Have you ever heard of a CISO or vCISO entering an organization with guns blazing, slinging policy, implementing a new method of identity and access management within the first 60 days, mandating awareness training, and launching phishing simulations without first thoroughly understanding the business, the business culture, and developing relationships with stakeholders? If you have, I’m sure the outcome wasn’t favorable. Let’s explore why relationships are the cornerstone of a CISO’s success.
In today’s fast-paced corporate world, the role of a CISO or vCISO goes far beyond technical expertise. Success hinges on understanding the organization deeply and building trusted relationships. Yet, some leaders rush in with sweeping changes, only to face resistance or failure. Why? Because they overlooked the most critical aspect of their role: relationships.
HUMANS
We are constantly surrounded by individuals from all walks of life, with different genders, races, religions, belief structures, work ethics, upbringings, education, and knowledge. No matter their title, level of education, or position in life, humans experience love, laughter, anger, disappointment, anxiety, and failures. If you identify with any of this, then you might be human.
And this shared humanity is precisely what makes relationships so critical in cybersecurity leadership. Before diving into strategies or processes, understanding the people you work with is key.
THE CHAMELEON
Why a chameleon? Because they are masters of change and adaptation, depending on their environment. CISOs must be chameleons.
Like chameleons, CISOs must blend into their surroundings—not to disappear but to observe, understand, and connect with those around them. This skill is invaluable when building bridges across diverse teams and perspectives.
Whether or not, in your personal life, you accept people who are different and have different perspectives, personalities, church affiliations, or political views, in business, you must be willing to accept them for who they are and learn to collaborate effectively based on each other’s strengths and weaknesses. As a CISO or any leader, you must adapt to each person you interact with, like a chameleon. This ongoing interaction with your peers, subordinates, or the C-Suite must remain free from stereotypes or judgment.
UNDERSTAND THE BUSINESS
A CISO who doesn’t understand the business cannot effectively prioritize risks, align with goals, or communicate with leadership. That’s why doing your homework is non-negotiable.
I do my homework beforehand, understanding the organization and how it makes money. Is it a retailer, bank, manufacturer, or services company? Is it publicly traded or a private LLC? If public, is there an 8-K or a 10-K from which I can glean additional information? If they’ve filed an 8-K, how much did they disclose? What were the circumstances? If they’re a private company, have they been breached? Can I find out what their revenue projections were last year? Did they meet or exceed expectations? Who are their competitors? Who might want to do them harm? Do they transmit, process, or store sensitive information? What intellectual property may they want to protect? What compliance mandates might they be subject to?
These questions aren’t just about gathering information—they’re about framing your security strategy in a way that aligns with the organization’s mission and priorities.
TIP: Performing this type of homework before being interviewed will surely increase your chances of being hired in the first place.
ASSESS THE DYNAMIC
Adapting to people is vital, but understanding the organizational dynamic is just as crucial.
When I enter an organization as a vCISO, my goal is to learn the culture of the organization and the individuals with whom I will be spending most of my time. Usually, it’s the CIO or VP of Technology, IT manager, DevOps leader, Cloud Architect, or Security Team. I’ll stop here to break down these different roles by personality traits.
CIO: What kind of person is he or she? Is he or she talkative and willing to share the deep, dark secrets of the organization, or does he or she keep things close to the chest?
As I probe for answers related to the organization and the cybersecurity posture, do I sense that they are overprotective of what the team has accomplished, or that they are frustrated and want to continuously improve?
IT Manager: These conversations may start out discussing asset management, identity and access management, change control, connectivity, exposure to the Internet, and who is responsible for what. Get a feeling of whether they will work with you or against you.
Discuss what they’re passionate about, whether or not it relates to the security headache they created (unnecessary jab). I’ve worked with some IT managers who are very cybersecurity savvy and build security controls into everything they do. The point here is to build trust and credibility. Educate them without being condescending.
