“To do that, CISOs have to orchestrate across the entire organization. They start by building demand and then lead the change,” he says.
“But while a lot of CISOs are mastering this capability and this skill, the overall organization in many cases is dysfunctional when it comes to digital change. And if the overall organization doesn’t have the capacity to change, then the CISO as an agent of change is not scalable,” Kopczynski says. “There are only so many things that the CISO can lean into before hitting that proverbial wall. This is a fundamental falling down point for many organizations.”
Kopczynski, co-founder and CISO in Resident of the Professional Association of CISOs as well as the author of the post “The Perils of Poor Change Management”, says CISOs in such cases must find ways to not only guide security-related changes but also inspire the organization to embrace change in general.
“You have to build a case around the organization itself building those capabilities by working with the CTO, business leaders, product folks,” he explains. “The CISO has to say, ‘We need to build this capability and have it function across the various business lines, so we can sustain change and move faster.’ So the next step for a CISO to mature themselves is to say, ‘I’ve got to work upstream.’ It’s an opportunity for them to show they are true business leaders.”