In the two decades I've spent in cybersecurity, I've observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization's security measures before attackers exploit them. We fight.
Let's go beyond a combative mindset.
The combative mindset of security professionals finds its way into our interactions with colleagues within our organization. We witness and sometimes contribute to conflicting opinions regarding the urgency with which security issues should be addressed, and we disagree on the best ways to address security risks. And we fight for a share of the budget that might shrink if other departments' needs are prioritized above our own.
This cybersecurity vs. everyone way of operating is counterproductive because it contributes to security professionals being seen as detractors and distractors. To succeed in today's workplace, we must operate as business enablers, not blockers. We can do this by adjusting our mindset, developing empathy for the role and objectives of colleagues throughout the organization, and communicating security benefits in business terms.
The future of security is collaboration.
Security teams are often seen as separate entities by the rest of the organization. To increase integration and understanding, all teams at the company need to have open conversations about their shared goals and objectives. After all, each team may have different skill sets and roles, but all of them ultimately want the organization to succeed.
Start here: Ask someone in each team to define what success looks like to them. Then look at how those goals can be achieved within the context of broader business objectives. Differences are OK and expected, but finding the thread that ties us together is the only way to find common ground. Looking at wider objectives makes it easier to understand how teams can work together to move the organization toward those goals.
Agreeing on shared objectives—while recognizing each team's unique roles and interdependencies—will allow everyone to collaborate more smoothly.
Invest in persuasion and communication for security buy-in.
Like it or not, we cybersecurity leaders often have to work harder than others to justify our presence and initiatives. Yet our initiatives often span multiple departments and depend on buy-in from other executives. Therefore, we need to put extra care into how we persuade and communicate outside the security team to get support for our efforts.
To gain others' support for a security request or project, determine:
- Who needs persuading? Understand the dependencies of your security effort to determine which teams — and which specific individuals — are stakeholders in your effort. Tailor your communications to each of them, since some will be supportive from the start and others skeptical.
- What are their objectives? Presumably, you already understand why you're pursuing a particular security project, but how does it support the needs of your stakeholders outside security? Understand what's important to them, so they'll be more inclined to support you.
- What do they need to know? Some want to see technical details, but not everyone. Some people focus on costs, others on revenue, others don't think in financial terms at all. Present the information appropriate for the individual to get their buy-in.
- Why should they trust you? Whether you're seeking funding, expertise, or time from others, consider how you'll demonstrate that their support will not go to waste. To signal credibility, present metrics from earlier security projects or point to your initiatives that succeeded in the past.
Instead of assuming that others understand what you're looking to achieve and why the effort is important, consider what steps you'll take to persuade and communicate with non-security stakeholders to gain their support.
Link to business needs in budget discussions.
Positioning security in business terms rather than technology terms matters most during budget discussions. While it's good news that cybersecurity is one area where spending remains fairly stable (as of this writing), any security leader still needs to firmly justify their requests.
Start by answering the persuasion and communication questions above to establish the foundation for your budget discussion with the CFO or other relevant parties.
Next, understand the business scenarios that the company is considering for its next year: Is the organization expecting its revenue to shrink? Will some product lines likely expand? Are there any changes in the geographic regions the company serves? Can you expect business as usual, or are the company's activities likely to experience significant disruption?
Continue by outlining your security objectives, then link them to the company's business objectives. Since the exact future is unknown, be prepared to discuss how your requests might change based on the scenario in which your company might find itself. For example, if the firm might open an office in a new country, you might need to hire a security person to support that region. Or if your firm will introduce a new product, you might need to fund the training of your application security team in the corresponding technologies.
Be ready to not only clarify how the security expense item benefits the company but also why now is the time to invest in that project, person, or initiative. Explain how the company might be affected if that item doesn't get funded, but do so without spreading fear, uncertainty, and doubt, which often dominate security discussions with stakeholders.
To progress, help others to succeed.
Cybersecurity is evolving into a department as steadfast as legal or marketing. But we're still relatively early in this process and haven't been welcomed with open arms by everyone in the organization. More importantly, we haven't yet learned how to collaborate with non-security stakeholders to gain their trust and support. To progress, we need a business-aligned mindset, so that we are seen as leaders who enable the success of others. We do this by collaborating with them, communicating on their terms, and operating with shared objectives in mind.
Updated March 29, 2023
About the Author
I design security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.