The Role of Negotiation in Cybersecurity Leadership
Why good negotiation skills are critical for enterprise security leadership
This article was written to supplement Dr. Amoroso's course Enterprise Security Leadership: Negotiation Skills for Cyber Leaders.
For decades, cybersecurity was purely the domain of the IT department. Measures to protect an organization against cyberthreats were viewed almost entirely from a technical perspective. For everyone else, cybersecurity knowledge barely extended beyond the belief that antivirus software was the be-all and end-all of digital safety.
In those times, the role of chief information security officer (CISO) didn’t exist. But that’s all changed over the past fifteen years. Today, almost every enterprise has a security executive who oversees the corporate culture, strategy, and measures applied to ensure information assets and technologies are suitably protected.
Today’s CISOs are leaders of digital transformation. No longer the department of ‘no’, they’re enablers of innovation and, like any leadership role, it’s more about people than technology. That’s why soft skills like communication abilities, empathy, teamwork, and strong leadership are now essential to the role. After all, people, rather than technology, are the first and last line of defense when it comes to good digital security hygiene. Moreover, that applies to everyone in the organization no matter their positions and responsibilities.
To become enablers of change, cybersecurity leaders also need to be masters of negotiation. They need to lead by example and hold close ties with every department across the enterprise. This approach will enable them to achieve win-win agreements when it comes to applying new cybersecurity measures and empowering innovation without adding risk.
How negotiation transcends pure logic
It’s easy to think of negotiation from the point of view of pure logic. However, if both sides are trying to negotiate from strength alone, there’s no scope for bargaining. In the case of digital security, a CISO could approach the board with a logical argument backed up by rock-solid statistics and studies tackling the dangers of, say, social engineering attacks. But the problem with this approach is that everyone else then starts thinking there’s a huge divide between the needs of the business and what the CISO wants. All too often, these two factors fail to align.
The most important part of any modern CISO’s job is communication. Of course, the need for technical expertise is a given, but these hard skills are widely viewed as replaceable. However, being a strong leader who can earn a place in the board room is not. To become a leader, you need to develop a personal negotiating skill that helps you bridge the communications divide between cybersecurity and a multitude of other parties. These include funding sources, peer managers, end users, auditors, technology vendors, industry regulators and, sometimes, even malicious actors themselves.
Cybersecurity leadership typically comes from one of three directions. Firstly, there are those with a more technical-minded view, who are adept at solving problems themselves. Secondly, there are people who favor teamwork above all else. Finally, there are others who are motivated by doing the right thing in the name of justice and compliance. All of these approaches have one thing in common – they rely heavily on laying out logic to earn support for their projects. It’s important to compensate for this by developing a negotiation style that complements your personality.
Know what you’re trying to accomplish
There are two key approaches to negotiation – caring deeply and not caring too much. Neither approach is necessarily better than the other, depending on the situation. But, when it comes to cybersecurity, which is rooted in belief, caring deeply is part of the job. Any decent security leader believes that cybersecurity makes the world a better place. Yet that doesn’t mean he or she should be the person who says ‘no’.
CISOs are ultimately trying to accomplish one thing – to increase their business’s cyber risk maturity. The challenge lies in the fact that this often ends up clashing with the goals of other departments. For example, the marketing team might consider social media a critical part of their operations, while cybersecurity leaders might fear the numerous privacy and security concerns that come with it. Instead of saying ‘no’ to the marketing team’s use of social media, CISOs need to look at how the team can use it without adding risk to the organization.
Mitigating the risk social media presents to the company might, for example, involve creating acceptable use policies and enforcing them using technical measures like data loss prevention and account-level monitoring. In this scenario, the CISO needs to garner an understanding of the needs and challenges of the marketing team and match their solutions accordingly. Thus, the question isn’t about yes or no, but rather how.
Understanding both the worst- and best-case scenarios the person you’re negotiating with is facing is essential for finding the agreement zone. In this case, the best-case scenario for marketing is to continue using social media. On the other hand, the worst-case scenario for them would be to lose an asset that’s probably critical for customer interaction. A CISO’s job is to help them achieve the best-case scenario possible without increasing the cybersecurity risk. In other words, it’s not a competition, but about finding a win-win scenario.
The first rule of negotiations
Anything can be negotiated to some degree, even when it comes to cybersecurity. That’s because things like security audit decisions and investments all consist of a lot of moving parts. As such, there’s always some scope for compromise. Even if you shouldn’t compromise on cybersecurity itself, there are factors like timing and even the words that go into audits and policies themselves, where there’s almost invariably some space to maneuver. Naturally, that’s a lot easier to do when you understand the unique needs and challenges of the people you’re negotiating with. With this approach, negotiations become less about winners or losers and more about achieving a win for all parties involved.