Why empathy is critical for CISO success

Almost all organisations are composed of disparate groups of stakeholders that have different priorities in their day-to-day operations.Engaging with each of these groups in order to uphold the overall objectives of the enterprise is essential but can be a tough challenge – something that the CISO knows only too well.The CISO occupies a precarious position. On the one hand they are accountable for managing the risks to the enterprise’s information assets, while on the other they are often dependent on several external factors to operate effectively – securing funding from the board to address key risk areas or seeking buy-in to security initiatives from distributed IT estates, application owners and administrators, for example.Maintaining differing comfort zonesA CISO’s objectives will centre on keeping the organisation safe from an IT perspective; fulfilling this requirement will often involve generating the support of a variety of parties that do not have a technical focus (or at least not one that matches that of the CISO). However, the chance of achieving the desired result is significantly improved if the CISO communicates in a way that will resonate with all of the relevant parties.In other words, the CISO should put his or her IT or risk management background to one side and demonstrate awareness and empathy around the differing needs of each set of stakeholders.This calls for CISOs to understand the different priorities of each group and put the risks into the frameworks that are familiar to them and do not require them to step outside their comfort zone.Taking steps to demystify some of the IT risk discussions increases the CISO’s visibility and credibility with the non-technical groups – and can influence final decisions in their favour.The same message, different waysUsing the example of the risk of a piece of malware encrypting a key database (which requires a system update and financial outlay) we can show how this could be articulated to various key stakeholders to best effect.Let’s suppose first of all that the CISO uses the same message organisation-wide, speaking as though they are discussing with their immediate team:“The latest red-teaming exercise highlighted how easy it is to jump between database servers without any re-authentication. We need to change the configuration otherwise that is a significant attack vector for malware to be installed.”Much of the organisation – including the board - will hear this as technical jargon that they don’t understand. The result? Assuming that if the issue was urgent, it would be clearly articulated as such, the notification will be put to one side; remediating action will not be prioritised, and the enterprise will be left open to the risk of malware exploiting a key database.Now let’s imagine that the CISO reframes the problem in ways that hit home for each of the groups that need to be involved in some kind of decision-making to reduce the risk to the enterprise.A message to an application or process owner might be:“Joe Bloggs Incorporated, which has similar operations to us, was hit with this exploit; the resulting data leak impacted all their employee records and they spent weeks reporting the nature of the breach. This needs to go on your application risk register and I need your help to convince the board that we should fund a patching programme to protect against this.”Expressing it in a way that ties in with this group’s day-to-day work is the best way to drive action, including the all-important support in getting the board on side.Finally, the issue could be broached with the board in terms of:“A new risk has materialised that could shut down our finance databases; it would take us three days to recover from backups, an operation that cost a similar organisation X. To protect us against this risk, I need to update our systems which will cost Y.”This level of detail is all that is required to flag the problem and clarify its significance and remedy – making budgetary sign-off far more likely.Versatile and visibleBy speaking the business’s language, CISOs make themselves an accessible source of IT expertise. Taking this knowledge into account during relevant decision-making processes is the basis for building IT estates that are secure-by-design and enabling robust transformation programmes.An empathetic approach also encourages business owners to gain a better overview of the risks that face their key systems – and ultimately, how these can impact business operations.

Why empathy is critical for CISO success

Why empathy is critical for CISO success

Related content

Sophos Announce Agreement to Acquire Secureworks

Tickets Breach: CEO Corrects on Number Exposed

More Than 77,000 Affected by Fidelity Investments Data Breach

Marriott Faces $52 Million FTC and Reprimand Over Data Breaches

PSNI Data Breach Compensation Could Be £140 Million

ICO Fines Northern Ireland Police £750K Over Personnel Breach

T-Mobile Forced to Adopt Better Security Practises by FCC

Upcoming Events

Securing Data in the Cloud: Advanced Strategies for Cloud Application Security

Why empathy is critical for CISO success

Why empathy is critical for CISO success

Related content

Sophos Announce Agreement to Acquire Secureworks

Tickets Breach: CEO Corrects on Number Exposed

More Than 77,000 Affected by Fidelity Investments Data Breach

Marriott Faces $52 Million FTC and Reprimand Over Data Breaches

PSNI Data Breach Compensation Could Be £140 Million

ICO Fines Northern Ireland Police £750K Over Personnel Breach

T-Mobile Forced to Adopt Better Security Practises by FCC

Upcoming Events

Securing Data in the Cloud: Advanced Strategies for Cloud Application Security

Confirm cancellation

Sign up benefits