Becoming a Modern CISO

By Andrea Scholfield posted 10-04-2023 14:45

Please enjoy this blog posted on behalf of: Carlos Rodriguez, CEO & vCISO, CA2Security.

The Modern CISO must become a trusted business leader.

The modern Chief Information Security Officer (CISO) at leading law firms must evolve from a purely technical cybersecurity role into a strategic leader who enables attorneys to practice law securely and safely: forging connections across practice groups, supporting departments, and clients; influencing decision-making; being a servant and trusted advisor; and having an in-depth understanding of The Firm's goals and culture. This shift in responsibilities demands a new skill set beyond technical prowess. Thus, the C in CISO is for Connecting. The I in CISO is for Influencing. The S in CISO is for Servant Leader. And the O in CISO is for Organizational Savviness. In this blog entry, we delve into real-world insights to shed light on the evolving role of the CISO. We'll explore the benefits of a CISO who can connect, influence, serve, and understand The Law Firm, and how this transformation is crucial for implementing an effective Risk Management Program that enables the secure practice of law. Stay tuned for actionable advice on how aspiring CISOs can develop these critical skills to succeed in the dynamic world of cybersecurity leadership.

The C in CISO is for Connecting

Security teams never have home-field advantage.
Last year I ran a survey on LinkedIn on what each letter of the CISO acronym means to others. It started with the C in CISO. You can see the results below. I got the results I thought I would, but I didn't expect not to get a single vote on Connecting.
The C in CISO is for CONNECTING; that is what it means to me.

  • Connecting WITH people to build trust and gain support.
  • Connecting people to purpose.
  • Connecting people to people.
  • Connecting business strategy to security strategy.

I get it, we can all argue that Collaboration and Communication are also critical to all of us; in fact, they are crucial. They are to me, too. While I understand that to connect, you must be a good communicator, I believe that connecting is the vital outcome of communication. I think that in our role as leaders (of any practice), we must be able to influence others, and yes, you must also be an excellent communicator in order to influence others. However, as John Maxwell puts it in his book Everyone Communicates, Few Connect, "Connecting increases your influence in every situation" and he defines Connecting as "the ability to identify with people and relate to them in such a way that it increases our influence in them". This means to me that as a leader, I must show empathy to others and stand in their shoes to understand what matters to them, what they are going through, and what their concerns and constraints are so I can better understand how the security program may impact them; and to communicate the What's In It For Me (WIIFM). By connecting with others, you are on the right path to building trust with all your stakeholders who will support your program and define its success or failure.

The modern CISO must be able to build a security and risk management program (the program) that is aligned with the overall business strategies. This is achieved by seeking out and connecting with executives and business unit leaders who can provide insight into the past, present, and future strategy of The Firm. Having these conversations is also an opportunity to show that the security team wants to collaborate and figure out emerging risks together to understand where to focus the security and risk management strategy to deliver business value. This connection, in a visual form, will also be a powerful communication tool in the leaders' interaction with partners, the executive team, and the board that will show them that the security team is a Business Unit, and as such is there to support The Firm by delivering business outcomes. Here is a simple sample of such a communication tool.

Security leaders rely on people to deliver value, to deliver the program itself. Thus, once the security and business strategies are linked together (preferably in the form of a visual communication tool), the leadership team must go to work and clearly communicate what the team's role is in the strategy and the benefits to The Firm, the team and the individuals (the WIIFM). A team that understands its purpose and how it fits into the high-level business strategy will become more engaged with the program and the leadership team. Connecting your people to the program's purpose will translate into support throughout the life of the program and ultimately, there is no better team than one that is engaged. Give me a junior section that is highly vested and passionate about the mission and vision of the program, over a team of many senior and experienced people that are not vested in the benefit of the program. I take the former without hesitation any day! Finally, CISOs lead Teams of Teams, and communicating how those supporting your initiatives from other departments fit into the security and business strategies will go a long way and add unexpected supporters for the program.

Connecting people to people is a great way to score small wins that lead to trust. When I meet with partners, practice groups, and business unit leaders, I always ask them what their concerns are in general, not just those related to security, because in my role I talk to a lot of people across The Firm; thus, sometimes I can provide insight into how others have solved similar challenges, or at least point to who could be a good resource in that particular situation. I remember a situation where a business unit leader was dealing with a legacy database. Her team was struggling to strategize about moving the data to a modern platform, and upon hearing this I was able to quickly connect the unit to our data analytics leader. A few months later this director reached out to thank me for the connection, because the two teams were working together on a solution to the issue. As a result, this director started bringing me into conversations that had little or nothing to do with information security, because she knew I had a broader reach and deeper insights into what was going on at The Firm in general.

