Over the course of my career in cybersecurity, I have come to the realization that in order to become a good CISO who successfully manages to direct the cybersecurity maturity of the organization to continuous growth, you need a lot more than technical knowledge and the ability to design roadmaps and execute projects.
It is a rare reality that an organization has reached a near perfect cybersecurity posture and all that remains to the CISO is reaping the fruits and fine tuning some security control or policy.
Usually, at least in my experience (maybe I was just lucky), you join/consult a company, perform risk assessment and come to the conclusion that it does not match your vision of a required cybersecurity posture.
Designing and presenting a long-term cybersecurity maturity roadmap to the board or upper management is usually met with goodwill and acceptance especially when you don’t have to drill down to the technical level.
It is when you are moving over to the deployment phase that things start to get a little complicated. When milestones turn into technical tasks and people start to realize that things are going to change, from their perspective, to the worse and you turn into “public enemy No. #1”
Suddenly all sorts of obstacles arise such as: “it will impede production”, “the policy will increase working time”, “it needs to be re-designed” and pretty quickly the remarks turn personal and unprofessional. At times like these, you as a CISO, have to embrace an egoless attitude and avoid taking it personally, try to look at things from the other’s perspective and ignore implied insults.
Judge the complaints to your security plan in as much objectivity as you can and understand that they are motivated by fear and uncertainty as to the implications of the new security plan, such as: extra work, criticism over slow progress, system crashes due to new controls and more.
Embrace the patience of a Buddhist monk and hot spirits will calm. Never act as if you know best. Don’t repeat technical arguments that describes the process and don’t counteract opposition with seemingly superior logic, for most people the reaction for new security is more emotionally based and things will quickly escalate if they’ll feel you reject their uncertainties with a know-it-all attitude.
Take into account that compromises go a long way in trust building and help create a win-win situation. You might lose a battle today by agreeing to let go of a certain control you deem important but you will establish a long term relationship that will enable you to put other security processes in place without objections.
Try to think creatively and suggest other solutions that offer lesser yet achievable security. More importantly you will be thought of as an approachable and a pragmatic solution provider.
Much the same as in most things in life, preempting is better than preventing. To lower significantly those objection reactions and/or to be able to solve those kind of heated arguments quickly I have adopted a technique that works for me most of the times.
I have found out that when you invest in personnel relationship in your day-to-day dealings, cultivate trust and friendship with the teams who will have to implement your directives (truth be told, I try to make it happen with everyone in my day-to-day working relationship), people will be less prone to fear implications of the suggested security plan. Once you established a personnel relationship, they will trust you to take care of their interests (don’t abuse that trust!!).
Disclaimer: you can’t make everyone your friend. A low percentage of people will resist no matter how hard you try to come up with alternate solutions. They will always struggle and object to changes especially when it creates potential risks to their operability.
In those cases, once you exhausted all your goodwill efforts, tough measures must be taken. Go to management and demand a business decision and pronouncement. Even if things go your way don’t gloat, try to be sympathetic to the objecting party and offer alternative solutions that might go down smoother. Be the first to offer the olive branch, you’ll probably need their cooperation later so get them on your side as soon as possible.
I know, my way might seems the long way with a lot of effort, well, nobody said being a CISO is easy! Surprisingly, tough, in the long run, I have found this to be far more effective and a lot more enjoyable working experience.