12 Steps Every CISO Should Take To Earn Buy-In
So you’re a Chief Information Security Officer? Things are looking up. The CISO position is escalating in terms of pay, credibility, and relevance within organizations year over year. According to ISACA’s State of Cybersecurity Report 2017, 65% of organizations now employ a CISO – up from just 50% last year.
Despite the added grandeur and responsibility, you may not always get the respect you deserve. The rest of the C-suite often doesn’t understand how security fits into the business equation. Oftentimes, it’s not them, it’s you. Not all CISOs are seasoned at playing by the traditional rules of the executive team. Many security leaders have grown into their role from a functional and technical background and lack true business or executive experience. For this reason, many initiatives pitched by the average CISO fail to garner support or receive funding. If you’re a CISO looking to have your next project approved, here are some prescriptive dos and don’ts for your next pitch.
1. Choose Your Battles
Before you start selling your next initiative, be sure it is one that will help the business. An information security solution is only appealing to your executive team if it solves a business issue. The average information security officer does not have opportunities to spearhead costly security-driven initiatives. Make the ones you pursue count by aligning them to business needs.
2. Do Your Homework
Determine which initiative has the largest impact on your ability to make progress on your cybersecurity strategy, fulfill your duties as CISO, and best serve the needs of the business. After you have settled on your selection, be sure to outline a clear plan of action for the problem you are looking to solve and research how implementing a particular program will lead to an overall return on investment to the business (not just the information security group). Create a list of measurable objectives that represent a “successful” initiative. If you are seeking a solution, be sure to explore five or more solutions, with a target of three candidates for final consideration. Don’t be bothered by provider pitches. Remember, it’s you who will be doing the selling! Understand how the solution measures against your objectives and rely only on currently available solutions and features.
3. Know Your Senior Executive Audience
You’re not the only one in the organization with goals. Remember that every member of the executive team, including the CEO, has a particular vision he or she is trying to execute, whether it’s increasing customer engagement, expanding research and development, or focusing on top-line revenue. Each executive is evaluated on those goals through a set of key performance indicators (KPIs). If you have a complete understanding of how each member of the team contributes to the business and how they are evaluated, then you have a defined path to determine how to persuade those individuals.
4. Make Executive Allies
Taking the previous suggestion a step further, try to go into battle with an ally. Coalitions work. If you know how other team members are evaluated and you have a clear understanding of the objectives targeted within your initiative, then you can start to piece together how your project might also suit the needs of other executive team members. Ahead of the meeting, refine your sales pitch to speak specifically to their points of interest and solicit their buy-in on your program implementation. Get them on your side prior to the big meeting.
5. Practice Your Pitch
You’re good, but you’re not that good. Think through the potential holes someone could poke in your requests. Consult reliable and brutally honest colleagues as necessary. Don’t let your pride get in the way of a win.
6. Position in Terms of Organizational Benefits
Outside of individual benefits and executive evaluations, your initiative likely has some positive impact on the broader organization and its overall security posture. That’s why you’re doing this in the first place, isn’t it? The executive team needs to know that you understand how money spent on cybersecurity positively impacts the organization and moves it forward.
7. Do Not Get Technical
One of the biggest ways that CISOs undermine their own credibility is by throwing around security terminology and IT “speak” to seasoned business folks. This is not the time to give a technical lesson. It immediately causes what the late behavioral psychologist Leon Festinger would call “cognitive dissonance.” The average executive will glaze over the second you start outlining public key infrastructure. Speak to the benefits of any solution you’re exploring – don’t explain the technology unless requested to do so. If you must get technical, have a plan ahead of time for how you will convey the complexity of the technology without being too detailed or oversimplified (as this can have the opposite effect of being perceived as condescending).
8. Get to the Point
You’re not going to have a lot of time. Your initiative is likely a line item on a loaded agenda. Figure out a way to hone your pitch like you landed a five-minute spot on Shark Tank.
9. Highlight the Competition
Benchmarking can matter. Are your primary industry peers and competitors already taking advantage of the solution you’re pitching? They may have just won this battle for you. Highlight competitors who have achieved a higher level of security than the status quo in your organization. No executive wants to be behind the curve, especially if it is hurting the business.
10. Outline Opportunity Costs
Historically, fear-mongering is not the best way to make a sale. That said, this is security, isn’t it? The opportunity cost of failing to support your initiative is real and sizeable. You’ve likely heard a thousand pitches yourself quoting the cost of a single private record, a piece of intellectual property, and the largest breach. Be sure you can support your initiative with relevant statistics that clearly outline the risks of NOT supporting your effort.
11. Provide Options
The other executives in the room have listened to your pitch – do you want to leave them with a simple yes or no and risk the demise of your initiative in a single blow? Of course not. Steal a tactic from the world of consulting and give your leadership team options. Providing choices accomplishes two major goals: 1) it makes the executive team feel like they have a say in the matter, and 2) it allows you to position your preferred option in moving forward.
12. Anchor High
As in any negotiation, it can be beneficial to anchor the negotiation well beyond what you’re willing to concede. In other words, if you need $5M for your three-year initiative, it behooves you to anchor the discussion at a value significantly greater than $5M. In this example, when you concede in compromise you end up much closer to your desired allocation.
As Ed Powers, U.S. leader of cyber risk services and principal, Deloitte & Touche LLP, stated, “An effective CISO can no longer rely on his or her technical expertise alone. They must understand how strategic initiatives create risks and develop security programs that balance the need to drive business performance with the growing realities and complexities of protecting customers, intellectual property, and brand.”
You need to prove that you truly understand the needs of organizations based on this growing expectation. If you are able to do that as CISO, you might just close the sale on your next pitch.
If you’re a CISO and your C-Suite needs training, partner with us to ensure your executives have the right knowledge. Contact us to schedule a Cyber Resolve training session for your board or executive team.