It’s the relationships, stupid.
HA HA! Driving improved security outcomes from high-complexity cross-functional workflows through improved working relationships!

I spend a significant amount of my time thinking about my job. Sure, being CISO is a job with lots to worry about, but that’s not what I mean. I mean the role itself, how it fits in organizationally, and what being “good” at the job actually means. I wrote a little about some of this previously.

A CISO can develop many skills that, tactically, improve their impact (e.g., board presence, metrics, talent and leadership development). But there is one specific skill set that, strategically, gives the CISO, and the entire security org, the biggest impact.

Strong and Healthy Relationships

A CISO’s job is not to wield power with an iron fist, descending from on high with a mighty ‘no’ in a heroic quest to leverage secret security knowledge to save an organization from itself. The CISO’s job is about helping your organization succeed. Certainly, a CISO is in a unique position to earn sole credit for helping an organization fail. But, to help an organization truly succeed, you can’t go it alone. All CISOs operate under a common constraint: limited resources. You literally cannot succeed unilaterally. Don’t let the first time you need to ask for something from someone be the first time you’re meeting them.

Who should you be building relationships with? The effective CISO needs to understand how the organization works, both theoretically (how the org chart looks) and practically (who the real influencers are). Your partners are the people you’re working with regularly to get things done, both reactively and proactively. This is a good place to prioritize. For a CISO, at a minimum, this group is usually your organization’s General Counsel (GC), Head of Comms and/or PR. Your CTO, CIO, CFO, Head of Sales or Customer Success are great candidates too (especially if one of these is your boss). Focus on anyone who is involved in the nexus of problems and solutions.

You may also want to spend time more broadly with some Influencers. These are the people who, even though they may not have a specific role in approving or executing on work your team is doing, are a natural kind of glue that holds the org together. Good relationships here will inevitably help things run more smoothly. These people are frequently more senior Individual Contributors (TPMs, Auditors, Architects, Principal Engineers, FP&A Analysts, etc.).

Finally, it should go without saying, but your own team, big or small, is a key source of information for you as a CISO. Your security team is spending their days learning where the bodies are buried, the legends and present-day impact of historical decisions, and assessing the impact of these discoveries, all in the name of anticipating where the next big security issue could come from for your org. You will bring more value to your partners and influencers across the organization if your input to them is informed by a solid understanding of your own team’s hopes and fears.

Building relationships does not come easily to some of us. This is a skill I have to actively work at and invest time developing for myself. The good news is, there is a wealth of information out there about relationship building. You can read, listen, and watch to help level up your skills as well.

For me, I have three simple rules:

  • Make time
  • Listen well
  • Be real

Make time: Building, developing, and maintaining good relationships is as much a part of the CISO’s job as managing risk or tweeting hot takes about security vendors. So, if you’re making time for “thought leadership” you better be making time for your relationships. This means actively asking for time and scheduling recurring sessions (meetings, coffee, lunch, etc.) with the people you want to build, develop, and maintain relationships with.

Listen well: There are endless volumes written about this topic. I’m on my own journey to improve here. So, I’ll spare you any posturing that I’m an expert and just say this: You don’t learn about others by listening to what you have to say. Make this time about them. You’ll be amazed what a difference it makes.

Be real: Working relationships, like all relationships, operate on trust. You need trust. You need to give trust, just as much as you need to receive it. Sure, security is important, and the potential negative outcomes that are possible are very scary. So, you could potentially get by on fear as the basis of your relationship. For a time. But, not only is fear a poor base to build trust upon, fear is a poor way to manage and communicate about risk at scale. Instead, be clear about what you’re doing and why. Help others understand how you see problems, how you’re coming to decisions, and how their help is important to a good outcome for everyone.

So, when should you plan to start this? Now. Right now. If you’re starting a new role, that’s the perfect time. If you’ve been in your role for years, now is still a good time. Spoiler Alert: No one wants to have a bad relationship with you. Humans are social animals. If this is news to you, congratulations, you now have one more secret to help you succeed. If this is old hat, consider this your regular reminder that you need to keep at it.

Greg Schneider, CPP, CPT

Global Security Services Manager, Protective Intelligence Specialist, International Lecturer & Instructor

5 years

Well written and quite relevant.

Carlos Rodriguez

Understand your Risk. Simplify Cybersecurity. Incremental Cybersecurity Risk | vCISO

5 years

I am actually in the middle of writing an article on this very topic. I see myself as the head of Security RELATIONSHIP Management. That's the key element to succeed; that was the key element for CIOs to succeed and finally be elevated to senior business leadership level and responsibilities/partnerships.

Jake Volpe

Account Manager at Crowdstrike

5 years

I am always working on my listening skills. I believe this is something that you can't ever be satisfied with but something to always work on and strive to be better at.

Alex Jones

Security Architecture, Leadership, Delivery, Evangelism.

5 years

Excellent write up Geoff!

Well phrased text, and having good relationships sounds like great advice. However, if we disregard the job role for a moment and focus solely on the issue of maintaining a relationship, it seems a significant portion of modern society fails to sustain relationships even when built on very intimate grounds. This makes me suspect that having good relationships is as usual advice as "be rich" or "be excellent". It certainly doesn't hurt but you can't take it for granted. ;-) Also, the job role might come with some professional assessments which could end up at odds with your colleagues, then how would you prioritize? Company interests over personal relationships? Most likely.
