Cybersecurity Leadership

5 Strategies for Cybersecurity Leaders to Influence Without Authority

Discover 5 powerful strategies for cybersecurity leaders to influence without authority. Learn how to build trust, tell compelling stories, cultivate champions, leverage reciprocity, and align security with business outcomes.

6 min read
Nikoloz Kokhreidze from Mandos: 5 Strategies for Cybersecurity Leaders to Influence Without Authority

As a cybersecurity leader with over 12 years in the trenches, I've learned a hard truth: our ability to influence often trumps our technical prowess. In many organizations, we're not the ones calling the shots. We don't have direct authority over the teams whose buy-in we desperately need. So how do we drive change and make an impact? Let me share five battle-tested strategies I've used to influence without authority in the wild world of cybersecurity.

1. Build Trust Through Radical Transparency

Look, I get it. As security professionals, we're often seen as the "Department of No" - the folks who make everyone's jobs harder. To break through this perception, we need to be radically transparent about our motivations, challenges, and yes, even our failures.

I'll never forget the time I royally screwed up early in my career. I was pushing hard for a new data loss prevention (DLP) system. I thought I had all the answers, but I failed to involve key stakeholders early on. The result? A complete disaster. The system disrupted workflows, generated false positives left and right, and tanked trust in the security team.

Instead of trying to save face, I owned up to my mistakes. I called a meeting with department heads, laid out where I went wrong, and asked for their help in finding a better solution. This vulnerability opened the door to real collaboration. We ended up with a much more effective and widely accepted DLP implementation.

💡
Key Takeaway: Don't be afraid to show your human side. Admit when you're wrong or unsure. People are more likely to trust and follow someone who's authentic and humble.

2. Become a Master Storyteller

Data and technical details are our bread and butter, but let's face it - they rarely move people to action. Stories, on the other hand, can change hearts and minds. As cybersecurity leaders, we need to become adept at translating complex security concepts into compelling narratives.

One of my go-to stories is the "Crown Jewels" analogy. I ask executives to imagine their most valuable data assets as crown jewels in a museum. Then we walk through the various security measures in place - the walls, alarms, guards, etc. This provides a tangible framework for discussing cybersecurity strategy and investments.

But don't just rely on analogies. Real-world case studies of security breaches and their consequences can be incredibly powerful. I often share anonymized stories from my network about companies that suffered major breaches. These tales can be a wake-up call for complacent organizations.

💡
Key Takeaway: Invest time in developing your storytelling skills. Collect and curate stories that illustrate key security principles and risks. Practice delivering these stories in a way that resonates with your audience.

3. Cultivate a Network of Security Champions

Here's the thing: you can't be everywhere at once, and you can't influence everyone directly. That's why it's crucial to build a network of security champions throughout the organization. These are individuals in various departments who understand and advocate for good security practices.

In my experience, the most effective security champions aren't necessarily the most technical people. They're the ones who are well-respected in their teams and have a knack for communication. Your job is to equip them with knowledge, support them, and empower them to be your voice when you're not in the room.

Now, here's a controversial opinion: I believe every cybersecurity leader should spend at least 20% of their time on champion development. This might seem like a lot, but the force multiplier effect is enormous. When security becomes part of the culture, driven by peers rather than imposed from above, that's when real change happens.

💡
Key Takeaway: Identify potential security champions in each department. Invest in their development and give them the tools to advocate for security within their teams.

4. Leverage the Power of Reciprocity

Human beings are hardwired to reciprocate. If someone does us a favor, we feel compelled to return it. As cybersecurity leaders, we can use this principle ethically to build influence.

Look for opportunities to help others achieve their goals, even if it's not directly related to security. Can you use your technical skills to automate a tedious process for the marketing team? Can you share insights from your threat intelligence that might help the product team build a better feature?

I once spent a week helping our sales team build a more secure demo environment. It wasn't strictly part of my job, but it solved a real pain point for them. Months later, when I needed their support for a major security initiative, they were eager to help. The goodwill I had built paid off in spades.

💡
Key Takeaway: Be generous with your time and expertise. Look for ways to help others succeed, and they'll be more likely to support your security initiatives when the time comes.

5. Frame Security in Terms of Business Outcomes

Too often, we frame security in terms of risk mitigation or compliance. While these are important, they don't always resonate with business leaders focused on growth and innovation. To truly influence without authority, we need to align our security goals with broader business outcomes.

For example, instead of talking about reducing the risk of a data breach, frame it in terms of protecting customer trust and brand reputation. Instead of focusing on compliance requirements, emphasize how strong security practices can be a competitive differentiator in the market.

I once worked with a company that was hesitant to invest in a comprehensive security program (as most are). Rather than hammering on risks and threats, I helped them see how a robust security posture could open up new market opportunities. We positioned security as an enabler of innovation, allowing the company to handle more sensitive data and take on higher-value clients. This reframing turned security from a cost center to a revenue driver in the eyes of leadership.

💡
Key Takeaway: Always tie your security initiatives back to business goals. Speak the language of growth, efficiency, and competitive advantage.

Putting It All Together

Influencing without authority requires a mix of emotional intelligence, strategic thinking, and persistent effort. By building trust, telling compelling stories, cultivating champions, leveraging reciprocity, and aligning with business outcomes, you can drive significant change even without formal authority.

Influence is not about manipulation or forcing your will on others - never try to do this. It's about creating a shared vision of a more secure future and inspiring others to join you in making it a reality.

I'd love to hear your thoughts and experiences. Have you used any of these strategies in your organization? What other methods have you found effective for influencing without authority in the cybersecurity realm? Share your insights in the comments below!

Share This Post

Check out these related posts

3 Critical Steps to Build an Intelligence-Led SOC

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 5 min read

Choosing a Security Operations Center: In-House, Hybrid, or Outsourced

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 14 min read

The Perils of Platform Dependence: Lessons from the Great CrowdStrike Meltdown

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read