How do you “read between the lines” when engaging stakeholders to better understand their needs or concerns? How can a CISO navigate those conversations to surface what might otherwise be left unsaid?

CISO in Energy and Utilities, 10 months ago

Over my 27 years in this field, one of the essential secrets to my success has been starting conversations without mentioning cybersecurity. When I first meet someone, I focus on understanding the organization and its people. I intend to make a difference, which begins with building genuine relationships with senior executives, often over a simple coffee or lunch. It takes a blend of IQ, EQ (emotional intelligence), and SQ (social intelligence) to truly listen and grasp their challenges—almost like conducting an interview to unearth the pain points and risks they see in their business units. This approach sets the foundation for meaningful change.

It's an unconventional approach for cybersecurity professionals, who have traditionally been deeply technical and less inclined to engage in these conversations. However, understanding how I can genuinely help and uncover unique solutions from a customer's perspective is crucial. For example, in one multinational company, I identified that executives were juggling 27 different accounts with cumbersome password processes. We streamlined their workflow by eliminating passwords and introducing smart cards with PIN numbers and SSO—a game-changer for daily operations.

As a CISO, avoiding technical jargon and acronyms when communicating with stakeholders is critical. My quarterly CISO reports are entirely business-focused and free of any technical mumbo jumbo, which is why they resonate so well with the board. This approach enhances understanding and sparks healthy competition and synergy within the organization, as different business units strive to improve based on the actionable feedback they receive.

CIO in Education, a year ago

I'd suggest that if you aren't already, change the way you're listening to feedback or input. Listen for potential mismatches between what your stakeholders are saying, and how they say it, then ask clarifying questions to dig deeper into the statements being made.

Try to identify pain points by listening for feedback that illustrates frustrations, obstacles, roadblocks, challenges etc. Probe further if possible, to try to understand root causes and impact of the frustrations being experienced. Empathise with the situation and listen to learn/understand, not to rebut.

Try to align expectations by having regular check-ins with your stakeholders (particularly those whose needs you're still trying to surface). Follow up the conversations with email summaries of what was discussed, what was agreed upon, etc. to ensure clear communication and to avoid misunderstandings.

Establishing trust and building a rapport with your stakeholders helps to encourage open communication. Avoid being defensive about concerns raised to you - remember you're trying to surface these needs and concerns with a view to resolving them. Collaborate to find a mutually agreeable way to address underlying issues. Also, ensure you always follow up promptly to show responsiveness and accountability.

CISO in Software, a year ago

It is important to provide a safe place where people are open, honest and transparent to work through challenges. It should always be like an RCA or post-mortem where there is no blame, no hiding and only focused on how to improve.
