September 19, 2023

CISO: This is How to Decipher your Company’s Culture

Yael N.
author
Chris Veltsos
co-author

Why should you read this?

  • Hack your company’s culture to drive an outcome.
  • Find ways to be more effective in your role.
  • You want to know what will land and what will be a landmine.

You should read this if you…

  • Wonder how to make a bigger impact at the company.
  • Wonder where to focus for greater success.
  • Are new to an organization and want to learn what things matter.

There are four elements of an organization’s culture that help CISOs:

  • Understand the ‘scope’ of your CISO role
  • Prioritize security initiatives for success

Accelerating security impact is good for business and good for security.
Read on to learn how to interpret your company’s Decision Making, Recognition, Communication, and Governance & Accountability.

Decision Making

Inevitably, the CISO will present decisions, some more difficult than others, to their leadership. Knowing in advance how to position and frame changes and decisions, whether for a budget request or in a crisis, can make a significant difference in how quickly a decision is reached. Investigate everything about how “important” decisions get made at the company, and specifically understand who the deciders are and how decisions are considered.

Who are the deciders?

  • Understand the dynamic of decision makers as it relates to each person’s role.
  • This enables you to bring the right content to the right person at the right time. 

How are the decisions contemplated?

  • Being credible and effective is essential when presenting an idea that requires budget, resources, or buy-in.
  • Success begins with getting your program approved.

How are business cases structured?

This is the easy one. Every company has a ‘process’ for business cases.

  • Ask for a few successful examples and make them your template.
  • Remember, credibility is established by having a track record of success. 

Recognition 

To understand the “type” of CISO the company is expecting you to be, consider how praise and criticism are attributed.

  • Is it different for successes vs losses?
  • Is it different for individuals vs teams?

Recognition defines employee motivation.

  • Understand how people and projects are recognized.
  • Praise and recognition tell you a lot about the kinds of people that ‘thrive’ in the organization. 

How are individuals praised?

  • Notice whether a company calls out individual names, project teams, or departments in their communications.
  • This tells you as much about how those individuals may be feeling as it does about what the company values.

How are projects recognized?

  • Every company defines the success of projects differently.
  • A company that showcases their failed projects as learning opportunities or worthwhile experiments demonstrates confidence.
  • It also gives you a peek into their values: successful projects naturally breed future projects and benefit from investment.

Communication

The way that a company plans, organizes, and delivers messages tells the CISO what will be expected of them.

  • It also provides the format for how to deliver updates about the security program.

What we say matters.

  • By the same token, how we say it, when we choose to say it, and where we say it also matter.
  • Not only does it inform our stakeholders, it also reflects our values and principles.

When are messages shared with which audience?

  • CISOs are required to balance transparency with imperfect information.
  • Further, they know when to protect the message with legal privilege. 

Are different types of messages communicated differently?

  • Every company defines their communication threshold differently.
  • A company that tunes their communication to their audience indicates maturity and situational awareness.
  • Strive to understand your audience & their expectations, and reflect them in your communication approach.

Governance & Accountability

Effective security requires a collective defense. How a company approaches governance and defines accountability is an indicator of how security priorities and investments will be set.

What is the current governance framework?

  • The discipline of governance may exist because of regulation or a prior incident.
  • Regardless of the why, understanding the way that it operates and its influence will inform the available leverage points and priorities of a control function.

How is accountability practiced?

Inherently, people prioritize the behaviors that they are rewarded and compensated for. A culture of accountability is set at the top – but only if it is a priority. 

  • How the organization defines who owns the risk and who is responsible for the controls will guide how the CISO has risk conversations. 
  • Understand who owns the risk and who is accountable for keeping risk within tolerance.

Spend the Time

Invest time to observe, analyze, and assess your company’s culture. This will enable you to optimize your efforts and resources on the programs that will drive the greatest impact and give you the ‘operating manual’ for how to succeed in your role at this company.