One thing to remember as a security leader is that, as I often say, "security never has home-field advantage". Let's face it, attorneys are not likely to come looking for the security leader and ask her to give them more security. This is important to understand because it will likely be challenging to build relationships and gain support for the program and as a leader early on (also heavily dependent on The Firm’s culture). A CISO’s success depends on her ability to establish Trusted Relationships and to do so, one must be intentional about building long-lasting and authentic partnerships throughout The Firm by getting to know the key players and catalysts driving The Firm. Being intentional matters a lot because it is on a leader to seek out others and build those relationships, especially for a security leader who, remember, is often the "away team." A CISO must genuinely understand what's critical to not only these stakeholders' objectives but also try to relate to them as people; what excites them; what concerns them; how they think; how they view the roles of security in their value stream. By connecting to the individuals and showing them how the program has or will deliver value, the leader will build a solid partner, supporter, and advocate for the security team, which will help the program continue to mature and increase her ability to influence decision-making throughout The Firm. 

Remember, a leader influences decision-making in any organization. A CISO who builds trusted relationships will be able to guide other leaders and stakeholders through the risk landscape; will build a highly engaged team that understands how it fits into The Firm; and will ultimately deliver value by aligning the security strategy to business outcomes, even when that value does not come in the form of a security initiative. Do not wait for others to come seeking you out; be proactive, get out there, and connect to others by building relationships across the business while focusing on them to build trust!

The I in CISO is for Influence.

As I reflected on the survey results on the I in CISO, I realized that I really didn't capture my approach. First, let's take a look at that survey:
When I look at this image, I realize that I failed to capture what the letter I in CISO truly means to me. While I believe that all four options presented are essential to being a successful CISO, I believe that the I in CISO stands for INFLUENCE.

  • Influence others by building Trust.
  • Influence by Empowering others to make educated, risk-based decisions.
  • Influence your team; Influence your peers; and Influence those above you making business decisions.
  • Ultimately, Influence the culture of The Firm.

Building Trust. In my opinion, this is the foundation of relationships and influence. However, earning Trust is also the hardest thing to achieve in any relationship. As I wrote in the last section, John Maxwell defines Connecting as "the ability to identify with people and relate to them in such a way that it increases our Influence in them". Connecting with others is one of the things that has worked for me best because I am intentional about making meaningful connections and understanding what's important to the people I work with. There are other ways to earn trust, such as delivering results and value, but being empathetic and intentional about connecting with others has been the key to my success as a leader who can both influence others and be influenced by others as well.

Empowering Others. Many people believe that leadership is about making decisions, and I am going to kindly disagree with that notion. Sure, it is an integral part of it and something we as leaders do every day. However, as an excellent CEO once told me, the key is to have the right team around you who bring their experience and expertise to complement you. The leader's role is to keep an eye on the guardrails that you establish with the team and then empower them to make decisions based on the vision and mission that the team is pursuing. You hired them because you had every reason to believe they were experts in their field and would add value to you and The Firm. Let Them!

Your Influence Circle. CISOs, like most C-level leaders, have an extensive influence range. We interact with and can influence people from all areas of The Firm in our daily interactions. We talk with attorneys, practice groups and business unit leaders, vendors, IT, HR, you name it; we support them all and usually are in constant communication with them either directly or through our team. Let's not forget that, and the fact that we lead a Team of Teams. Don't think so? Take a look at this short list of some of your "core" stakeholders:

  • Your team. Ensure that your influence is positive. Let's not forget that there is also a negative side of influence and there is a fine line to walk, which can be unintentionally trespassed on by the leader. Be mindful because they are watching you and hopefully following you.
  • Your peers. Per Patrick Lencioni in The Five Dysfunctions of a Team, this is your core team. Why? This is usually the team that is collaborating to set strategies that the CISO must turn into a vision and objectives for middle management and staff to execute. Thus, this is also the team that needs your attention the most; and who you must influence the most. Your ability to influence this particular team will be critical to your success.
  • Your Customers and Stakeholders. Think of this group as those you are delivering your program to; these are generally the attorneys and other departments. These folks can be your sponsors and champions; go after them and ensure you connect and understand them. 
  • Your superiors and The Partnership. Failing to influence your leaders will translate into a lack of trust by your peers and your direct team. How will you move your program forward without the support of this group?

