Security executives must lead through influence rather than control

In digital world, corporate hierarchies fade, and finding best solution often takes a village

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

How do you lead when you’re not in charge? Increas­ing­ly, man­agers are find­ing them­selves in posi­tions where they are asked to lead with­out hav­ing direct control.

Grow­ing and shift­ing orga­ni­za­tions often mean few­er man­agers with posi­tion­al pow­er. Matrixed orga­ni­za­tions put man­agers in mul­ti­ple lead­er­ship and fol­low­er roles. Major cor­po­rate ini­tia­tives like qual­i­ty, secu­ri­ty, diver­si­ty and sus­tain­abil­i­ty often are led by man­agers with lit­tle direct authority.

In all of those sit­u­a­tions, suc­cess­ful lead­ers must estab­lish cred­i­bil­i­ty, build trust­ed rela­tion­ships, and per­suade oth­ers to take action.

Relat­ed video: Howard Schmidt dis­cuss­es get­ting orga­ni­za­tions to be proac­tive about security

In any gath­er­ing of secu­ri­ty exec­u­tives, the con­ver­sa­tion often turns to the chal­lenges of lead­ing with­out direct con­trol. Yes, secu­ri­ty exec­u­tives can imple­ment tech­nolo­gies that catch spam or black­list mali­cious websites.

But these kinds of ini­tia­tives only scratch the sur­face of build­ing a secure orga­ni­za­tion. In recent inter­views with chief infor­ma­tion secu­ri­ty offi­cers (CISOs), exec­u­tives shared hints on how they lead through influ­ence. Here are three themes that are use­ful for lead­ers in any area:

Stay pos­i­tive. When try­ing to get orga­ni­za­tions to change or react to a threat, it is easy to go neg­a­tive. While it is impor­tant to com­mu­ni­cate risks, there is a dif­fer­ence between illu­mi­nat­ing risks and proph­esy­ing doom. A mea­sured approach to risk will help build cred­i­bil­i­ty and give oth­ers the con­fi­dence to make need­ed changes. An end­less parade of fear even­tu­al­ly will lead to dis­be­lief and inaction.

Think crit­i­cal­ly. Put your­self in the posi­tion of oth­ers. When you are lead­ing an ini­tia­tive like diver­si­ty or secu­ri­ty, it is easy to fall into the trap of mono-think­ing. To influ­ence oth­ers, you have to under­stand and address the chal­lenges faced by oth­ers and how every­one is work­ing to achieve broad­er busi­ness goals. Con­sid­er­ing alter­na­tive per­spec­tives helps build trust. As Paul Con­nel­ly (VP and CISO of HCA Health­care) not­ed, influ­ence is about inte­gra­tion. Secu­ri­ty solu­tions “have to work with our doc­tors and our nurs­es … they have to work from the busi­ness perspective.”

Do some­thing. Influ­enc­ing is not just per­suad­ing oth­ers to act. You have to take action your­self and help oth­ers take action. Charles Lebo (VP and CISO of Kin­dred Health­care) not­ed the ever-present bal­anc­ing act between build­ing con­sen­sus and tak­ing action. You may not have a per­fect solu­tion, but wait­ing for a big­ger bud­get, more author­i­ty, or some­thing else like­ly will lead to inac­tion across the orga­ni­za­tion. By demon­strat­ing a will­ing­ness to roll up your sleeves and help oth­ers make small changes, you can influ­ence the orga­ni­za­tion to take larg­er steps.

More sto­ries relat­ed to effec­tive leadership:
Brown Uni­ver­si­ty launch­es mile­stone exec­u­tive cyber­se­cu­ri­ty program
An eth­i­cal busi­ness cul­ture should be first line of defense against cyber risk
Orga­ni­za­tions must real­ize cyber­se­cu­ri­ty is not just an IT problem