CISO's perspective from the frontlines

CISOs and trust first principles

Trust first principles

Trust is the bedrock of any successful and healthy relationship. In organizations, it fosters collaboration, empowers team members, strengthens decision-making, and inspires confidence in leadership. Building trust takes time and consistent effort, but the rewards are a culture of transparency, accountability, and a workforce that is both motivated and secure. It is therefore critical for CISOs and security teams to master the art of developing relationships and trust. At the core of trust are first principles that serve as building blocks, which I will explore in this post.

What are First Principles?

First principles are the fundamental truths or basic building blocks of a system. They’re the unshakeable underlying elements that everything else is built on. In philosophy, these are propositions that we accept as true without needing justification. Science relies on them too, constantly questioning and testing our understanding of the world.

First Principles Thinking in Action

Imagine an artist creating a new painting. They don’t just follow a recipe; they understand the fundamentals of color, light, emotion, and expression. This allows them to experiment and create something truly unique. First Principles thinking works much the same way the artist creates something unique out of the basic building blocks.

Applying First Principles thinking usually includes the following steps:

  1. Identify the Problem: Clearly define the issue you’re trying to solve.
  2. Break it Down: What are the fundamental elements at play?
  3. Challenge Assumptions: Question everything you think you know about the problem.
  4. Rebuild from Scratch: Imagine you’re creating a solution from the ground up, using only the basic truths you identified.

What does it have to do with Trust?

Trust is personal, and the process of building trust varies for every individual, but the first principles of trust are the same, and by understanding them we can build trust more effectively. While I was exploring the topic of trust, the following concepts were repeatedly mentioned.

  1. Authenticity – We all have fears, doubts, and things that we think we need to hide (whether for the right or wrong reasons). Authenticity allows people to see the genuine person behind the mask. This genuineness fosters a sense of security and predictability, making people more likely to trust and rely on one another.
  2. Accountability – When someone is accountable, they take ownership of their actions and commitments. This means people can depend on them to follow through on their commitments. Accountability also fosters a sense of security and predictability, knowing someone will act as they say they will.
  3. Courage – Fear is probably the greatest trust inhibitor. Whether it is fear of rejection, disappointment, or exposure, it is part of our survival mechanism. Getting over that fear requires a great deal of courage: the courage to do the right thing even if it is not comfortable, or the courage to make the first step when building a relationship with someone you don’t know. It is often the first step in building trust.
  4. Empathy – Empathy allows you to see things from another person’s point of view. This means understanding their needs, concerns, and motivations. In essence, empathy allows you to connect with people on a deeper level. By demonstrating empathy, you create a space where people feel valued, understood, and respected, ultimately leading to more trusting and collaborative relationships. Here is a little trick: empathy is about what you do for others, and all you need to do is simply show up!
  5. Integrity – Integrity signifies a strong moral compass and unwavering commitment to ethical principles. It embodies the core values we look for in trustworthy individuals, and demonstrates a commitment to doing the right thing, even when it’s difficult. This unwavering commitment to ethical principles builds trust because it shows a person is reliable, honest, and fair.
  6. Confidentiality – Confidentiality creates a safe space for open communication and demonstrates respect for the privacy of others. Conversely, breaches of confidentiality can have a devastating impact on trust: they can lead to feelings of betrayal, resentment, and a reluctance to share openly in the future. Rebuilding trust after a confidentiality breach can be a long and challenging process.
  7. Calm – Calmness projects a sense of security, clear thinking, and resilience – qualities that people value in those they trust. Especially in stressful situations, it is hard to trust someone who is panicking and falling apart under pressure.
  8. Candor or Transparency – Being frank, open, and sincere reflects genuineness and a commitment to truthfulness. When someone is sincere, their words and actions align with their values. This builds trust because it fosters credibility and allows people to believe what they are being told. In contrast, being secretive or disingenuous makes people suspicious and hesitant to share information, hindering the relationship.

Using these concepts intentionally creates predictability and safety in relationships, which are important in everyday affairs but especially critical in times of crisis.

CISOs and Trust

Trust is one of the most critical elements of the CISO role. In fact, a CISO’s ability to establish trust upward, downward, and laterally, both inside and outside of the organization, is probably the single most critical skill for CISOs to have. From getting buy-in from executive leadership, to instilling a culture of security in the organization and acquiring and retaining top security talent, the ability to build and maintain trust is crucial for the CISO’s success.

