Editor’s note: The following is a guest article from Nader Henein, a VP Analyst at Gartner who focuses on best practices to enable businesses and cybersecurity leadership.
Job descriptions for CISOs consistently list requirements built from open-ended, nonquantifiable targets, such as "reduce enterprise risk" or "reduce malware attacks." Demands that cannot be attained or even tracked erode a sense of professional efficacy.
Consequently, CISOs suffer one of the worst burnout rates of any leadership role.
Trust is an indispensable asset to organizations and employees and is considered one of the best indicators of business success, yet it rarely appears in a CISO’s job description. Instead of focusing on a list of nebulous targets, CISOs should focus on delivering trust to three key constituencies: their leadership, their peers and their inner circle.
Trust at the senior-leadership level is hard to build and develop, so the first step is to define precisely what trust means for the CISO with each of these constituencies.
How to build trust among senior leaders
Traditionally, CISOs lay out a strategy to enforce better compliance, develop security rigor and lower incident rates. These initiatives can contribute to the development of trust for one or more of their constituencies. However, incidents will happen, rigor will falter, and without trust, constituencies will start to look elsewhere for support.
In order for senior business leaders to trust CISOs with necessary power and resources, they must know that the CISO understands the organization’s goals and can adapt quickly as business needs shift, aligning their team to support and deliver against these priorities.
Oftentimes, if CISOs go back to their job descriptions, there will be nothing related to understanding, adapting to or aligning with organizational goals. This is because job descriptions are typically written by professionals within HR, who may lack a true understanding of CISOs’ responsibilities and requirements.
Senior leadership has no dashboard that shows how well a CISO understands, adapts to and aligns with the organization's goals. CISOs should therefore supply their own evidence: track security staff engagement and turnover, and report continuous improvement in the capability maturity of the organization's cybersecurity program.
How to build trust among employees
The CISO’s inner circle will, by definition, work very closely with the CISO on a day-to-day basis. For these employees, trust is a question of communication and delegation.
Many leaders fail at communication. Specifically, they hand down direction without explaining the values behind it. Leaders should keep an open dialogue with their employees so that the team understands the reasoning behind the CISO's decisions, the purpose of the team's work and the importance of their own role.
Doing so creates a community of increased trust and shared meaning.
Although many CISOs have the technical background to decide most of the questions that cross their desk, that does not mean they should be making all the decisions. The further a decision is made from the outcome, the more error-prone that decision is likely to be.
By delegating, leaders empower their employees, making them feel more valued and trusted in their roles, thus improving the probability of success along the way. Developing trust within the CISO’s inner circle starts by trusting them to own their responsibility and make their own decisions.
The importance of trust among leaders and employees
Many CISOs see trust represented as a series of vectors, such as integrity, reliability and competency. Organizations that can organically build trust will secure the engagement and resources necessary to build a credible security program that balances protection, cost and stakeholder definability.
When other executive leaders trust the CISO, they are less likely to micromanage and become more inclined to support their security program, knowing they are working toward reaching leadership’s expectations. When trust is established among leaders, employees will listen when their CISO needs to drive new priorities.
Conversely, when leaders lose trust in a CISO, they may bypass their CISO and go directly to a security vendor for incident reports.
Overall, trust between senior leadership and the CISO enables a collaborative and proactive approach to security, as well as an agile and resilient response to security incidents and crises.
Regarding the CISO’s inner circle of employees, trust empowers them to lead and influence a culture of security and awareness across the organization. Trust enables the organization to attract and retain talent in a competitive market.
Employees who trust their leader are far more likely to follow them through good and bad times.