Leading a cybersecurity organization is hard. You're not just responsible for security matters, despite what you were told in your interviews. You're expected to help enable the business, support sales and marketing efforts, be a good public representative, be a key component of any digital transformation efforts, and, of course, when you have spare time...protect those critical assets.
Today's CISOs find themselves at a crossroads where securing an organization and all those other sometimes unspoken responsibilities are equally imperative. After all, if an organization isn't successful, is there anything left worth securing? We've been talking as an industry for years now about how we are part of "the business" and not just some nuanced technology function. Isn't all this other stuff part of running the business, then?
This article delves into how CISOs can effectively engage with sales and marketing teams in their organizations, turning cybersecurity efforts into competitive advantages. All the while, this work positions itself as a pivotal contributor to business success. This is indeed a balancing act, and you don't get good at walking the tightrope without practice and study.
Understanding the Sales and Marketing Perspective
Sales and marketing teams are the engines driving business growth and customer engagement. Their primary goals revolve around increasing revenue, expanding market share, and building a strong brand reputation. They thrive on agility, innovation, and customer-centric strategies. For a CISO, appreciating these objectives is the first step in fostering a supportive relationship.
These teams often face intense pressures of meeting targets, adapting to market trends, and responding swiftly to customer needs. We talk about metrics in cyber, but these teams live and die by them, and this is not just for the most mature organizations. The fast-paced nature of their work can sometimes be at odds with the methodical approach of cybersecurity. Understanding these challenges is key to identifying how cybersecurity can be integrated without impeding their workflow.
Regular interactions with sales and marketing leaders can help the CISO stay attuned to their plans and challenges. This could be through joint meetings, collaborative projects, or informal catch-ups. Such engagement helps drive alignment, no matter what that needs to look like. You're also not just talking to each other when things are on fire or there's an urgent need.
Storytelling – Turning Security Into a Competitive Advantage
Storytelling in cybersecurity is more than recounting incidents; it’s about weaving a narrative that connects the dots between robust security measures and the tangible benefits they bring to customers and the business. For instance, a story about how your key investments in new technologies or services prevented a major data breach can resonate more effectively with clients than technical jargon.
Storytelling is powerful when it comes to showcasing to prospective clients how security works in your organization. It goes beyond having your SOC2 report handy. It goes beyond having technically accurate answers in all those pesky vendor security questionnaires.
You're building a narrative for someone on the outside to believe in and relate to. There are a lot of ways you can do this; here are some of my personal favorites:
- Invest in a public trust center web page where you can be open about where you are and capture details about not just security controls but the investments you're making, the team you're building, and your operating principles
- Instead of grading yourself on a compliant - yes/no scale, try to grade yourself on a maturity scale so you can showcase where you're going and why
- Use pictures, graphics, data, or anything more interesting than blocks of text to communicate
One of my all-time favorite tools in the storytelling process is something called Pip Decks. It's a deck of cards with actionable information about different story arcs and how to use them. These are an amazing desk resource when you're trying to craft a narrative - check them out for yourself.
Collaborative Strategies for CISOs and Sales and Marketing Teams
Collaboration starts with communication. Regular meetings and information-sharing sessions between the CISO and the sales/marketing teams can foster a mutual understanding of goals and challenges. For instance, a CISO can proactively contribute to sales strategies by providing insights into cybersecurity trends that can shape product development and marketing strategies. This approach not only ensures that security considerations are embedded in these strategies from the outset but also positions the CISO as a key player in driving business growth.
Some other key strategies include:
- Understanding Mutual Goals: Initiate discussions to understand the mutual objectives of both teams. While cybersecurity teams focus on safeguarding data and systems, sales teams aim to drive revenue and customer satisfaction. Finding common ground, such as the goal of enhancing customer trust through robust security, can be a starting point for collaboration.
- Regular Cross-Departmental Meetings: Establish a regular cadence of meetings between the cybersecurity and sales teams. These sessions can be used to discuss upcoming projects, potential security concerns related to new sales initiatives, and ways to incorporate security messaging into sales pitches.
- Educating Sales Teams: Cybersecurity teams should provide regular training and updates to the sales staff about the latest security measures and how they protect clients. This knowledge empowers sales teams to confidently address security queries from prospects and customers.
- Developing Joint Strategies: Work together to develop strategies where cybersecurity can be used as a selling point. This might include creating materials that highlight the organization's commitment to security, which can be used in sales proposals and presentations.
Balancing Security Needs and Business Growth
In the journey to secure your organization, it's crucial not to impede the agility that sales and marketing teams require for growth and innovation. CISOs must navigate this delicate balance, implementing security measures that safeguard the organization without stifling business opportunities. This balance involves deploying flexible, scalable security solutions that accommodate growth and change. As highlighted in a Harvard Business Review article, “Balancing Cybersecurity and Productivity,” it's about finding the sweet spot where security protocols and business efficiency coexist harmoniously.
Some of my favorite tips here are:
- Integrate Security with Business Objectives: Align cybersecurity strategies with business goals. This integration ensures that security measures support and do not hinder sales activities. Regularly review these strategies with business leaders to ensure alignment. There is an art to finding the connection between the work you're doing (or want to do) and a business objective, but when you start to connect the dots, it will be a significant value-add for your storytelling.
- Educate and Empower the Sales Team: Equip the sales team with the necessary knowledge to confidently discuss security measures with clients. This can include training sessions, easy-to-understand collateral, and regular updates on security developments. This goes beyond your basic phishing or security awareness training. Help them better understand what is happening at your business and why it matters to the end customers.
- Collaborative Risk Assessment: Involve sales teams (and others really) in risk assessment processes, particularly when launching new products or entering new markets. This collaborative approach ensures that security considerations are balanced with business opportunities.
Positioning Yourself as a Business Enabler
A CISO's role today is not just to develop and enforce security policies but to act as a catalyst for business success. This transition from a gatekeeper to an enabler involves understanding the business model, identifying how cybersecurity can add value, and communicating this effectively. By aligning security initiatives with business goals, CISOs can move cybersecurity from "just a cost center" place to a strategic asset that can drive competitive advantage and business growth. This concept is driven home throughout Michael Porter's Competitive Advantage, where he argues that strategic positioning can lead to sustainable competitive advantages.
If you're a CISO today or an aspiring CISO, you need to wear a lot of hats. You need to be comfortable balancing the needs of selling, embracing compliance, and, of course, thinking about securing your organization. Working with sales instead of against them is going to position you to thrive in this role. You will be able to move beyond the imaginary boundaries drawn in org charts and enable. But collaborating is going to stretch your soft skills in ways you probably never have had to deal with in an individual contributor or technically focused role. But ultimately, you're moving towards a place of enablement, so the juice is worth the squeeze.