How leading CISOs build business-critical cyber cultures

Most IT and information security leaders are very familiar with the term VUCA. Standing for volatility, uncertainty, complexity, and ambiguity, it encapsulates the world we’re operating in today, one that is only going to grow more complex and uncertain over time. The best cybersecurity leaders are not only intensely aware of this reality; they’re also intentionally focused on developing and implementing strategies for thriving in a VUCA world and creating a pipeline of future-ready cyber leaders to stay ahead of ongoing disruption.At SecureIT New York last month, I had the opportunity to moderate a panel on how to empower a cyber-resilient culture, featuring three powerhouse CISOs: Laura Deaner, CISO at Northwestern Mutual; Nada Noaman, CISO at The Estée Lauder Companies (ELC); and Liz Rodgers, CISO at RAND.Amid a growing threat landscape, these CISOs emphasized the need for cybersecurity teams to understand and speak the language of the business, with a strategic eye toward driving greater customer and stakeholder value.As Noaman says, “This isn’t a job for the weak.” That’s also why it’s such a thrilling profession, and it takes more than technical skills to successfully navigate this territory. Our conversation touched on what defines a great information security leader today and how those leadership attributes fuel results for the business.The North Star: Connecting cybersecurity to the missionWith its end-to-end view of the enterprise, the cybersecurity organization is in a unique position to anticipate issues and needs, influence business strategy, and proactively drive business change and impact. Yet many cyber professionals remain head-down in the weeds, lacking perspective on the role they play in advancing the business mission. The best CISOs are intentional about making sure their people understand their purpose and connection to the business. It’s part of how they elevate the function beyond tactical order-taker or trusted advisor to forward-thinking, innovative partner.ELC’s Noaman has made it a priority to develop this business-first orientation across her organization. “I tell them that, no matter what role you play, you are a piece of a puzzle, and without that piece, the puzzle is not complete. You have to know where you fit into that puzzle to be able to say, ‘If I didn’t do this contributing part, we would never achieve that goal.’ To know where you fit and to know how the work you do contributes to the end goal is everything.”Nada Noaman, CISO, The Estée Lauder CompaniesThe Estée Lauder CompaniesThis mindset is evident in the way her team members “show up” with their business colleagues, she says. They’re thinking about the value they provide in terms of both the problem they’re working on and their overarching mission, which is customer-focused security.Ultimately, she says, this is about building consensus, and the No. 1 stakeholder in building consensus is your team.“When you get them to understand the North Star of what you’re trying to achieve, the why — they know the security reasons why, but do they understand the business reasons why — that’s the part that gets them focused and motivated to move in the same direction, and to row at the exact same speed,” Noaman says. “You have to tell them what the end goal is.”Speaking the language of businessShowing up as mission-focused business enablers is key to building credibility and getting buy-in for critical security initiatives. But you can’t credibly connect with business counterparts if you don’t speak their language. In fact, one of the biggest skill gaps at all levels of the cybersecurity profession isn’t technical; it’s human: communication.“I have an amazing, dynamic, very technical team,” says Northwestern Mutual’s Deaner. “But when you’re having conversations with the business and other strategic stakeholders, they don’t necessarily know what single sign-on or muti-factor is. All they want to know is how to solve the problem.”Laura Deaner, CISO, Northwestern MutualNorthwestern MutualThe simpler you can convey it, the better. Too often, cybersecurity professionals get mired in technical jargon only to lose their audience. “Be clear, unambiguous, and direct,” Noaman advises. “If you’re up front and say exactly what you need to do and put in terms of the why, you don’t have to explain the technical things, because now everyone gets the why.”Communicating within the context of business realities is also imperative — and that requires familiarity with what business colleagues are experiencing daily. Deaner encourages her team to get to know the business, visit call centers, and listen in on calls “so that they start to feel the emotion that the person on the other end might be feeling.”Above all, says RAND’s Rodgers, remember this basic yet fundamental mantra: “Keep the priorities of the business in every conversation.”What differentiates top cyber leadersAt the leadership level, where advanced communication skills are even more important, the skills gap is often even wider. Cybersecurity and other technology professionals are typically promoted into leadership based on accomplishments as technologists. While their technical credentials may be top notch, many haven’t had much development or mentorship, if any, in core leadership competencies such as communication, influencing, client orientation, and business acumen. As