Influencing the Culture of The Firm. In my opinion, the ultimate goal of the CISO is to influence Cultural and Organizational Change. Leading others to make educated risk-based decisions will go a long way to improve the security posture of The Firm. This really comes down to all the things that we have gone through in the article, such as connecting and building trust, empowerment, and influencing your core stakeholders. How do I know that we are influencing others?

  • When I see my team making daily progress in many different areas.
  • When I go to a meeting with other leaders or teams and someone is speaking about risk and security matters and why it is important, my input is simply a nod.
  • When a partner starts asking questions in non-security related conversations like "What are the chances this service provider is hit with ransomware, and it impacts us?”
  • When my team is presenting, I can tell that they have a script and are fully prepared to answer questions.
  • When my boss asks me what I think about something that is not security related.
  • When our program maturity score increases.

A Few Closing Thoughts on Influence.

  • As stated above, influence can be harmful, so you must be mindful at all times to make sure that you are not drifting to "the dark side" and negatively influencing others.
  • Influence goes both ways. You should have a clear picture of who those that influence you are. Study them; learn from them; don't be shy, apply some of the things that they do, and keep trying even if you fail. For example, most people who influence me are great storytellers; I am not a great one myself, but I keep trying and will continue to do so because I am actually getting better at it.
  • You will fail many times in building connections and influencing. When that happens, look for alternatives. For example, I often rely on people who are closer to those I want to influence but I can't for different reasons, such as lack of access to that person or group, or a previous failure. In that case, I go to others who already have a relationship with them and try to influence these folks so they can help me.
  • Influence and Persuasion are different. Influence is something that you exercise without even trying most of the time. It is something that you earn and "is there" because people trust you and follow you. Persuasion is more intentional, factual, and an action you take to get support on something, for example.
Many signs can reveal your ability to influence others. Keep working on your influence skills; you will need them whether you lead a team or not. Keep practicing and failing if necessary; keep connecting, empowering, and getting closer to your core team!

The S in CISO is for Servant Leadership.

It is time to reflect on the S in CISO, which to me, stands for Service, for Servant Leadership.
I was recently asked what I believed were my main contributions to the organizations that I have worked with during my career, and when I looked back the answer was undoubtedly turning around unengaged tech and security teams into service teams that are closely aligned with the mission of The Firm. This, as I reflected on the question, seems to be one of the themes throughout my career, perhaps because being of service is one of my core values.
While our mission as security leaders is primarily to assure stakeholders that we are managing risk and protecting assets, it is essential to understand that this mission cannot be carried out without understanding what the expectations, challenges, and opportunities are from the stakeholder's point of view so that we can build strategies to address those, in essence being empathetic, a core principle of Servant Leadership. When you look at the most prominent servant leaders in history, such as Martin Luther King Jr. or Mother Teresa, you can see that they were not in it only for what they believed in, but also for the greater good, and their accomplishments were the result of being of service.
But why? Why shift to being a service organization first? By focusing on providing service to The Firm, you move security from being the "nay-sayers" to being a trusted partner with whom business units feel comfortable bringing up challenges, because they know that the team will work with them to find risk-based solutions that deliver value to customers while securing assets properly. This builds a community and partnership, another core principle of servant leadership.
In the last section, I provided a list of stakeholders that you influence. Those are also the folks that you serve at The Firm. Here are some suggestions to serve stakeholders while transforming the security team into a service organization (some may or may not apply to your situation).

