GUEST ESSAY: The case for CISOs to lead through influencing behaviors

By M. Eric Johnson

How do you lead when you’re not in charge? Increasingly, managers are finding themselves in positions where they are asked to lead without having direct control.

Growing and shifting organizations often mean fewer managers with positional power. Matrixed organizations put managers in multiple leadership and follower roles. Major corporate initiatives like quality, security, diversity and sustainability often are led by managers with little direct authority.

In all of those situations, successful leaders must establish credibility, build trusted relationships, and persuade others to take action.

In any gathering of security executives, the conversation often turns to the challenges of leading without direct control. Yes, security executives can implement technologies that catch spam or blacklist malicious websites. But these kinds of initiatives only scratch the surface of building a secure organization.

In recent interviews with chief information security officers (CISOs), executives shared hints on how they lead through influence. Here are three themes that are useful for leaders in any area:

Stay positive. When trying to get organizations to change or react to a threat, it is easy to go negative. While it is important to communicate risks, there is a difference between illuminating risks and prophesying doom. A measured approach to risk will help build credibility and give others the confidence to make needed changes. An endless parade of fear eventually will lead to disbelief and inaction.

Think critically. Put yourself in the position of others. When you are leading an initiative like diversity or security, it is easy to fall into the trap of mono-thinking. To influence others, you have to understand and address the challenges faced by others and how everyone is working to achieve broader business goals. Considering alternative perspectives helps build trust. As Paul Connelly (VP and CISO of HCA Healthcare) noted, influence is about integration. Security solutions “have to work with our doctors and our nurses … they have to work from the business perspective.”

Do something. Influencing is not just persuading others to act. You have to take action yourself and help others take action. Charles Lebo (VP and CISO of Kindred Healthcare) noted the ever-present balancing act between building consensus and taking action. You may not have a perfect solution, but waiting for a bigger budget, more authority, or something else likely will lead to inaction across the organization. By demonstrating a willingness to roll up your sleeves and help others make small changes, you can influence the organization to take larger steps.

About the essayist: M. Eric Johnson is Dean of Vanderbilt University’s Owen Graduate School of Management.


 This article originally appeared on
