Blog Series: Your First 90 Days as a CISO
Post 4 of 4
A Plain-English Guide for New, Aspiring, and Future Security Leaders
Here's a truth that many talented security professionals discover too late: you can be technically brilliant, deeply experienced, and genuinely committed to protecting the organization — and still fail as a CISO if you don't have executive support.
Security programs require funding. They require organizational authority. They require the ability to make decisions that sometimes create friction for other business units. They require the backing to hold lines when the pressure to cut corners for speed or convenience is intense. None of that happens without the support of the people at the top of the organization.
And yet, earning and keeping executive support is exactly the area where security leaders most often struggle. The technical skills that make someone a great security professional don't automatically translate into the communication skills, the political acuity, and the business fluency that executive relationships require. This post is about how to close that gap — deliberately, strategically, and starting in your very first 90 days.
📋 ABOUT THIS SERIES
- Post 1: Days 1–30 — Listen, Learn, and Don't Break Anything
- Post 2: Days 31–60 — Assess the Landscape and Build Your Roadmap
- Post 3: Days 61–90 — Start Executing and Show Early Wins
- Post 4: Winning the Room — How to Gain and Keep Executive Support (you're here)
Understand What Executives Actually Care About
The first step in earning executive support is understanding what executives are actually trying to accomplish — and it isn't security. That's your job. Their job is to run a profitable, sustainable, legally compliant business that serves its customers, grows its market position, and delivers value to its stakeholders. Security is one input into that mission, not the mission itself.
This distinction matters enormously. Executives don't lie awake worrying about CVE scores, mean time to patch, or the percentage of endpoints with EDR deployed. They worry about business continuity — what happens if we can't serve customers? They worry about regulatory exposure — what happens if we get fined or sanctioned? They worry about reputational risk — what happens if we end up in the news for a breach? They worry about shareholder value, competitive position, and their own accountability to the board.
Every conversation you have with an executive about security needs to be grounded in those concerns — not yours. When you surface a vulnerability or a risk, your job is to translate it into business impact language before it ever reaches the executive's ears. Not "we have 47 critical vulnerabilities with a mean time to remediate of 38 days." Instead: "We have a group of critical exposures in our customer-facing systems that, if exploited, could result in a service outage during our highest-revenue period and potential notification obligations under our state privacy laws. Here's what it would take to close them."
Same information. Completely different conversation. One gets a blank stare and a polite nod. The other gets attention, questions, and — when your proposed solution is credible — support.
This translation skill — from technical risk to business impact — is one of the most valuable things you can develop as a security leader. It doesn't come naturally to everyone, but it can absolutely be learned with practice and intention.
💡 Pro Tip
Before every executive meeting or communication, ask yourself one question: "What does this person care about most, and how does what I'm about to say connect to that?" If you can't answer it in one sentence, rework your message before you deliver it. This habit will transform the quality of your executive communication over time.
Build Relationships Before You Need Them
The single most common executive relationship mistake new CISOs make is waiting until they need something to try to build a relationship. The first time they talk to the CFO is when they need budget. The first time they engage the General Counsel is when they're in the middle of a breach. The first time they're in front of the CEO without a formal agenda is when something has gone wrong.
That's backwards. Relationships built in the middle of a crisis or a budget negotiation start at a disadvantage. You're asking for something before you've given anything. You're establishing yourself in the other person's mind as someone who shows up when they want something rather than someone who's invested in understanding the broader picture.
Build your executive relationships proactively, in low-stakes moments, before you need anything. Schedule informal conversations with your C-suite peers in your first 60 days — not full meetings with presentations and agendas, but genuine conversations. Ask about their priorities. Ask about the challenges their teams are facing. Ask how security decisions in the past have affected their work, positively or negatively. Show up to cross-functional meetings not just to represent security interests, but to understand the business better.
Over time, these conversations accomplish something enormously valuable. They establish you as a peer who's engaged with the broader business, not just a technical specialist from a different corner of the organization. They give you insight into what drives each executive's decisions. And they build the kind of interpersonal trust that makes everything easier — budget conversations, risk acceptance decisions, enforcement of security requirements, and support during difficult moments.
Master Your Board Presentation
If your organization has a board of directors, getting on the agenda — and presenting well when you get there — is one of your most important professional objectives in year one. Boards are increasingly engaged on cybersecurity topics, and the CISO's relationship with the board has become a meaningful factor in organizational security posture.
The way you show up to a board presentation will define you in that room for a long time. Do it badly — walk in with dense technical slides, jargon-heavy language, and a presentation that board members can't follow — and you'll spend months recovering the credibility you lost. Do it well, and you become the security leader the board actually looks forward to hearing from. That's a rare thing, and it creates significant organizational leverage.
Board members don't need technical detail. They need to understand four things: What is our current risk level, in plain terms? What are we doing about the most significant risks? How does our security posture compare to what's expected of organizations like ours, given our industry and regulatory environment? And what decisions or resources are needed from the board level to continue moving in the right direction?
Answer those four questions clearly, in plain language, in under 30 minutes, and you'll be the CISO whose board presentations board members actually pay attention to rather than sit through while checking their phones. Keep your slides minimal and visual. Use analogies. If you have to explain a technical concept, do it in one sentence and move on. The detail lives in appendices that board members can review if they want depth on a specific topic.
One more board-specific piece of advice: treat questions from board members with genuine engagement, not defensiveness. A board member who asks a challenging or skeptical question is doing their job. Respond to those questions as what they are — smart people trying to ensure the organization is well-governed — rather than as attacks on your program or your credibility.
Be a Business Enabler, Not a Roadblock
Nothing erodes executive support faster than developing a reputation as the security leader who always says no. Who always surfaces problems without solutions. Who slows down every initiative with security reviews that take too long and produce too many "we can't do that" conclusions. That reputation, once established, is very hard to shake — and it makes every future conversation about security resources and authority a much harder fight.
The alternative isn't lowering your security standards. It's changing the frame of how you engage with the business on security questions. Instead of "we can't do that," the question becomes "how do we do that in a way that manages the security risk acceptably?" Instead of showing up to business conversations as the person who's going to identify reasons something can't happen, you show up as the person who's going to help figure out how it can happen safely.
This reframe requires that you actually understand the business well enough to propose realistic solutions rather than just identifying problems. It requires that you have a genuine risk tolerance conversation with leadership — because not every security risk needs to be eliminated; some can be accepted, mitigated, or transferred — and that you work within those risk parameters rather than against them.
When executives learn that bringing you into a conversation early saves time and produces better outcomes than involving you late or not at all, they start including you earlier. That's when security truly becomes part of the business rather than a separate function that interacts with the business mostly through conflict. It's a culture shift that takes time, but it starts with how you show up to every individual conversation.
💡 Pro Tip
When you're presented with a security challenge related to a business initiative, lead with "here's how we can make this work" before you lead with the risks. It doesn't mean ignoring the risks — it means demonstrating that your default orientation is toward finding solutions, not building walls. That shift in framing changes how people experience interacting with the security team.
Report Consistently, in Business Terms
Consistent, clear communication is one of the most powerful trust-building tools available to a CISO, and it's one of the most underutilized. Many security leaders present to leadership only when they have something major to announce — a big win, a significant incident, or a budget ask. The gaps between those moments become gaps in the relationship, and gaps in the relationship become gaps in understanding and support.
Establish a regular reporting cadence. Monthly or quarterly executive security updates — brief, structured, and consistently formatted — keep security visible and keep your stakeholders informed without requiring them to sit through lengthy meetings. The format matters as much as the frequency. A two-page summary with a handful of clear metrics and a brief narrative on key developments gets read. A twenty-page report gets filed.
Your metrics should tell a story of progress over time. Track the things that matter most — risk reduction trend, critical vulnerability remediation rates, incident volume and response times, training completion, audit findings status — and present them consistently so trends become visible. When your metrics are improving, the story tells itself. When they're not, you get ahead of the issue by presenting it alongside your plan to address it, rather than waiting for someone to notice and ask uncomfortable questions.
One format that many security leaders find highly effective is a one-page executive dashboard — a visual summary of key security metrics that any executive can read and understand in under two minutes. Busy leaders who can stay meaningfully informed on security without dedicating significant time to it are much more engaged stakeholders than those who feel like security is a black box they can only learn about in formal presentations.
Find and Cultivate Your Executive Champion
Every successful CISO eventually develops at least one executive champion — someone in the C-suite who genuinely believes in the security program, advocates for it in conversations you're not part of, and is willing to use their organizational influence to support your work when you need it.
This person might be the CEO or the CTO, but it might also be the CFO who understands risk, the General Counsel who sees security through a regulatory lens, or another executive who had a previous experience — a near-miss, a vendor breach, a regulatory close call — that made security personal for them. The champion doesn't need deep technical security knowledge. They need to trust you and be willing to act on that trust.
Sometimes a champion emerges naturally. More often, you have to cultivate the relationship deliberately. Invest more time in executives who show genuine curiosity about security. Share relevant external news and data that speaks to their specific concerns — a breach that affected a peer company, a regulatory action in your industry, research that quantifies the business impact of specific types of incidents. Over time, demonstrating that you understand their world and bring them information that's relevant to their responsibilities builds the kind of relationship where advocacy feels natural.
Once you've identified a champion, don't take the relationship for granted. Keep them informed. Involve them in your thinking on significant decisions. Give them the context they need to represent the security program credibly in settings where you're not present. A well-informed champion is worth an enormous amount; a champion who's been left out of the loop will eventually stop advocating because they don't know what they're advocating for anymore.
Handle Crises With Integrity — Your Reputation Depends on It
At some point in your tenure, something significant will go wrong. A breach. A ransomware attack. A compliance failure. A vendor incident that affects your environment. A vulnerability disclosed publicly before you've had a chance to patch it. How you respond to these moments will define your reputation with executive leadership more than anything that happens when things are running smoothly.
The instinct when something goes wrong is to manage the narrative — to present the situation in the most favorable light, downplay the severity, and project confidence you may not yet have. Resist that instinct completely. Executives can handle bad news. What they cannot handle — what destroys trust permanently — is discovering that the CISO had information they didn't share, softened the picture in ways that prevented good decision-making, or allowed them to be blindsided by information they needed earlier.
When a crisis hits, communicate early and often. Even before you have complete information, let the right people know what you know and what you're working to find out. Be honest about uncertainty — "we don't yet know the full scope, but here's what we do know and here's what we're doing" is a much better message than false certainty that gets revised downward as facts emerge. Focus your energy on containment, recovery, and getting the organization the information it needs to make good decisions, not on protecting yourself from scrutiny.
After the crisis is resolved, conduct a genuine after-action review. Not a blame exercise — a learning exercise. What happened? What controls failed? What worked well in the response? What would we do differently? Document it. Share it. And then follow through on the improvements it identifies. An organization that treats every significant security event as a learning opportunity gets better over time. One that sweeps incidents under the rug repeats the same mistakes.
Your credibility as a CISO is built over many interactions and tested in moments of crisis. Protect it by being consistently honest, consistently prepared, and consistently focused on the organization's best interests — not your own comfort or political position. That kind of integrity is noticed, and it compounds over time into the most valuable thing a security leader can have: an executive team that trusts you completely, even when the news is bad.
💭 Final Thought
The most effective CISOs in the world aren't necessarily the most technically skilled ones. They're the leaders who understand that security is a business function — and that doing it well requires bringing people along, not just being right. Build your relationships before you need them. Speak the language of business, not just security. Be honest when it's uncomfortable. Show up as a partner to every part of the organization. And when things go wrong, be exactly the leader your organization needs in that moment rather than the one that's easiest to be. Do those things consistently, and you won't just survive your first 90 days. You'll build a security program — and a career — worth being proud of.
Series Complete
Thanks for reading the full series. If this helped you, share it with someone who's on their way up in security leadership.
www.infosecmadeeasy.com