Security teams are heading into 2023 with strong headwinds. CISOs should take notice and consider how to adapt their playbooks to the needs of the business and the company culture they actually operate in.
What’s different in 2023? Your security teams are tired. Constraints have multiplied. Corporate operating standards have changed and hardened. You’ve likely heard (or even said):
- “Just tell me what you want me to do”
- “Budget needs to be flat to down”; “We’re pausing hiring”; “We cannot invest in training”
- “The way we confirm and approve projects / investments is now [insert something different from before]”
- “I recently left my CISO gig and am taking a break. I’m not sure I’ll be a CISO again.”
This article shares three strategies that will help security leaders achieve their 2023 objectives in spite of the headwinds.
Defining the 2023 Headwinds
For many security teams, heading into 2023 feels like heading into a storm. What’s driving these challenges?
- Teams are tired(er): The cognitive load of the past year, or the past three years, has worn a lot of people down. In some cases they have thrown up their hands and said, “Just tell me what to do,” without realizing (or perhaps while realizing) that what we actually want them to do is think about what could be done, what should be done, how to do it, and which option is better. All of that happens before “just tell me what you want me to do.” So when we hear that phrase, it should be an alarm bell: people feel drained, work is harder for whatever reason, and they feel less committed.
- Constraints are everywhere: And there is a widespread feeling that “this time is different.” Budgets are constricting, open roles are being put on hold, and whole teams are being dismantled. This is being felt internally across the enterprise and externally in our client base. No matter the industry, 2023 is unlikely to provide the same ease of access to resources that CISOs experienced in 2021 and 2022. When you do ask for more, you will have to do a far better job of justifying why, and of showing the return on the investment.
- Operating standards are being re-evaluated: Company executives are making changes to how things get done that have ripple effects at the departmental and team level. Whether communicated intentionally or on the fly, leaders are applying new thresholds to decisions and new expectations for delivery. In a hybrid work environment, messages about change often lag the actual change, and department leaders, including CISOs, find themselves flat-footed or confused.
1. Address the Predictable Things
Stop. Observe. Listen. What are the things that will be asked and expected of you and your security team?
- Gather those. List them. Organize them on a schedule, so you can quickly see how these pressure points are located on your (and your team’s) calendar.
- Review your and your team’s preparation for each of those items.
- Review the audience/attendees for each. Are you pitching them the right way?
Why? This reflection activity stabilizes business as usual (BAU) and creates a “rhythm of the business.” Being prepared counts: it reduces stress and is key to delivering at the level expected of you and your team.
Once you have gathered and reviewed all your “predictable things,” here are some strategies for making the most impact:
- Plan and assign who will work on each item. Include appropriate guidance early in the process so the team’s energy isn’t wasted going down the wrong path.
- Keep things simple and manageable: while it may be tempting to over-engineer a solution (e.g. building a comprehensive time and issue tracker), the best solutions are often simple and manageable, both for you and for your team.
- Recruiting / onboarding: work with HR and with members of your team who are passionate about improving the experience of new recruits. Ask for feedback and listen intently to those who recently went through the experience. What worked? What didn’t? How can the process be improved? How can human connections be strengthened? Ask the newest member of your team to take charge of the process.
2. Reboot Communications
How effective is our communication? Determining this isn’t about laying blame, but about reflecting on your and your team’s successes and failures in communicating the value the cybersecurity function brings to the business. Self-reflection is good but provides only an incomplete picture; seek out honest and clear feedback from your peers.
What do you need to communicate? Here are some items that are routinely communicated by security departments:
- User impacting technology changes
- Integrations / cut overs
- Executive-level messages about security, whether initiated by the security function or, more likely, once the security function has been brought into the loop
- Regular course of business status updates
How effective have our communications been?
- Identify the people with whom we routinely communicate. Find out how we can get feedback from them to help us improve our communications.
- What are the methods we use to communicate? Are those methods “right” for each audience?
Messages should be consumable. What does that mean?
- Messages should be in the place where people expect them, both in the moment (just sent) and if needing to be retrieved (archived).
- Some messages are to be produced on a scheduled basis (e.g. quarterly). If running behind, manage expectations. Tell your audience.
Are the format and location of the communications right?
- Emails vs documents (PDFs, docs, slides) vs other channels (intranets, wikis). Different groups and different kinds of messages should be shared via different channels.
- Audio vs visual vs reading. Should something be sent as an audio message, a visual (chart, diagram, slide), or a report to be read?
3. Nurture a Community Feel
A sense of community needs regular care and feeding. Do your employees feel connected to the “community of security”? Are they engaged with it? The time and energy spent building and maintaining a sense of community helps your team achieve its full potential.
What are you doing to nurture a sense of community within your security department? How are you helping the members feel connected, like they belong?
- Do you promote team learning and problem solving, such as peer reviews or periodic reviews of an industry trend or a new solution that has just surfaced?
- Do you empower your teams to cross-train and learn from one another? This form of knowledge transfer is not only beneficial for your department, it helps foster a sense of community among your staff.
- Be wary of forced socializing. While there can be benefits to organizing social get-togethers or zoom-based happy hours, it can also create friction and alienate parts of your team.
Strategies to re-energize the team:
- Tackle problems that excite the team, even if they aren’t the most important ones.
- Use metrics to capture the baseline and measure progress concretely.
- Celebrate the outcomes intentionally. People want to feel proud of their work. Recognizing achievements reminds the team of their impact.
Conclusion
The year 2023 is already a different kind of challenge. Advancing the security program and inspiring the security team will require a different kind of leadership.
In times of uncertainty and stress it’s tempting to “stay the course” and “avoid rocking the boat.” That instinct belongs in the same category as “just tell me what you want me to do.”
The mission of protecting data and information has never been more important, and CISOs need to continue doing what they have always done, which is to do things a little bit differently:
- Address the predictable swiftly
- Reassess and reboot communications broadly
- And lean into fostering community
Security has always been a team sport, and sometimes we need to manage the same team a little bit differently to deliver significantly improved outcomes.
When revisiting and checking in on your 2023 roadmap, it’s more important than ever for the CISO to be attuned to their team and aligned with the business needs, even if that means reshuffling the priorities.