As a chief security officer, you will never have the authority or autonomy to simply make decisions. You will not be the one making top-down decisions and you will not be the one to have the final say.

It’s just the nature of the role.

You are very much the person supporting and influencing the decision, but you should never expect to have any authority to make those decisions unilaterally.

This was a HOT topic at our last vCSO event and I wanted to take a dive into how you and your team can work through this relatively big issue.

What I highlighted last week at our event was that even though you don’t directly have authority, you certainly can lead your client through decisions.

Your superpower will be elevating other people on your client's team. Your goal will be to turn their heads in the direction you need them to go. You will be the one forging relationships with key people on their team to get them to understand—in their context—why a security issue is important. Here are three big takeaways that every CSO will need in their back pocket to really have an impact on their client's decisions.

Takeaway 1: You are the chief educator.

First and foremost, you are the person explaining WHY change is needed. This can be a very hard sell. No one wants to change if they don’t have to.

You will need to do this by educating them with stories and explaining in contexts that they understand. It's not good enough to simply tell them exactly what they have to do; they have to want to do it.

In this role, you are the doctor explaining the risks in a way they understand, highlighting the problem and getting them to think through what decision they need to make.

Takeaway 2: You have to show much more than tell.

Risk is a funny thing. It seems to be human nature to underestimate it.

Until you show them what is at risk, and specifically show them the consequences in terms that they understand, you probably will not convince many to make a change.

Takeaway 3: You need to help the risk owner understand why it’s important.

There is always a risk owner. Maybe it is someone responsible for a particular process. Maybe it is the CEO. Whoever is responsible for a specific risk is the person you need to engage and get to really own the change to reduce or mitigate that risk.

You will go nowhere unless you have that risk owner on board with a decision.

Need an easy way to show your clients and prospects what they leave at risk on their network by not deciding? Consider a free cyber stack assessment of your own network to see how eye-opening a third-party security assessment can be in influencing a decision-maker.