The CISO is a critical function in the organization, especially when the organization is under a cyber attack. It is important for organizations to have a CISO they can trust to have a steady hand on the wheel when dealing with the crisis in partnership with the other executives. Conversely, not being able to establish trust or, worse, losing trust is probably the fastest way for CISOs to find themselves ousted from the organization.

Who should the CISO build trust with?

CISOs should prioritize building trust with a variety of stakeholders, both internally and externally, to create a strong cybersecurity ecosystem.

Inside the Organization

  • Senior Leadership (CEO, CFO, Board): CISOs need to translate cybersecurity risks into business terms that resonate with leadership. Building trust allows them to secure support and advocate for a security-conscious culture.
  • IT and Engineering Teams: Trusting relationships with IT ensures alignment between security protocols and operational needs. Trust with Engineering teams fosters a collaborative environment where security becomes an integral part of the development process, leading to more secure applications and faster deployments.
  • Business Unit Leaders: CISOs need to understand business goals and tailor security measures accordingly. Trust fosters open communication and collaboration, leading to more effective security solutions that don’t hinder business objectives.
  • Employees: A security-aware and committed workforce is vital. Engaged and security-minded employees are one of the best lines of defense for any organization.
  • Other departments: As security becomes more critical to any modern business, it is important to engage and maintain great relationships with other departments including Audit, Legal, Procurement, Human Resources, Sales, Marketing, and more. Maintaining relationships based on trust with all of them is critical for business enablement or when dealing with bad days.

Outside the organization

  • Vendors: Yes, we tend to complain a lot about vendors, but in reality our mutual success is based on strong partnerships, and at the end of the day we need each other and must work together to deliver our mission.
  • Industry Peers: Sharing best practices and collaborating on threat intelligence strengthens the overall cybersecurity landscape. Trusting relationships with industry peers facilitate knowledge exchange and coordinated responses to emerging threats.
  • Regulators: By working together, regulators and businesses can develop clearer and more efficient compliance processes. This may lead to improved regulatory outcomes, foster innovation in both regulatory approaches and industry practices, and increase public trust in both regulatory bodies and the regulated industries.
  • Law Enforcement: Collaboration with law enforcement might be necessary when dealing with cybercrime and nation-state adversaries. Building trust facilitates smoother information sharing and investigation processes.
  • Other CISOs: It takes a village to stand against a common adversary, and being part of a community of CISOs is one of the greatest things about the security industry. While most CISO communities are informal, they are extremely effective in sharing knowledge, sharing intelligence, and supporting the community based on strong bonds of trust.

How do you build trust?

Trust building starts with intention. You should think strategically about using these principles for building trust with others.

The roadmap

With the other person in mind, start by finding out what is important to them by being genuinely curious about them. A good way to do it is by asking open questions and by listening carefully to their responses. For example, instead of asking “How are you doing?”, you can ask “How are you feeling?”. When you ask someone “How are you doing?” the answer is usually a closed and simple “Fine”, but when you ask “How are you feeling?” you will likely get an answer that can be opened further for discussion.

If you hear the response “I feel great!”, you can reply with “Wow, that is awesome. Can you please share why?”. If you hear the response “I feel lousy”, you can respond with “Anything I can do for you?”. If you are being Authentic and truly mean it, this is a great opportunity to show up for them! This is Empathy.

If you focus on what is important to them and make a commitment to do something (in other words, you showed up for them), this is an opportunity to demonstrate that you are Accountable for them!

Of course, you always have to operate with Integrity and maintain Confidentiality in your dealings with the other person, as expected by them. This is not a one-and-done action: you must do it over and over again, and never compromise!

The secret ingredient

Trust building often starts from scratch, and as with any dealing between two or more people, someone needs to go first and take a risk. This requires Courage (which many people don’t have), so if you can get over your fears you will have a great power for good.

Lastly, it is important to note that in stressful situations, when the stakes are high, keeping Calm and cool-headed will not only allow you to make better decisions but will also make others look up to you as a safe harbor in the storm; and the more you keep calm in the storm, the more people will trust you!

Conclusion

Relationships and Trust Building are some of the most critical skills for CISOs to have. Vision, subject matter expertise, ability to execute, and communication are required from everyone who is striving to become a CISO one day, but the ability to build deep, meaningful, authentic and trusting relationships is what truly separates great CISOs from the rest of the pack.

What has been your experience? I would love to hear from you about how you build trust.

About the author

Yaron is a seasoned multi-industry Cyber Security Leader. He is 2x CISO, Research Fellow for the Cloud Security Alliance, Security Tinkerer, Advisory Board Member for several cyber security startups and venture firms, and a Mentor to other CISOs and members of the security community.
