I was recently asked what I believed were my main contributions to the organizations I have worked with during my career. When I looked back, the answer was undoubtedly turning disengaged tech and security teams into service teams that are closely aligned with the mission of The Firm. As I reflected on the question, this seemed to be one of the recurring themes of my career, perhaps because being of service is one of my core values.
While our mission as security leaders is primarily to assure stakeholders that we are managing risk and protecting assets, that mission cannot be carried out without understanding the expectations, challenges, and opportunities from the stakeholders' point of view, so that we can build strategies to address them. In essence, this is empathy, a core principle of Servant Leadership. When you look at the most prominent servant leaders in history, such as Martin Luther King Jr. or Mother Teresa, you can see that they were not in it only for what they believed in, but also for the greater good, and their accomplishments were the result of being of service.
But why? Why shift to being a service organization first? By focusing on providing service to The Firm, you move security from being the "nay-sayers" to being a trusted partner to whom business units feel comfortable bringing challenges, because they know the team will work with them to find risk-based solutions that deliver value to customers while securing assets properly. That builds community and partnership, another core principle of servant leadership.
In the last section, I provided a list of the stakeholders you influence. Those are also the people you serve at The Firm. Here are some suggestions for serving stakeholders while transforming the security team into a service organization (some may or may not apply to your situation).
1. Run a SWOT exercise on the program to identify Strengths, Weaknesses, Opportunities, and Threats, so that strategies are built to address them. It is crucial to involve your team and, when appropriate, others in this process. Communicate your findings to stakeholders.
2. Seek out practice groups and business unit leaders and understand their expectations, challenges, and opportunities. Once a strategy is formalized to address those, come back to them and communicate the plan.
3. Ask to attend practice group and business unit leadership meetings to provide updates on the program or on specific matters that impact them, or simply to be a fly on the wall and learn more about existing business processes. This raises your and your team's visibility with them and reminds them that you are there when needed. It also raises your awareness of current and future organizational strategies. Do this as often as is appropriate for your culture.
4. Coach the team so that they understand that negotiation will be the new norm. Instead of saying, "No, we can't do that," the team's mindset should be more like "Let's take a look at it together, figure out what the risk is, and work out how we can deliver the solution securely."
5. Find opportunities to deliver security incrementally. Identify the “minimum security requirements” or “minimum viable product (MVP)” for supporting go-live and each product increment being delivered.
6. Build a succession plan. This is important for The Firm, to ensure continuity, and for many on your team, who will see a career path available to them. Do this not only for the top leadership position, but also for the other leadership positions in the team.
What are the results of this approach? Well, in one organization, I observed the perception of the security team shift from "security is going at 45 mph while the rest of the business is going at 65 mph" to being engaged in supporting more than 150 initiatives across the organization in three years, which is one way to measure the maturity of the program. I have also seen many business leaders reach out to me or others on my team to consult on risk-related matters, or even to join conversations with external stakeholders. They started to see us as "a collaborative team who will help us figure out how to solve business problems while addressing risk," as one executive put it.
By becoming a servant leader and a servant team, security will be able to manage risk in business terms and get the support it needs from leadership. Try it; it is worth it!
The O in CISO is for Organizational Savvy.
Let’s close the series with what the O means to me, which I hope many agree stands for Organizational Savvy.
As a member of your Firm's leadership team and someone delivering a program that will impact The Firm in different ways, a CISO must understand the way The Firm operates, its culture, its customers, its key players, and, to wrap it all up together, the company's "Why", or what I call "the ways of the force". Want to be an influential leader in The Firm? "This is the way".
One of the key traits we always point out that cybersecurity professionals must have is curiosity, and that applies to the CISO as well. Be curious about why The Firm does what it does, how it does it, and who does it. Without an understanding of the intricacies of The Firm, it will be hard to build and deliver a program aligned with its strategic objectives and the partnership group.
There are many ways to go about this process, and a lot depends on your leadership style and The Firm's culture. Here are some approaches that have worked for me in my career:
- Early on, set the expectation with your supervisor that you will rely heavily on him or her to learn why and how The Firm does what it does; you must learn "the ways of the force".
- Ask your supervisor for introductions, or at least identify the critical stakeholders across The Firm with whom you need to establish a relationship to understand operations and gain support for your program.
- Identify an internal mentor. I cannot emphasize this enough. Do not rely on your supervisor alone. Seek out other influential leaders and ask them to mentor you and help you understand "the ways of the force."
- Identify influential or organizationally savvy team members and peers who can help you establish connections and relationships and even deliver messages through them.
- Understand internal learning opportunities offered at the company. For example, I have taken internal classes on Law Firm 101, Claims School (when I was in Insurance), internal leadership development programs, etc.
- Do a tour with the primary practice groups and operational teams. For example, when I worked in a company with property management operations, I would go on property tours with the property managers in different cities to understand what was important to them. In a Law Firm, if you are setting up a War Room or some video conference deposition needs to be set up, ask to be part of the team so you can learn more about how The Firm does this.
- Take advantage of internal volunteering opportunities to get to know people across the company and build relationships. For example, in my last enterprise role, I was part of the leadership team setting direction for diversity and inclusion.
- Take on leadership opportunities on efforts outside the security program. Maybe there's a Firm event you can organize or MC, like a town hall; maybe you can be part of the leadership of a corporate initiative like diversity & inclusion. I bet there are many opportunities. Building your internal brand and letting people know you can contribute beyond security is important.
There are many ways to accomplish this. The point is that you really want to put a lot of effort and time into understanding your Firm if you want to contribute to its overall mission, which is your ultimate goal as a leader. Do understand that this process takes time. In my experience, it takes around six months to start getting to know The Firm and a couple of years to be completely comfortable with the corporate culture, but that should not slow your progress as long as you collaborate with others and accept that you need help to develop a security program aligned with your company's goals. "This is the way" to influence and deliver value to your organization.
I hope you enjoyed this series and that it helps you transform into a Modern CISO. Leading law firms are looking for strategic leaders who understand the practice of law so they can manage risk and deliver secure solutions for The Firm. Connecting with partners and attorneys to influence decision-making, and serving as a trusted advisor, will help you transform the security culture of The Firm.