CFO: You’re asking for a security budget increase of 20% from last year and we’ve already reached our ratio on technology spend.
CISO: … but our budget was cut 30% the year before due to other strategic projects and we haven’t addressed some key gaps…
CFO: We didn't have any security issues last year, though, and the feedback I've gotten about your team is that they slow projects, increasing timelines and costs.
CISO: We've been lucky as far as we know, but our tools are limited and we're stretched thin, so we're always playing catch-up in projects.
CFO: That's the nature of today's business. Everyone needs to do more with less; you'll just have to make do.
Most portrayals of cyber security people are of anti-social introverts who either type madly for five seconds to bypass a multi-million-dollar, state-controlled security system or are excitedly yelling about a coming Armageddon. The first is definitely Hollywood; the second is…hopefully more Hollywood than not.
Despite what Hollywood would have you think, the field of security draws people from many different disciplines. The thing Hollywood does get right is that many cyber security professionals are more proficient in technical skills than in soft business skills.
When it comes to most roles in cyber security, and especially its senior levels, books such as What Got You Here Won't Get You There by Marshall Goldsmith could not be more on the nose. Its premise is that the tactical and technical capabilities that got people to where they are differ from the relationship-building and strategic skills that will get them to the next level. Unless someone is there to guide them, making that leap can be very difficult, because it is a very different way of operating.
Security roles traditionally aren't roles new grads go directly into. Professionals first become proficient in some technical area, such as networking, application development or auditing, in order to have a specialization, and then move into the security roles that help protect that area. When individuals move over to information security, they therefore generally start out working with people of similar educational backgrounds. It's easier to 'sell' security to those people because they're already on the same technical page.
As individuals take on greater responsibilities, they begin to work with a more diverse set of people, many of whom will not have any technical background at all…which is where the gap shows itself.
The number of jaw-droppingly intelligent technical people I have seen shot down or written off because they couldn't put themselves in the frame of reference of their audience is too high. Technical experts feel like they are in the movie "Don't Look Up", where the main characters are trying to warn the world that a comet will wipe out the earth unless something is done, but no one is willing to listen. Senior leadership, meanwhile, feels like they are talking to conspiracy theorists. Their frames of reference are simply too far apart.
Senior Leadership Wants Good Communicators in Security Roles
Rather than expanding technical leaders' frames of reference, a disappointing number of businesses have decided to bring in 'non-technical' or 'non-security' people to lead the cyber risk function, simply because senior leadership doesn't feel it can communicate with the technical leaders.
This solution helps no one. Information security covers a huge amount of ground and requires a high degree of specialization. Think of any technical or data-related tool, process or situation, and increasingly any law, and there is likely a security component to it. Would you put someone with no legal background in charge as Head of Legal? Putting someone with no background in technology or risk in a leadership role over specialists who have spent years learning their craft not only puts the organization at risk; it also sends a message to the professionals on the team that their role is so insignificant that anyone can lead it. (Think retention.)
This is not to advocate that any security professional should automatically be put into a leadership role after 'x' amount of time. Security is no different from any other field: individuals have different strengths, weaknesses and interests. As Paul Hersey and Ken Blanchard put forward in Management of Organizational Behavior and their Situational Leadership theory, just because someone is strong at one thing doesn't mean they will automatically be strong at another. If someone is a brilliant coder, it doesn't mean they will automatically be a natural public speaker. However, and I would argue more importantly, it also doesn't mean they can't become one.
Technical Employees Can Learn to be Great Communicators Too
Organizations spend a large amount of training dollars on technical training, but at the same time are often hesitant to let technical teams talk directly to business teams out of concern about "communication". This is a self-fulfilling prophecy, as it creates silos and echo chambers for both the technical and the business teams.
The solution is first to identify potential leaders with an interest in growing, as part of any organizational development process, and then, in addition to building their technical skills, to build the skills that will put them in a position to succeed with their non-technical peers: basic finance and financial modeling to help them support business cases and budgets; behavioral training (Myers-Briggs, Gallup StrengthsFinder, Four Color Personalities, DiSC, etc.) to help them understand themselves and others; and presentations to peers and managers to build speaking skills. People don't know what they don't know, so even the most accomplished individual in one area may be blind to areas of weakness and need a little guidance. That guidance ultimately builds not only their confidence but their ability to influence peers and, most importantly, their credibility, so that when something needs to be considered it is given thoughtful and earnest consideration.
Making the objective the creation of a business-focused security leader rather than a technical wizard will build the credibility needed in such a demanding role and position them to have a more balanced discussion with their CFO:
CFO: You’re asking for a security budget increase of 20% from last year and we’ve already reached our ratio on technology spend.
CISO: The new technology could increase potential revenue by 30%, but it comes with risks we haven’t previously encountered and could incur losses that outweigh any gains. Marketing has also highlighted that branding is going to be a differentiator. If we go to market with a product that customers don’t feel they can trust because corners were cut, our brand, market penetration and customer loyalty would be negatively impacted.
CFO: So this is to support our new initiative?
CISO: Absolutely! Everything will of course be leveraged to benefit other areas and initiatives as we go, but my primary purpose is to support company goals.
CFO: Okay, we may not be able to get you everything, but I see how this will provide value to our initiative and will support your team.
Strong technical skills provide the foundation of knowledge needed to secure systems. Strong communication skills provide the ability to line up the resources needed to better secure an entire organization.