Respect the Past and Plan for the Future

The post is about how a new CISO, or any leader for that matter, can be more successful by spending time understanding the people around them and their decisions before they start plotting out immediate changes.

Using empathy to succeed in a new role

Whether you’re a first-timer or veteran CISO, stepping in as the new leader of a security organization can simultaneously feel thrilling and terrifying. We want to make a lasting impact and to make things better, but navigating the waters of a new organization is not trivial. Both you and your new organization are entering a relationship with established bias formed by previous experiences that affects the way you think about security and solving problems in general. I know first-hand that ignoring or misunderstanding this dynamic doesn’t only impact your success as a CISO, but the success of your team as well.

Empathy gives you critical context

Raise your hand if you’ve ever joined a new company, poked around their environment, and thought, “What a mess! Who did this and how quickly can I change it?” ✋🏼 Yeah, me too, and I was wrong. Too often, we assume that our own experience – the time we spent in whatever industries, sectors, or cultures that shaped our perspective – is the only valid one.

You arrive at a new company with a certain set of experiences. Some experiences you add to your toolkit because they are great, while others you add to a list of things to never do. A common tendency is to enforce those pre-existing conclusions at the new organization, before you’ve taken adequate stock of why certain decisions were made before you showed up. The company, team, and staff also have pre-existing opinions of the situation, attitudes towards other teams (good and bad), and ideas about what should or shouldn’t be done.

An effective leader takes the time to understand why previous decisions were made because they were made for a reason. They may not make sense now, but they did at the time. And the truth is, organizations protect their assets and data in different, but legitimate ways based on their specific mission and needs.

Even companies within the same industry or peer group have different ways of engaging with their users and stakeholders because their technology behaves differently. Additionally, security at every organization is built over time by a string of decisions made to support the specific situations and threats they faced. Eventually this evolves into the security program you find on day one.

There are many different combinations of decisions, situations, and people that shape how security grows inside a company. So, our own previous experiences as security professionals, however long or deep they may be, aren’t written in stone as a single source of truth for everyone else on how things should be done.

I started my tech career in the Marine Corps as a communications officer responsible for setting up a complete communications package (radio, computers, sat links, etc.) anywhere in the world within 12 hours. At the time, my objectives and thoughts about security were purely physical (dust, heat, etc.). It was someone else’s job to worry about digital adversaries, so I didn’t think that much about it.

That changed as I transitioned into a cybersecurity role at Marine Corps Recruiting Command, where I had to learn how to relate new digital concepts to the physical ones I already knew, like how to secure endpoints whose physical presence I couldn’t control. I immediately discovered that my toolkit of go-to actions was largely irrelevant in this new environment, and I had to quickly take stock of the cultural and technical history of each new organization to determine the best path forward.

Empathy also earns you influence

As a new leader joining the team, you have a rare opportunity to view the situation with fresh eyes. Here are a few of my go-to tips based on multiple experiences as the new leader or CISO:

  1. Take the opinions, attitudes, and ideas of existing staff as points of information that carry equal (if not greater) weight to your own experience and opinions.
  2. Do so with empathy: attempt to see the emotional and squishy logic behind the actions of individuals and the history between teams.
  3. Include your leadership and company management in your assessment before making big decisions. Ask yourself what your peers and your leadership are worried about or concerned with. Did they have a contentious relationship with your predecessor?

Being able to conceptualize another person’s motivations, background, current state, and what they may want out of a certain situation is a superpower inside a company. Unfortunately, a lot of security leaders misunderstand their role and approach security as a performance art rather than a service role, digging in their heels like the leader of a band that never makes music for anyone else to listen to. Effective security teams, and the people who lead them, make themselves critical to the company’s mission by taking the time to understand how we got to this point and where we’re going next. At companies where security teams can’t empathize with the situations, needs, and motivations of others, their function is viewed as a zero-sum game where money is the answer and avoiding awareness of breaches is paramount. Take the time and consideration to build empathy into your evaluation and planning process so you can become a valued addition to the leadership team and company’s mission.