By Shira Landau, Editor-in-Chief

When assuming a new role, top CISOs continuously stay apprised of new threats and even proactively engage with emerging technologies. But even the most astute and technically talented of CISOs can bungle this one thing…

While CISOs often approach new roles with a deep understanding of external threats, they have traditionally underestimated the threats within their own perimeter.

We’re not talking about malicious insider threats here; rather, we’re referring to the lack of interest in, resistance to and, sometimes, blatant dismissal of cyber security concerns among staff.

One of the biggest challenges for CISOs in a new role is navigating the delicate network of internal relationships and existing organizational mindsets surrounding cyber security.

Navigating (social) networks

For some enterprises, continuous operational evolution is the normal state of business. In other words, the expectation is that things will change in the interest of improvement and stronger business results.

However, even in growth-friendly, future-looking environments, change cannot be forced; it must be approached in a way that authentically shows that change is in employees’ best interests.

The T-word

Another pervasive element undermining engagement around cyber security is a lack of employee trust in the change manager and in the changes themselves.

To present an analogy, you wouldn’t blindly follow someone through the Himalayas if you didn’t think that they knew where they were going. By the same measure, organizational staff won’t follow your lead if they can’t clearly see your competence.

Addressing the challenge

To excel in a new role, start by building bridges. Establish open lines of communication among key stakeholders, proactively engage with employees, and develop partnerships across business units.

In turn, you’ll be able to not only better align cyber security initiatives with existing expectations, but you’ll likely see a higher degree of acceptance and follow-through when it comes to new security department requests.

Becoming a student of culture

To achieve even a modicum of effectiveness when it comes to the ‘human element’ within security, new CISOs also need to spend time evaluating the organizational culture.

CISOs need to conduct informal analyses of nuances that are liable to make security initiatives either wildly successful or extremely sluggish.

After accumulating these insights, CISOs can develop approaches that align with existing expectations, modus operandi and cultural norms, and thus, are more likely to be well-received than otherwise.

Selling security

When you finally do move forward with policy, procedural or other security-related changes that affect a significant number of employees, remember to explain the ‘why’ and connect the endeavor to employees’ well-being and that of the organization.

For example, explain that new procedures contribute to a secure work environment and protect sensitive information (including all of the details that HR retains about each employee), safeguarding both personal and professional interests.

At the beginning of a new tenure, the biggest challenge for CISOs is arguably navigating the internal organizational landscape.

By sussing out organizational dynamics and observing the psychology behind them, CISOs can better address the ‘human element’ and security at large, enabling more effective management and mitigation of risks.

In cyber security, a CISO’s most effective ‘secret weapons’ may be establishing trust among stakeholders and employees, and ensuring that initiatives don’t come across as culturally insensitive or out-of-place.

For more CISO strategy insights, please see our past coverage. Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the newsletter.