Everyone I’m speaking with in security at the moment is going through some kind of an uplift, transformation, or major program (e.g., Zero Trust). As someone who’s had to kick off and lead large transformations in large, bureaucratic organizations, I know exactly the challenges involved. They are mostly internal and political (I use the P word a lot in this research). So this research was almost cathartic for me. I spoke with many CISOs, change managers, executive coaches, C-level executives from other disciplines (business, risk, IT), and people from various other disciplines.

Are CISOs prepared for implementing the necessary large-scale (nontechnology) change? I don’t think we are. We’re bombarded with tactical requests; not everyone in the org loves the security team; security folk generally hate the idea of politics and avoid it at all costs; and a lot of detractors come out of the woodwork when change occurs.

How do you navigate your way through large organizations to create change? In this research, I write about the 3 P’s: people, process, and politics. Remember that everything comes down to human interactions, and human interaction is inherently political. So if I can leave you with anything that came out of this research: Learn how to be political with transparency and integrity.

Forrester clients can read this research here. Some of my key takeaways:

  • Work with your supporters and manage your detractors. This will require you, as a leader, to identify the key players in your organization, do the groundwork, and turn feedback and criticisms into a solution rather than an offense. I have a couple of handy graphics about key player types and how to work with and influence them.
  • Embrace politics. Yep, easier said than done, especially when we all have such a horrible image of what “being political” means. Yet I have learned from experience and research that politics doesn’t have to be a dirty word. Many leaders I spoke with said that it’s simply an opportunity to understand and engage. In this research, I give a couple of nuggets for how to be political with integrity.
  • Commit to being a leader of change. That’s job No. 1; being a technician is a distant second. This means that there are skills that you need to build and amplify, such as public speaking, negotiation, and communication skills. It also means homing in on the fact that you’re a people leader and need to reach everyone, from the CEO to your SOC analysts.
  • Manage your mental health to avoid burnout. All leaders experience stress, which they need to manage. I will be doing a lot more research on this topic this coming year. This report only scratches the surface, but I wanted to note it as a hugely important part of managing change.
  • Recruit change management skills. It amazes me how many security programs still lack change managers. And we wonder why projects and programs aren’t successful! This is not an optional skill — but neither is it one that most of us have.

Finally, I’ll leave you with my favorite quote from one of my interviewees: “For me, politics is an opportunity. If you understand what people are actually saying as part of raising their comments and take that as an opportunity to turn their concern into a solution, it becomes a different conversation.”