CISO Executive Forum: How to Lead Like a Fortune 500 CISO

The CISO Executive Forum, led by Tim Howard of Fortify Experts, emphasized the evolving role of the CISO from a technical consultant to a strategic business partner. This forum focused on how to lead more like a Fortune 500 CISO. Here are the key points:

Speak the Business Language:

“Once you understand how the business makes money, then you can align security expectations to support that effort.” 
  • Read your company’s disclosure (10-K’s):
    1. Know how the business makes money and what they’re reporting to the street.
    2. What are the external forces on the business?
    3. Why is the business struggling or succeeding?
  • Ask your Business Leaders:
    1. How can you help remove friction to increase their revenue?
    2. What are your opinions on the business plan? (Have your own too)
    3. If your operations go down as a result of a cyber attack, what impact will it have on the business?
    4. How is the employee experience around security?
“You have to talk with them in layman’s terms so they can see how partnering with the cybersecurity team will help them meet their financial goals.”

Playing Politics:

“Once you rise above the director level in any company, you are company property. You are part of the political machine inside that organization. So don’t talk badly about anyone, because it will get back to them.”
It is so crucial to listen for:
  • What people have as their priorities.
  • What is not a priority, and why it is not a priority.
  • Who do they consider their tribe?
  • Who is in their circle of trust?

Building Advocates:

“You’re gonna need champions. You’re gonna need advocates. You’re gonna need people who want to help you.”
Therefore, how can you make your agenda a win for the other person? The CFO may need the budget to be managed at a certain level, or the legal officer may want reassurance that the company will be kept out of trouble. Know what the hot topics are for each person. What exactly are the metrics and measurements they are trying to achieve? They will be willing to support your agenda if you can help them win too.
“Be their advocate, advisor, and teammate, not as their adversary.”
Before going to the Board, make sure the CIO and CFO are on board with what you are committing them to. They then can become your supporters in the boardroom. There’s also a lot of right timing involved. Sometimes it might feel like an urgent need, but if it’s not the right time based on the overall business priorities, then wait until you have the support.
“I need to warm everybody up early, so when I go for the ask it’s not a big surprise. So you’ve got to campaign. You gotta get people saying, yep, we need to support this.”
“The amount of campaigning I need to do ahead of time is much more significant in an F500 than other firms.”

Be Presidential:

To be seen as an executive, you need to act ‘Presidential.’ This means you need to have a strategy, with 3 to 5 executable plans that can be turned into campaigns and missions for the organization. These need to be aligned with the priorities of the organization.
“You always get delegated to the person that you most talk like.” 
If you continue to talk like a technical person, you will always report through the IT / CIO route. If you can master communicating like the executives, you have a better chance of being seen as a peer at the strategic executive level.

Know the Why:

Always ask to understand the “Why” something needs to be done instead of just moving on to the “How” it should be done. If you understand the “Why,” your motivation and your “How” may change. When presenting to executives: “Start with the ‘Why’ first, then come down to the ‘How’. If you have been tasked with something that is going into the boardroom, always start with the ‘Why’ and then fill in the details.” This will help them see you as a “Why” person and not a “How” person.

Non-Cyber Training:

To hone, expand, and refine your skills, consider training outside of cybersecurity, such as:
  • Risk Management Training – Risk Management is the language of large organizations.
  • Non-Cybersecurity Groups – Get involved in other business groups to broaden your knowledge.
  • MBA – Consider an MBA or even an abbreviated MBA to expose yourself to the challenges and solutions around running a business.

CISO Coaching:

Every executive needs a coach. Coaches ensure you are getting good, constructive feedback. A coach will help you develop executive presence and articulate a message that is clear, simple, and concise.
“It’s very important for you to have several coaches that will give you an honest perspective on yourself.”
Sometimes you only have 2 minutes to grab someone’s attention, so you have to hit the ball out of the park. You need someone to coach you through that.
Note: If you are looking for a CISO coach, contact Tim Howard. I have several CISO Coaches I can highly recommend.

Stay Strategic:

“How do you stay at the strategic level and avoid getting pulled down into the technical level?”
  1. “You do what I call a flyover. Stay at the very 20,000-foot level.
  2. Answer the question, but in a more high-level way that gives them enough flavor of your background and experience that you know what you’re talking about.
  3. But then, pivot because you wanna drive the company in a positive direction so they treat you as a strategic partner and not a technologist order taker.”
Work with the business to define the materiality threshold. It’s a great way to move the discussion from a technical one to a risk-focused one. This will help define the business’s risk appetite, which may get Risk Executives and Legal involved as well.
“Pull yourself out of the technical discussions.”
You need to build a leadership team that you can trust to handle the technical challenges. The only way to gain support for the program is to spend enough time with the business leaders to align your priorities with their priorities.

Other Resources Discussed:

In Summary:

Thanks to the security leaders who joined our CISO Forum and provided such insightful advice on how to lead like a Fortune 500 CISO. If you are a security leader and would like to participate in our monthly CISO Forums, where we discuss valuable and actionable information as well as best practices and challenges, please register here.

About Tim Howard

Tim Howard is the founder of 5 technology firms including Fortify Experts, which helps companies hire the Best Cyber Talent on the Planet, provides vCISO/Advisory consulting, and NIST-based 3rd party security assessments.

How I can help you:
  1.  Join over 30,000 People Getting Free Security Leadership Improvement Advice ➡ Follow me on LinkedIn. www.linkedin.com/in/timhoward
  2.  If you want to raise the expertise or performance level of your security team, Contact me.
  3.  If you don’t have a Clear Picture of Your Cybersecurity Maturity Level or Need a Strategic Improvement Roadmap ➡ Contact me.
  4.  Join our interactive Monthly CISO Forums.