Rodgers puts it, “What got you here won’t get you there. You know how to configure a firewall, but now you have to communicate to executives. You have to know the business and be able to talk about your technology, your security, the solution through the language of the business. Being able to have those conversations is what differentiates great leaders.”Liz Rodgers, CISO, RANDRANDBecause they are so foundational to the role, great communication skills have a ripple effect in leadership effectiveness. Transparency, for example, tends to build more trust, which leads to better collaboration and cooperation. “There’s less questioning of motive,” Noaman says. “We’re talking to each other and you get why we need to do this. I think the only way you can have collaboration is through transparency and simplicity of message. Because I might think we’re aligned, but unless you’re in the boat rowing with me, we aren’t.”These intuitive, human-centered skills are pivotal, particularly in the kinds of high-stress, high-stakes situations CISOs regularly deal with. As Deaner says, “I can talk about the CVSS score. But at the end of the day, nobody wants to have a bad day. And I think that’s a much better way of positioning it than getting too technical, or using fear, uncertainty, and doubt, or not making it simple and meeting people where they are.”Inspiring personal and team resilienceIn information security, where risk is widespread, attacks are becoming increasingly sophisticated, and so much is on the line, one defining attributes of successful CISOs is their courage. The good news is, courage is a muscle that can be developed just like any other. It’s also a mindset. The CISOs on this panel described various internal motivators that keep them in the game, resilient, and adaptable, even in the face of daunting challenges. They made it clear that it’s a lot easier to be courageous when you’re driven by a love for what you do and maintain a clear line of sight to the impact you’re making.One of the common threads is their focus on “moments of truth,” those points of contact between cybersecurity and various stakeholders. Leaders who are intentional about this find they’re better able to see around corners and show up more strategically as business enablers.Rodgers says it’s a lesson she learned in the early days of her career when she worked on a help desk. Fielding complaints all day takes its own kind of courage. “But the beauty of it is, you get to know people and how they work,” she says. “I got to a point where I could anticipate what they were going to want, so I started proactively providing those things. Now I’m applying that same lesson in my leadership position to anticipate what a business unit needs.”Adds Deaner, “Knowing our customers has been helpful for my team to get up to speed, and it helps you understand what you’re doing all the work for. We’re passionate, but we have a lot of days where it’s just like, man, this is crazy. Getting that sense of, I’m making an impact and protecting my customer, that’s wonderful.”In this industry, “there’s always something that keeps you completely on your toes,” Noaman says. “It’s built into the job description but also built in those of us who were raised in the cyber field. We learn it through scar tissue.”It takes great leaders to build a culture where people can thrive in a high-pressure environment rather than getting dragged down by it. With burnout on the rise, cultivating, attracting, engaging, and retaining the best talent is priority No. 1 for top-performing CISOs — because they know they can’t protect stakeholders and accomplish the mission without a skilled, inspired, and aligned team.“I use the analogy of driving cross country,” Noaman says. “We’re going from point A to point B, and we have these goals. I’m not going to tell you how you need to get there. I’m not going to tell you what you need to do. That’s your jobs. It’s my job to get you ready for the road trip, because it’s a journey. As a leader, I have to set that vision and then bring the world along with me.”The leadership balancing actAs these three CISOs show, the best leaders lead with humility, empathy, adaptability, resiliency, and transparency (HEART), while holding their people accountable and focusing on delivering results. It’s a tricky balancing act. Too much focus on results, and you lose your people. But too much focus on HEART, and you lose your job.It’s something to keep in mind as we look toward developing a healthy pipeline of future-ready cybersecurity leaders. We need to make sure we’re equipping them with the technical, business, and leadership competencies this job demands. That means meeting them where they are and preparing them for the journey.“How I’ve moved people up the curve varies,” Rodgers says. “It depends on identifying leadership skills gaps. It depends on the person and where they want to go. It also depends a lot on the environment you’re in. Sometimes people haven’t been given the exposure or opportunity to shine. To pull young leaders up the curve, you have to be intentional.”If there’s one overarching lesson to be gleaned from these leaders’ successes, it is exactly that: Be intentional. Consider how much change is going on in your world right now. This is the slowest that change is ever going to be going forward. Intentionality and focus — on culture, talent, and business impact — have never been more essential.