CISOs frequently talk to us about the challenges they face dealing with corporate politics. They’re trying to make their organizations more secure, but no one will get out of their way and let them do their job. Every initiative becomes a battle, making progress difficult.
Anyone who has worked in cybersecurity will recognize that story. Cybersecurity teams face an uphill battle in just about everything they do.
However, if corporate politics is the problem, then it’s also the solution. The only way to fix corporate politics is with more corporate politics. That, I’d argue, is where CISOs and cybersecurity teams really struggle.
Playing Politics
If you’re going to play corporate politics, which you should, the first thing to know is that it’s all about what you’re willing to lose. Sometimes you’ll find yourself in a zero-sum game. No one can win every time, and especially not the IT department. You have to know what you’re willing to give up.
You also need to figure out what really matters to you. What do you want to win? Again, it can’t be everything, because you won’t win everything.
From there, it’s about trading. Trade your losses for your wins. Make deals. Figure out what you can give up to other people in exchange for what matters the most. And then go make those trades.
Lastly, look for opportunities where outcomes don't necessarily involve winners or losers. What can you do for other teams and departments to make them happy without causing a problem? Go do that, too. Go buy political capital for yourself.
You might object that you shouldn’t have to compromise on cybersecurity, but the reality is that everyone has to compromise. Cybersecurity is no exception. Your effectiveness depends on your ability to make those compromises wisely. Don’t compromise on the things that matter, but on the things that don’t.
Friendly Security Awareness is Political Capital
The fact that cybersecurity teams are bad at corporate politics is extremely clear when you look at security awareness training. Security awareness training impacts everyone in the company, so it’s a great opportunity to either make friends or enemies. The stakes are also fairly low, at least relative to something like mandatory MFA or strict access control. Security awareness training is therefore a great opportunity for IT departments to win some good will.
And yet, they usually don’t. When CISOs hear me say that I built Pistachio first and foremost for end users, not IT admins, they have a moment of repulsion. The mere idea of focusing on user experience as a primary value driver is foreign to them.
In some ways I get it. Security awareness is a rare case where IT will usually get its way. Most companies will agree that people just have to do it, and will tolerate hostile policies as long as they don’t get out of hand.
But instead of flexing their power, CISOs should use security awareness to demonstrate that they care about internal users. Design programs that integrate seamlessly into employees' work routines. Shift the focus from punishment to creating a positive experience with security awareness.
Doing so will win political favor, or at least build trust from the rest of the company. And what does it cost? Nothing. Building a security program that respects people’s time, a program people actually like, is better for everyone. It’s a great opportunity to play a political game without giving up what matters.