1. Run a SWOT exercise on the program to identify areas of Strengths, Weaknesses, Opportunities, and Threats so strategies are built to address those. It is crucial to involve your team and, when appropriate, others in this process. Communicate your findings to stakeholders.
2. Seek out practice groups and business unit leaders and understand their expectations, challenges, and opportunities. Once a strategy is formalized to address those, come back to them and communicate the plan.
3. Ask to attend practice group and business unit leadership meetings to provide updates on the program or specific matters that impact them; or simply, to be a fly on the wall and learn more about existing business processes. This will raise your and your team's visibility with them and remind them that you are there when needed. In addition, you will also raise your awareness about current and future organizational strategies. Do this as often as it is appropriate for your culture.
4. Coach the team such that they understand that negotiations will be the new norm. Instead of saying, "no, we can't do that," the team's mindset should be more like "Let's take a look at it together and figure out what the risk is and how we can deliver the solution securely."
5. Find opportunities to deliver security incrementally. Identify the “minimum security requirements” or “minimum viable product (MVP)” for supporting go-live and each product increment being delivered.
6. Build a succession plan. This is important for The Firm to ensure continuity and for many on your team who may see a career path available. Do this not only for the top leadership position, but also for the other leadership positions in the team.
What are the results of this approach? Well, in one organization, I observed the perception towards the security team shifting from "security is going at 45 mph while the rest of the business is going at 65 mph" to being engaged in supporting more than 150 initiatives across the organization in three years which is a way to measure the maturity of the program. I have also seen many business leaders reaching out to me or others in my team to consult on risk-related matters or even engage in conversations with external stakeholders. They started to see us as being "a collaborative team who will help us figure out how to solve business problems while addressing risk" as an executive put it.
By becoming a servant leader and a servant team, security will be able to manage risk in business terms and get the support needed from leadership. Try it, it is worth it!

The O in CISO is for Organizational Savvy.

Let’s close the series with what the O means to me, which I hope many agree stands for Organizational Savvy.
As a member of your Firm's leadership team and someone delivering a program that will impact The Firm in different ways, a CISO must understand the way The Firm operates, its culture, its customers, its key players, and really to wrap it all up together, the company's "Why"; or what I call "the ways of the force". Want to be an influential leader in The Firm? "This is the way".
One of the key traits we always point out that cybersecurity professionals must have is curiosity, which also applies to the CISO. Be curious about why The Firm does what it does, how they do it, and who does it. Without an understanding of the intricacies of The Firm, it will be hard to build and deliver a program aligned with its strategic objectives and the partnership group.
There are many ways to go about this process and a lot depends on your leadership style and The Firm’s culture. Here are some approaches that have worked for me in my career:
  • Early on, establish an expectation with your supervisor that you would rely heavily on him/her to learn why and how we do what we do; you must learn "the ways of the force".
  • Ask your supervisor for intros or at least identify critical stakeholders across The Firm that you need to establish a relationship with to gain an understanding of operations and gain support for your program.
  • Identify an internal Mentor. I cannot emphasize this enough. Do not rely on your supervisor only. Seek other influential leaders and ask them to mentor you and help you understand "the ways of the force."
  • Identify influential or organizationally savvy team members and peers who can help you establish connections and relationships and even deliver messages through them.
  • Understand internal learning opportunities offered at the company. For example, I have taken internal classes on Law Firm 101, Claims School (when I was in Insurance), internal leadership development programs, etc.
  • Do a tour with the primary practice groups and operational teams. For example, when I worked in a company with property management operations, I would go on property tours with the property managers in different cities to understand what was important to them. In a Law Firm, if you are setting up a War Room or some video conference deposition needs to be set up, ask to be part of the team so you can learn more about how The Firm does this.
  • Take advantage of internal volunteering opportunities to get to know people across the company and build relationships. For example, in my last enterprise role, I was part of the leadership team setting direction for Diversity and inclusion.
  • Take on leadership opportunities on efforts outside the security program. Maybe there's a Firm event you can organize or MC, like a town hall; maybe you can be part of the leadership of a corporate initiative like diversity & inclusion. I bet there are many opportunities. Building your internal brand and letting people know you can contribute beyond security is important.
There are many ways to accomplish this. The point is that you really want to put a lot of effort and time into understanding your Firm if you want to contribute to its overall mission, which is your ultimate goal as a leader. Do understand that this process takes time. In my experience, it takes around six months to start getting to know The Firm and a couple of years to be completely comfortable with the corporate culture, but that should not slow your progress down as long as you collaborate with others and accept that you need help to develop a security program that is aligned with your company's goals. "This is the way" to influence and deliver value to your organization.
I hope you enjoyed this series and that it helps you transform into a Modern CISO. Leading law firms are looking for strategic leaders who understand the practice of law so they can manage risk and deliver secure solutions for The Firm. Connecting with partners and attorneys, influencing decision-making, and serving as a trusted advisor will help you transform the security culture of The Firm.