DevOps Leader: Well, we all know that developers are a different breed. Extremely smart and focused, able to take a set of requirements and turn it into a robust, well-thought-out interface. They understand version control, dependencies and libraries, APIs, and often multiple coding languages. But are they social individuals? Most of the time, not so much, and if they haven’t taken a secure coding class, the last thing they want to do is hear you tell them how to implement the OWASP top 10.
You must adapt to their way of interaction and build trust over time. If immediate changes need to be made, sit down with him or her and help them understand the implications of not making the change. Again, they are very smart individuals.
Cloud Architect: Often, these are engineers who saw an opportunity to learn complex, dynamic, and ever-changing new things. This person understands things like Kubernetes, containers, microservices, EC2 instances, S3 buckets, and blobs. Blobs…blobs, what’s a blob? Azure Blob Storage is Microsoft’s counterpart to an S3 bucket in AWS or a GCS bucket in Google Cloud, used to store files, media, backups, etc.
Work with this person to understand his or her vision for how the architecture will grow and remain resilient. Ask how you can help improve how things are currently being done or make user management more efficient. Who is this person? Is he or she lazy, motivated, or extremely passionate? No matter what version you see, it’s your responsibility to develop trust and credibility.
THE BUSINESS MACHINE
Now that we’ve discussed the technical side of the business, I’ll address the business machine. CISOs or vCISOs must often learn about and understand the company from a business perspective. That means understanding a little about Human Resources, Finance, Legal, Mergers and Acquisitions, and Procurement. Each of these areas plays a significant role in the success or failure of a vCISO.
Human Resources, for instance: aside from the fact that you wouldn’t have a job without them, you must understand their hiring and exit processes and procedures. This group will interact directly with IT during onboarding and offboarding, so it’s essential to understand the process flow, whether background checks are done, and whether there is a checklist and process for bringing on new hires and showing others the door. What type of user awareness training do they provide? Do they incorporate security training and phishing testing, or is that IT’s responsibility? Most importantly, what systems store employee records?
Finance: this person can make or break your success when requesting a sizable budget for next year’s cybersecurity initiatives. This is also the person who can help you understand the financial aspects of the business, which is a big help when you go in front of the board or the C-Suite to present your quarterly report. You’ve heard the phrase, ‘You must learn to speak in business terms.’ Well, this will help quantify some of your metrics and perhaps show off that you eliminated a tool that costs $250k per year and backfilled the function with a tool that already exists but has been untouched. Getting the tool functioning and performing its tasks only costs an extra headcount at $110k per year, with a total cost savings of $140k. WINNING!
Be good friends with the legal team and use them often. Legal will help you stay out of trouble and guide you through some of the cryptic language of regulatory compliance mandates. You will want legal by your side when you develop an incident response plan and CIRT to ensure that you are working within the confines of the law, especially regarding data handling and preservation, referred to as chain-of-custody.
Procurement will help you sort through all your vendors and understand the relationship between the vendor and your organization. Do third- and fourth-party risks come to mind? Procurement will fight to keep costs down when purchasing goods and services by haggling with the vendors for better pricing. I don’t think they use the term haggling, but you get the idea.
TO THE POINT
The point is this: in cybersecurity leadership, you must be able to adapt, accept, communicate, and partner with individuals throughout your organization. “You get more bees with honey than you do with vinegar,” as the saying goes, and it applies here. Don’t get me wrong, you don’t have to be a pushover or have beers with the CFO every Friday after work, but being a cybersecurity leader takes strong leadership abilities. You will face adversity and pushback, but when you build trusting relationships, life will be much easier for you and the organization.
In the end, the CISO’s success doesn’t rest solely on their technical skills but on their ability to understand people, the business, and the bigger picture. By fostering trust and collaboration, you not only enhance security but also become a vital partner in your organization’s success.
CLOSING THOUGHT
I will leave you with this:
“People don’t care how much you know until they know how much you care.”
–Theodore Roosevelt
By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA