Relationship Management for the InfoSec Program
A key part of any security leader's role is relationship management. In my experience this is another one of those leadership skills that people seem to fall back on instinct a lot of the time. However, as I suspect many of you have figured out, this leadership and managerial skill is something that can be developed with intent and practice.
This is not just important for the execution of your objectives but is also crucial for career and professional development within your own organization, your own sector or the professional community at large.
Sometimes you hear the lament of the talented but occasionally stuck that to get on in a career, “it’s not what you know it’s who you know”, but the right way to think about this is, “it’s who you know because of what you know”. The corollary to this is that it is also dependent on the time you took to share what you know in the right places at the right times in the right way to connect with people. Just like the other parts of our programs this is not something you learn and then become magically good at, rather, it is the case that you get good by consistently doing some specific things. Here are some of those things:
1. Adopt your own CRM
Just like businesses maintain a customer relationship management system to record customer interactions, sustain a relationship and stimulate opportunities then you can also do this for the “customers” or stakeholders of your program. Keep a log of the different key relationships to maintain and what is important to them and for you to keep them on track. Differentiate between degrees of connectedness, for example: one mnemonic is 10 tight / 25 right / 100 light. In other words, maintain extremely close almost continuous contact and support for about 10 people, sustain regular contact and check-ins with another 25 and then keep in some sort of contact, like an occasional check-in or email with about another 100 people. These people could be in your organization, your sector or profession or some other group. Of course, you could make this work with the right system at another scale like 20 / 50 / 200, but in my experience 10 / 25 / 100 is already pushing it. You also need to periodically change who is in what category, for example the leader of a business or product launch you are working with may need constant contact for the life of that project but when done less contact is needed and that time and focus can be reallocated.
2. Build an Alignment Matrix
Your team gets to work with many other teams in an organization (and beyond). One of the good things about the InfoSec role is the connectedness it brings across the organization, but with that comes the risk that the team is spread too thin and can be unfocused. So it is useful to maintain an alignment chart, for example (in this case for control teams, you could have multiple of these for business units and so on):
This forces you to think of the key activities you are involved in and which other teams you work with. For each cell in the matrix you can decide the extent of the activity and whether for now you even want to engage on that. In the beginning this might be a very sparse matrix. It is important for the especially critical intersections of activity to assign responsibility to members of your team to own that activity and relationships.
3. Show Up
This is a tricky one and is highly culturally dependent. There is good advise to try and avoid meetings that aren’t directly relevant to you and that you can easily skip. But don’t take this too far and be too dogmatic. Often a key part of relationship building is turning up (virtually or physically) and showing you care enough to prioritize being focused on someone’s critical project. Additionally, you can turn up and contribute beyond your immediate responsibilities which further develops relationships you will need at some point.
4. Soft Yes and Fast Quit vs. Hell, Yes or No
But when showing up also follow the Soft Yes and Fast Quit rule.
Prepare for meetings, interactions, and activities. There are the obvious things to prepare for, like major presentations, customer or leadership interactions. It is also important to prepare for every other moment, whether it’s a 1-1, staff meeting, routine product meeting or any other of your commitments. It is even important to prepare for a phone call you are about to make or an email you are about to send by spending a few seconds to set your intent and frame your approach. This is a useful attitudinal pause that with time you can almost do in a blink.
Seek to connect with people, projects and teams. This can be hard for those of us who are more naturally introverted, but doing this shouldn’t be left to natural extroverts. Everyone needs to reap the benefits from building a network of "weak" ties that can later be made stronger. To do this you need to do a least 2 things:
Form a plan of which teams or people you want to be closer to and determine how to engage with them. This could actually be just asking them for a briefing because you’re interested in what they do.
Opportunistically offer up support or ideas. Once you’ve primed yourself to want to connect more deeply with someone or a team you’ll be surprised how quickly you come across some means or topic to do exactly that.
7. Take a Genuine Interest in Things / Be Curious
You can't be an expert in everything, but you can develop the knowledge of how everything fits together. Deliberately developing a curiosity around topics you don't understand to build that scaffolding of a wider knowledge about a particular domain is crucial. This is a catalyst for engaging with other people and teams and to strengthen those relationships. If you don't naturally have a habit for doing this then you can develop some specific triggers that cause you to go looking. One of my favorites is to look at situations you are frustrated with, say, a team or product that just can't seem to get issues resolved quickly enough. Instead of assuming you understand why and still being frustrated, actually go digging - really digging deep - to understand their area, product, issues, and dependencies. Then, invariably, you learn the actual issues, where you can help and then you have a better chance to make a difference as well as build deeper relationships with that team. Always follow the Other Person's Viewpoint rule.
8. Be Informed about your Business
Many people have a surface level of understanding about the products and services their organization sells, or for non-commercial organizations the means of meeting their mission. It is amazing, though, how much foundational and sometimes subtle dynamics lay beneath that surface. When you understand those it is like pulling back a curtain of knowledge that elevates your ability to interact at a much deeper level with business or other colleagues. It gives you an ability to contextualize your risk findings, improve ways of embedding mitigation and enabling new ways of supporting your business and customers. You can do this in many ways, for example:
Go talk to people. Literally, asking someone to take 15 minutes to explain their business. Many business leaders at multiple levels have an innate insight into what drives their business and would love to explain it to you.
Read your companies 10-K, annual report, or similar filings. If you strip away the boiler-plate language in these things there is often the equivalent of a 10-20 page tutorial on exactly how the business works.
Read analyst reports on the industry you are in and how they view your company. Most investment banks have publicly available parts of their research. There's also a lot of research available if you have a brokerage account, and if you don't then remember you can open one for a relatively small balance requirement.
Look at where venture capital or private equity investment is going in your industry. These investors have massive networks and conduct extensive due diligence on what is going on in particular sectors. Not every specific investment reveals some insight but the macro-trends usually do and are often harbingers of shifts in your business sector you should be aware of.
Talk to your customers about that they think about your business.
Take some of your business training classes. Most organizations have on-line training for all of their businesses that are, maybe with a little bit of persuasion, open to all employees.
Join an employee affinity or other network. These are useful in and of themselves for their own mission but they also represent an opportunity to meet people from other parts of your organization that you might not normally interact with.
Bottom line: Relationship management is a crucial part of the InfoSec program. Don't think that people who are good at this are so because of some innate skill or personality trait. Some are, but relationship management and networking is a deliberate skill that can be acquired by doing certain activities consistently.