As a Corporate Vice President and Deputy CISO leading much of cyber security for NCR Voyix, I’m entrusted with protecting the #1 digital commerce platform used by retailers, restaurants, and financial institutions, the work of 15,000 employees — and our trusted, 140-year-old brand. I wanted to share the biggest lessons I’ve learned (sometimes the hard way) over my own 30-year career: What you do matters, but how you do it matters even more.
Cyber security professionals need the requisite training and certifications; but, a servant-leader mindset helps you deliver more value and grow your influence beyond the cyber security team. For example, a recent Gartner survey found that more than two-thirds (65%) of top-performing CISOs primarily build relationships with senior-decision makers outside of the context of projects. High-performing CISOs also regularly meet with three times as many non-IT stakeholders (e.g., sales/marketing, business unit leaders) compared to IT stakeholders.
For me, successfully aligning cyber security with business outcomes starts with a human-centric approach. Here are five practical ways security leaders can advance a service mindset:
1. Leave your ego behind. Our executive director of product management for Digital Banking recently shared how banks and credit unions increasingly prioritize “ways to incorporate more empathy and personalization” into digital experiences, to help drive consumer loyalty. Just as building digital experiences requires focusing on each step of the human experience, securing those experiences requires empathy for the people your business serves.
I’ve been in cyber security for 25 years and held roles in systems engineering, architecture, and consulting for even longer. But, long before that, I worked my way at a hotel from bellhop to manager, where I learned how to listen, solve problems calmly, and that attention to the details mattered. Well-rounded, service-oriented experiences have helped me be a more effective security leader.
If you haven’t already, expand your own knowledge beyond the security domain. Get to know your business: Learn from people working on the front lines of customer service or in the back office. Do a “ride along” or a job rotation so you can understand and empathize with their challenges and job pressures. A broader perspective will ultimately help you more effectively develop and communicate why cyber security is so important to your many stakeholders.
Attackers think outside the box. You should, too. Can someone who most recently managed a tire shop become a great security analyst? In my experience, yes! With the right training and mentoring, their ability to calmly resolve high-stress customer situations makes them unflappable at fighting sophisticated attacks, too.
Welcoming diverse educational backgrounds can also improve talent retention and cyber security team performance. Look beyond traditional hiring pathways and consider people who stepped off the four-year college track, took an alternative career path, want a career change, or who are returning to a career after a break. You will find people who have strong motivation to learn, proven problem-solving skills, and the grit to succeed.
2. Put people before tasks—every time. There’s always a lot to do. But, if you laser-focus on tasks, your relationships become transactional and impersonal. Being real and genuine is critical to building trust in any relationship. Actively listen to your team, peers, and stakeholders. Take the time to understand the other person’s perspective. Be curious about them.
Creating and mentoring an inclusive team has its own reward, as it often seems that I learn as much as they do, which helps me be a more effective leader.
As Steven Spear, co-author of ‘Wiring the Winning Organization’ shares, without the right organizational mindset, employees won’t have the opportunities to solve problems. High-velocity organizations have management systems that free people’s minds — “individually and through collective, creative collaboration — to tackle super hard problems.”
People will listen to you after they feel heard. Teams that know and trust each other are more engaged, more motivated, and ultimately more effective.
3. Be transparent and over-communicate. The National Institute of Standards and Technology (NIST) wrote in 2023:
“Many of our conversations about connected products focus on connectivity in the technical sense (protocols, algorithms, etc.). Promoting trust among participants in the ecosystem and reducing the cybersecurity risks associated with using these products relies on a different type of communication: open dialogue and sharing information."
Within my team, sharing information means speaking the truth—even when it’s uncomfortable. Whether you are junior or senior, if you don’t think a particular security approach will work, it is your obligation to say something. Transparency builds trust, and that allows you to uncover and address potential threats, incidents, and problems faster.
Ask for feedback from others (and take it). Honest feedback is a gift. In my experience, everyone makes mistakes, but it’s how you react and recover from those mistakes that really matter. Stay humble and do the right thing.
4. Have a bias for action. Cyber security at NCR Voyix is large and complex—and constantly changing. But my teams don’t get bogged down. It’s important to focus on what we can control within our organization—and then take action.
Don’t wait until you have a perfect solution to a problem. Maybe you are only 60% or 70% of the way there, but make a decision and get started. You can incorporate missing information and make iterative improvements. Whether as an individual or as a team, it’s critical to always finish what you started—and finish on time. This builds trust both at the individual and team level.
“Low trust slows everything—every decision, every communication, and every relationship.” -Stephen M.R. Covey, The SPEED of Trust: The One Thing that Changes Everything
You never know when you will need to draw on that trust. For example, when there are security flare-ups, you must move quickly and delegate tasks in all directions. The team is much more effective and achieves better outcomes with less stress, when the people that make up the team know they can lean on each other because the individuals on that team consistently deliver on their commitments.
5. Remember (and remind your teams) how cyber security boosts business outcomes. As CISOs become more business-focused, rather than internally focused, they are under greater pressure to show ROI for their technology investments, which can be very difficult to prove.
However, you can reframe the discussion around the value of being a good steward of the business. Accenture reports that organizations that align cyber security with business objectives are 18% “more likely to drive revenue growth, expand market share and enhance customer satisfaction and employee productivity.”
Bring your business stakeholders along with the “why” of cyber security to give them the understanding to move forward. Are business disruptions rising due to unprotected attack surfaces? Are bad bots threatening legitimate customer transactions?
Remind everyone of the business problems cyber security solves. No matter what your role is or where you work, people want to be recognized as delivering value.
A service-oriented mindset can make you more effective whether you are early career or an experienced CISO. When you have transparency, inclusivity, and confidence in the business value your team delivers, there are no limits to what you — and your team — can achieve.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Check out Cloudflare’s ROI calculator to estimate the potential benefits of strengthening security everywhere you do business.
Start calculating!Paul Farley — @allaboutrisk
Corporate Vice President & Deputy CISO
NCR Voyix
After reading this article you will be able to understand:
How a service-oriented mindset can help safeguard the business
5 recommendations for leading high-performing cyber security teams
The importance of communicating strategic business outcomes