
Security Leadership Master Class 2 : Dealing with the board and other executives

  • Phil Venables
  • Oct 18
  • 4 min read

This is part 2 of a 7-part series that groups together a set of prior posts under a particular theme.

  1. Security Leadership Master Class 1 : Leveling up your leadership

  2. Security Leadership Master Class 2 : Dealing with the board and other executives

  3. Security Leadership Master Class 3 : Building a security program

  4. Security Leadership Master Class 4 : Enhancing or refreshing a security program 

  5. Security Leadership Master Class 5 : Getting hired and doing hiring

  6. Security Leadership Master Class 6 : When disaster strikes

  7. Security Leadership Master Class 7 : Contrarian takes


In this post we’ll look at how to manage the relationships with the Board and other executives so that security intent becomes embedded in the fabric of the organization.


Boards should stop treating cybersecurity as a “dark art” and start asking fundamental business risk questions - and expecting good answers.

Relationship management for security leaders and teams is an intrinsic part of a successful security program. Most of what we do as security professionals is to figure out ways of getting other people to do what we need them to do for the good of our customers, our business, and in many cases for society overall. This requires an ability to manage up, manage across, to create tone at the top, get some buzz at the bottom and manage a whole lot of muddle in the middle. Being a great relationship manager might come naturally to you. But, I never found this natural and I’ve spent most of my career building tools and techniques to make myself effective, if not good, at many parts of this. 


The essential attributes for relationship management and in particular managing up to the Board and working with peer or other executive leaders are: 


  1. Embed Security Deeply into Enterprise Processes (Integration): Achieve widespread buy-in by diligently integrating security into the fabric of the organization's core processes, including strategy, budgeting, product development, technology lifecycle management, and personnel activities. This integration ensures security is built-in, not bolted-on, and elevates technology risk as a first-class business risk.

  2. Drive Business Line Ownership (Create Demand Pull): Secure executive commitment by moving accountability beyond the CISO. Encourage the CEO and Board to regularly expect business line executives and functional leaders to articulate their technology and cyber risks at an appropriate level, compelling them to "pull" help from the security team rather than requiring security to constantly "push" improvements.

  3. Frame Value Through Adjacent Benefits: Obtain support by demonstrating and actively seeking the adjacent commercial benefits that security controls provide, such as improving customer experience, enhancing developer productivity, enabling operations in new markets, or reducing costs, rather than focusing solely on avoided losses or risk reduction.

  4. Establish Quantitative Risk Limits and Thresholds: Define specific, measurable risk limits and thresholds (often using control adherence as a proxy) that require management escalation or action if crossed. Establishing these limits drives vigorous debates among management and the Board, clarifying resource allocation and defining acceptable risk tolerances necessary to sustain the program.

  5. Focus Board Conversations on Fundamental Risk: Guide Board discussions away from focusing exclusively on technical cyber details. Instead, focus on fundamental governance questions regarding the identification of the most critical assets and business processes, the risks they face, the effectiveness of mitigation controls, continuous monitoring, and who has deemed the residual risk acceptable.

  6. De-Personalize Escalation and Seek Joint Solutions: Establish clear, mandated escalation thresholds and processes so that escalation becomes a procedural requirement rather than an individual judgment, significantly contributing to psychological safety. When escalating issues involving specific areas, engage in a direct conversation with the responsible leader and aim to escalate the issue (not perceived negligence) jointly, framing the escalation as a means to secure needed resources to resolve underlying root causes (e.g., conflicting priorities).

  7. Build a Broad Base of Support and Influence: Recognize that buy-in depends on influence, not just positional power. Systematically build a broad base of support—including key business peers, rising leaders, and the organization's "natural constituents" (like lead engineers or core business unit executives)—by being helpful, offering support opportunistically, and understanding their motivations.

  8. Collaborate and Present a Unified Executive Front: Secure long-term commitment by presenting jointly and collaboratively with CIO/CTO and other technology/business peers, demonstrating a unified approach. This is also supported by moving away from governance structures focused exclusively on cyber (like a "Cybersecurity Committee") and integrating discussions into broader risk management committees.

  9. Manage Relationships Deliberately and Systematically: Treat relationship management as an acquired leadership skill, not just instinct. Adopt a relationship management strategy (like a CRM) to track key stakeholders, their priorities, and plan engagement based on defined tiers of connectedness (e.g., 10 tight, 25 right, 100 light).

  10. Be Deeply Informed About the Business: Elevate interaction quality by moving beyond surface-level knowledge of the organization’s mission or products. Security leaders should educate themselves deeply about the business dynamics, customer pain points, and strategic filings (like 10-K reports) to better contextualize risk findings, integrate mitigation efforts, and enable new opportunities.


Here’s a short video (thanks to NotebookLM) covering all of this.


Here are the top 10 posts that cover various leadership topics:


© 2020 Philip Venables. 
