As a cybersecurity leader with over 12 years in the trenches, I've learned a hard truth: our ability to influence often trumps our technical prowess. In many organizations, we're not the ones calling the shots. We don't have direct authority over the teams whose buy-in we desperately need. So how do we drive change and make an impact? Let me share five battle-tested strategies I've used to influence without authority in the wild world of cybersecurity.
1. Build Trust Through Radical Transparency
Look, I get it. As security professionals, we're often seen as the "Department of No" - the folks who make everyone's jobs harder. To break through this perception, we need to be radically transparent about our motivations, challenges, and yes, even our failures.
I'll never forget the time I royally screwed up early in my career. I was pushing hard for a new data loss prevention (DLP) system. I thought I had all the answers, but I failed to involve key stakeholders early on. The result? A complete disaster. The system disrupted workflows, generated false positives left and right, and tanked trust in the security team.
Instead of trying to save face, I owned up to my mistakes. I called a meeting with department heads, laid out where I went wrong, and asked for their help in finding a better solution. This vulnerability opened the door to real collaboration. We ended up with a much more effective and widely accepted DLP implementation.
2. Become a Master Storyteller
Data and technical details are our bread and butter, but let's face it - they rarely move people to action. Stories, on the other hand, can change hearts and minds. As cybersecurity leaders, we need to become adept at translating complex security concepts into compelling narratives.
One of my go-to stories is the "Crown Jewels" analogy. I ask executives to imagine their most valuable data assets as crown jewels in a museum. Then we walk through the various security measures in place - the walls, alarms, guards, etc. This provides a tangible framework for discussing cybersecurity strategy and investments.
But don't just rely on analogies. Real-world case studies of security breaches and their consequences can be incredibly powerful. I often share anonymized stories from my network about companies that suffered major breaches. These tales can be a wake-up call for complacent organizations.
3. Cultivate a Network of Security Champions
Here's the thing: you can't be everywhere at once, and you can't influence everyone directly. That's why it's crucial to build a network of security champions throughout the organization. These are individuals in various departments who understand and advocate for good security practices.
In my experience, the most effective security champions aren't necessarily the most technical people. They're the ones who are well-respected in their teams and have a knack for communication. Your job is to equip them with knowledge, support them, and empower them to be your voice when you're not in the room.
Now, here's a controversial opinion: I believe every cybersecurity leader should spend at least 20% of their time on champion development. This might seem like a lot, but the force multiplier effect is enormous. When security becomes part of the culture, driven by peers rather than imposed from above, that's when real change happens.
4. Leverage the Power of Reciprocity
Human beings are hardwired to reciprocate. If someone does us a favor, we feel compelled to return it. As cybersecurity leaders, we can use this principle ethically to build influence.
Look for opportunities to help others achieve their goals, even if it's not directly related to security. Can you use your technical skills to automate a tedious process for the marketing team? Can you share insights from your threat intelligence that might help the product team build a better feature?
I once spent a week helping our sales team build a more secure demo environment. It wasn't strictly part of my job, but it solved a real pain point for them. Months later, when I needed their support for a major security initiative, they were eager to help. The goodwill I had built paid off in spades.
5. Frame Security in Terms of Business Outcomes
Too often, we frame security in terms of risk mitigation or compliance. While these are important, they don't always resonate with business leaders focused on growth and innovation. To truly influence without authority, we need to align our security goals with broader business outcomes.
For example, instead of talking about reducing the risk of a data breach, frame it in terms of protecting customer trust and brand reputation. Instead of focusing on compliance requirements, emphasize how strong security practices can be a competitive differentiator in the market.
I once worked with a company that was hesitant to invest in a comprehensive security program (as most are). Rather than hammering on risks and threats, I helped them see how a robust security posture could open up new market opportunities. We positioned security as an enabler of innovation, allowing the company to handle more sensitive data and take on higher-value clients. This reframing turned security from a cost center to a revenue driver in the eyes of leadership.
Putting It All Together
Influencing without authority requires a mix of emotional intelligence, strategic thinking, and persistent effort. By building trust, telling compelling stories, cultivating champions, leveraging reciprocity, and aligning with business outcomes, you can drive significant change even without formal authority.
Influence is not about manipulation or forcing your will on others - never try to do this. It's about creating a shared vision of a more secure future and inspiring others to join you in making it a reality.
I'd love to hear your thoughts and experiences. Have you used any of these strategies in your organization? What other methods have you found effective for influencing without authority in the cybersecurity realm? Share your insights in the comments below!