Have you ever taken on a CISO role where your predecessor didn’t collaborate well with business leaders? What tactics did you use to rehabilitate the security organization’s existing image so it’s no longer seen as the department of “no”?

CISO in Government, 3 months ago

Absolutely. I’ve stepped into roles where the security organization was viewed more as an obstacle than a partner. The first and most critical step I take is to open direct dialogue with all key stakeholders—right from the start. I focus on listening to their concerns, understanding their priorities, and framing cybersecurity as a business enabler rather than just a risk manager.

Education is another essential pillar. I work to make cybersecurity relatable by connecting it directly to what matters most to them: protecting products, safeguarding customer data, and preventing costly outages or disruptions. When people see that security protects their goals, the dynamic changes.

For project work across business units, I push to involve security as early as possible—during ideation, not just before go-live. This avoids last-minute blockers and instead positions the CISO team as a force multiplier that accelerates delivery and reduces downstream risk.

Close partnership with IT is absolutely non-negotiable. For example, when it comes to vulnerability remediation, I avoid overwhelming them with endless lists. Instead, I provide a focused “top 10–25” list each week—aligned to critical risks. This approach builds momentum, shows progress quickly, and turns security into a practical, achievable part of their work rather than an additional burden. Over time, we shift from fighting fires to optimizing best practices.

It’s also important to adapt to how IT and other teams prefer to collaborate. I’ve found a standing 15-minute huddle each Monday helps align priorities and surface issues early. I also embed security architects into Sprint Teams to provide real-time guidance and review outputs like SAST/DAST scans daily, ensuring security is built into delivery without slowing teams down.

Finally, one of the most important ways to rebuild trust is by improving the customer experience—securely. Our goal is never to simply say “no.” Instead, we work to find secure alternatives that allow the business to move forward safely and confidently. Security should be seen as a trusted advisor that enables innovation, not an obstacle to it.

Ultimately, it’s about showing that cybersecurity isn’t the department of "no"—we're the department of "how."

VP of Information Security in Education, 3 months ago

Hi there,

I would start by meeting with the stakeholders you are going to be working with. Ask them what some of the things were that your group does that were going well for the stakeholder, and what some of the things are that are not going so well.

I think the biggest thing you can do in any environment that you are starting new in is to get in front of the people you will be working with.  Having them hear your point of view, and allowing them to express what worked/didn't work, and tell you about successes or failures of your predecessor will be important for you moving forward.

Talk to your staff/boss about the same things, and then let the conversations go normally, and you will learn about people who are important to the organization, and you will get a lay of the politics as well.  You'll hear the same names over and over again.  Make sure you know who those people are, and meet with them as well.

For me, at my current job, I met with everyone who was on our departmental leadership team, who was on my interview panel, then with all my staff, and the people in the departments who help us with information security.

From my recent experience, people tend to be very open with new folks because they have no history with you, and if they are hoping for change, that will be the best time to influence someone.

Good luck, hope this helps

Sven

Chief Information Security Officer in Finance (non-banking), 3 months ago

As a CISO, your first critical step is to actively listen—not only to the members of your own department but also to colleagues across other departments. This early engagement will uncover valuable informal insights that are often missed in official reports.

Being new in the role works to your advantage—many employees will approach you to test your judgment by sharing their ideas or highlighting issues they felt previously overlooked. Treat this as an opportunity to map the real influence landscape.

In parallel, prioritize relationship-building. Regular visits to other departments, even informal ones—just a chat or a coffee—can resolve issues that the former CISO might have left untouched. These soft approaches often reveal more than structured meetings, and they help you establish trust quickly across the organization.
