This blog post is part of a series based on a webinar series of the same name conducted by Vantage in partnership with EDUCAUSE. The insights shared here are based on the robust conversations we had during that webinar series. We’d like to extend a special thanks to our panel members: Lanita Collette, Deputy CIO at the University of Arizona; Helen Patton, Cybersecurity Advisor at Cisco Systems, Inc.; and David Sherry, most recently CISO at Princeton University (on sabbatical at the time of this publication). This conversation was hosted by Vantage team members Joanna Grama, Senior Principal and Partner, and Valerie Vogel, Senior Strategic Consultant.
In the first installment of this blog series, we examined what it takes to move into a CISO role in higher education. In this post, we’ll attempt to tackle the next question: How can CISOs become influential leaders once they have the job?
Modern CISOs aren’t just technologists. They must also be skilled leaders and diplomats, navigating complex institutional dynamics with finesse. The ability to exert influence across campus in ways that achieve an information program’s strategic goals without causing friction is paramount for a successful CISO.
Being Heard on Campus
Unlike CIOs, CFOs, and other C-level positions that traditionally report directly to the institution’s president and/or board, the CISO’s reporting structure varies, both in the private sector and in higher education. Some report to CIOs, while others have reporting lines to compliance officers, CFOs, and yes, sometimes directly to the president. What matters most isn’t where the CISO sits on the org chart, but that they are heard and trusted when it counts.
Regardless of reporting structure, CISOs must build a strong partnership with their supervisors to ensure that critical information security issues reach institutional senior leadership. Many CIOs and other leaders are great advocates for their CISOs when they serve as an effective conduit to the president and/or board. But if the message is getting lost or diluted before it reaches institutional decision-makers, it may be time to strengthen that communication path. CISOs should collaborate with the reporting line leader to elevate information security at the executive level and consistently demonstrate the value an information security program brings to managing institutional risk.
Earn Credibility, Gain Influence
When CISOs struggle to gain traction with institutional leaders or direct supervisors, it is often helpful to go back to the basics. This begins with aligning the information security strategy with institutional priorities and then consistently delivering on the goals set for the information security program. From that foundation, CISOs can focus on building relationships with colleagues and peers.
CISOs need to get comfortable with sharing program success stories with leaders and peers. So much of what CISOs and their teams do (and what they prevent from happening) takes place behind the scenes. While humility is important, it’s essential to showcase the value that the information security programs bring to the institution. Highlighting the team behind the program is equally important. CISOs must create opportunities for their teams to interact and work with other departments on common efforts. This builds appreciation for the security team’s contributions across campus while also demonstrating the expertise and insights they bring to achieving institutional goals.
As the information security program earns credibility, CISOs can further their influence by bringing together leaders from across campus to tackle security questions. One way to do this is through information security governance work. Consider establishing a cross-functional team of leaders with authority from across the institution (think academics, research, athletics, compliance, student life, and other areas), and collaborate with that group to surface issues, develop policies, and create buy-in.
Preparing to Lead During Crises
Security incidents are going to happen. No CISO escapes unscathed. The first time an incident occurs and institutional leaders turn to the CISO for answers can be extremely nerve-racking. Early preparation is key to navigating these moments with confidence and can help establish the CISO’s credibility and influence.
As leaders of the information security function, CISOs will guide their teams and campuses through many incident response preparedness exercises and training sessions. Conducting a personal version of these drills can be equally valuable. They should ask themselves questions such as:
- When the time comes for me to lead through a crisis, how will I respond?
- What steps will I need to take to ensure my team can act quickly and that I can reassure the campus community?
- What potential pitfalls can I predict and how will I avoid them?
This type of thought exercise can help CISOs anticipate challenges and stay calm in times of turmoil.
During a crisis, CISOs’ ability to stay composed, read the room, and respond with empathy is their most important asset. CISOs need to be steadfast leaders who keep their teams grounded. It’s important to think about the messages and information stakeholders need to receive and communicate them clearly. How CISOs handle moments of chaos will enhance the influence they wield during times of stability.
Translate Facts and Data into Stories
Being persuasive, especially in higher education, hinges on a leader’s ability to tell stories that capture the attention and emotional investment of their audience. While there are likely mountains of data upon which a campus security strategy is built, leading with that data won’t get CISOs where they want to go when speaking with institutional leadership.
Instead, CISOs must pivot to telling stories that will resonate with their audiences. That may be research funding, student safety, institutional reputation, or something else. For instance, when trying to gain support for institutional investment in a new security tool, CISOs shouldn’t start with an overview of the threat landscape. They’ll likely be more successful by invoking a story about a student who got scammed or a peer institution whose security mishaps earned them bad press. Using a narrative supported by data to make the problem real, and then presenting the request as a necessary solution, is a much stronger approach.
Build Confidence Through Connection
Being a CISO is a complex role, but it doesn’t have to be an isolating one . Engaging with fellow CISOs provides opportunities to share insights, collaborate on challenges, and support one another through the unique demands of the role. We love the community of CISOs with whom we’ve connected through EDUCAUSE, and we highly recommend tapping into the resources available there. CISOs can also find local or regional groups where peers share information and swap stories from the field . Building connections and opportunities for collaboration is a great way for CISOs to become more confident and influential leaders.
Looking for the condensed version? Here’s what we think are the most important components of becoming an influential leader as a CISO:
Key Takeaways
- Gain trust and develop the ability to influence decision-making (this matters more than who the CISO reports to).
- Focus on results and collaboration, and share security program successes to build credibility.
- Make a personal plan for handling the next security crisis, and demonstrate the security team’s expertise by how it leads the institution through crises.
- Focus on what the audience cares about and tell stories that matter to them rather than just relying on data.
- Get involved in peer networks through local or national organizations, like EDUCAUSE.
This post is the second in our “Empowering the Modern CISO” series and was co-authored by Senior Principal and Partner Joanna Lyn Grama, JD, CISSP, who works with clients to examine and improve their technology governance, compliance, information security, and data privacy programs; and Senior Strategic Consultant Valerie Vogel, who advises clients on information security program development, information security and privacy awareness programs, and IT organizational assessments.
Need Help?
Our team of higher education experts is available to facilitate strategic planning and other services with your organization.