Why Human Relationships Will be the Success or Failure of your Security Program

Security is challenging enough as it is - from an ever-changing technical landscape, to new exploits on a regular basis, to working to enable the business rather than being seen as a blocker. However, one challenge in particular can block even your best efforts before they get off the starting line: the ability to connect with other leaders and influence key security initiatives across the business.

I speak with security leaders and CISOs regularly and, by far, one of the most important items discussed is the importance of establishing a trusted relationship with leadership throughout the company. This applies at the top of the security organization, between the CISO and their peers. It is also applicable throughout the security organization as leaders work with their corresponding partner organizations.

Why Start with Trusted Relationships?

As a security leader, your role will often require you to persuade leaders that particular practices, processes and initiatives must be prioritized for the good of the company. As there is “no free lunch”, prioritizing one activity will delay or impact other activities the team has planned and cause some level of work or friction. When embarking on these tricky conversations with leaders, the most important thing is to already have a good, established relationship. A key element of this relationship is that both individuals want the business to be successful and understand what that means. This is crucial so that success is a shared objective and not just an individual’s agenda for personal benefit. Next, there must be an appreciation and respect for each other’s team and program within the company. If two leaders don’t understand why the other’s org exists, it’s very challenging to embark on trickier discussions. And third, it’s important for both leaders to have confidence in the competency of the other. I’ve seen each of these elements fail in relationships between leaders and it significantly hamstrings any efforts between the teams. But if you have an established relationship that includes these elements, then you can tackle more difficult security topics.

How to Gain the Trust of Peers as a Security Leader?

We understand the desired end-state of a great relationship with leaders throughout the company, but how do we get there? It’s actually a bit easier than you might think. The trick is to go on a “listening tour”. This is an easy first activity if you’ve just been hired into the security role. But it’s also something you can do at any natural point of transition e.g. planning for next year, the end of a quarter, or just part of your regular “finger on the pulse of the organization”.

The first step is to introduce the idea to the leaders who you’ll be meeting with. Something along the lines of the following can easily do the trick.

“An important activity for security is to understand our partner teams throughout the organization. We want to understand what matters most to each team, how the teams operate within our company and ways that security can best partner with you for success. In the coming weeks I’d like to sit down with each of you and learn more. I’ll work with your assistants to find a time that works well for your schedule.”

As you’ll notice, this email gives some context for the meeting and, ideally, positions the discussion in a positive light. This is important, because the last thing anyone wants is an unexpected meeting on their calendar from the head of security without any context!

At the meeting your objective is to cover a small handful of topics. I’ve found it helpful to lay these questions out at the beginning of your conversation so the individual understands the overall goal.

  1. Tell me about your organization. What are the most important items you focus on? What’s the high level org design?
  2. How has it been working with security? What ways could we improve working with your org?
  3. How do you view security at our company? What is the ‘worst case scenario’ that you hope never happens - from your perspective of course.
  4. Are there any pressing security areas or gaps that you have concerns about, where we should invest more time?
  5. What’s the best way for me to keep you updated about security (both positive security updates and items where leadership attention is needed)?

You can probably tell, but each of these questions will elicit very different feedback that is helpful for the relationship and great info for the security team. The first two questions focus directly on the other leader and their org. The first gives a better understanding of how the org operates and which people handle which tasks. The second is an olive branch and a genuine request to understand past dynamics between the teams. You’ll find you learn some very interesting items from the second question. Some of these are small and easy to fix, but they are items you wouldn’t have known otherwise (e.g. file tickets with this tag, or don’t put a priority on the ticket because your “high security” is different than ours and it pages someone in the middle of the night).

The third and fourth questions are great for understanding how each leader views risk. Save this information for later; we’ll come back to it in future newsletters when we talk about how to motivate for action. Lastly, the fifth question is just great for logistics. You’ll need to understand how to send updates that are positive and also how to escalate issues that need some prodding from the top. Take note of people’s communication styles and meet them on their turf.

How do you know if this is successful?

In establishing a trusted baseline relationship with leaders, your goal is for leaders to genuinely believe you are level-headed, have the best interest of the business at heart, and have an understanding and appreciation for the hard work and constraints of each team. Each leader will have previous experience with security at the current company and at past ones. As a result, there may be some hesitancy, bad previous experiences or biases. Therefore, a lot of establishing this initial relationship is cutting through that past and also demystifying your approach and agenda. Remember, lacking information, people fill gaps with the craziest of explanations or motivations.

You’ll know you have good relationships with other leaders when they seek you out in person to clear up something that was bubbling on an email thread. Or when you discuss a difficult situation and both of you are able to discuss different paths forward with an honest assessment of tradeoffs. In our very technical world of security it’s challenging to realize that the least technical item, human relationships with other leaders, can be the thing that most effectively positions our security programs for success.

Michael

Want to chat? Find me @_mwc

Hope you enjoyed the first edition of the security newsletter. I plan to cover a variety of topics over the weeks from leadership techniques, like this one, to more strategic security elements and also growing a security career.

Up next - The end of the trusted internal network.