Chris Brown, Cyber Security leadership coach on bridging the gap between CISOs and CEOs
Often there can be a disconnect between a CISO and other executives of a company. Communicating a company's cybersecurity needs to a CEO or other executives can be hampered by the very technical skill that often got a cybersecurity leader into the CISO position. When there is a disconnect in that communication, it can lead the company to not be aware of the business risks that it faces, as well as leaving a CISO burnt out and potentially underperforming in their role.
Chris Brown, cybersecurity leadership coach for New Cyber Executive, is helping CISOs to navigate the complications of their role in cybersecurity by rethinking the role and what it takes to be successful.
When a CISO needs to share something important with leadership, the information is often presented to company executives with a technical framing, which leaves everyone in the room to figure out how it connects to the business. As a result, the two sides cannot communicate effectively about what they need to get done, which leads to delayed action and rubber-stamped decisions.
During Brown's coaching, when a CISO is able to redefine how they see themselves and what their role is within a company, the executives and the board start to view them with a greater appreciation. Once the CISO is better able to connect the work that they are responsible for with the components of the company, they are able to support the bottom line.
The CISOs who have gone through this process start thinking more in terms of what impact cybersecurity has on product, marketing, and sales, rather than hyper-focusing on cybersecurity for its own sake. This allows the organization to have an idea of when to bring in the CISO's expertise, and makes the experience more productive and valuable for everyone. The organizations that can best tap into their CISOs find that those skills that are unique or are more developed in a CISO can be impactful when applied to broader business challenges and aspirations.
The qualitative structured feedback process is another coaching method that Brown uses. The process is made up of two aspects: how the company views the CISO role and how the individual is performing in that role. While many other corporate functions have been around for a long time, the CISO function is relatively new. Therefore, it is beneficial to have an open conversation about the nature of the role. Through the structured feedback process, Brown has found that CISOs automatically clear misunderstandings and assumptions in relation to their areas of misalignment, high performance, and development. Through a careful selection of questions, Brown leads CISOs to unlock the value of feedback conversations.
This conversation, led by the CISO, also allows the other executives to better communicate what they need from a CISO. Specifically, the executives can share what drives the mechanics for success of the business, key levers and value drivers for their functional area, and collectively what's important to the company. This can significantly shape how the CISO can address risks to what's most important.
Brown has found, through his coaching, that when a CISO doesn't do these things, they become stressed from feeling misunderstood and not heard. This, of course, can have a negative impact on the morale of the CISO that leads to less creativity and loss of talent, not just for the CISO, but for the entire cybersecurity organization. For the business this can have a downstream financial or security impact.
The coaching Brown gives has had a large impact on reducing stress for CISOs and increasing their business leadership efficacy. Connecting better with the business often leads to the poignant realization that they are not as singly responsible for security as they imagined.
Brown says he has seen a history of CISOs with great strategy and technical work wind up with untapped talents going nowhere because of the lack of communication and understanding the CISOs have with other company executives.
"I love talking to CISOs, and through the coaching process watching them rethink how they think about themselves, watch their eyes light up, and their shoulders drop when they relax. That is personally gratifying to me and the signal that I've impacted that person in a significant way," said Brown.