After the quick intro from the other day, let's dive in. Today, in the other first 90 days I'd like to write about business owners.
By its essence, our work as CISOs requires us to understand risk deeply and intimately, while at the same time maintaining a cool head and emotional distance. We are both trusted advisors and executants.
Trusted by whom? The business. But who's the business? Or rather whose business?
When working with any organization, one of the first things I map is what the ownership looks like. To advise, one must know exactly whom one is advising.
Today we'll talk about founders.
I have had the privilege to work in startup environments with great founders. Driven individuals, with impressive technical chops. The only time I had to tell anyone that not scoring perfect marks at awareness training didn't deserve a professional summary execution but instead pedagogy and consideration as a signal for continuous improvement was in a conversation with a founder.
Founders can fall anywhere on the continuum of risk appetite, but several patterns do emerge:
- startup environments => go big or go home. High risk appetite, which only grows as the remaining runway shrinks. As a CISO you must help make sure some lines are never crossed. Oftentimes you have to be the party pooper quoting regulations to them.
  - What helps => mapping those regulations to consequences for themselves and their company
  - Who to enlist => legal counsel; you want to work with them as much as possible
- established SMBs => keep things going (especially in family-owned companies when a scion is learning the ropes on the job). The lack of risk appetite might mean missing opportunities (e.g. leveraging cost-saving technologies, or migrating to cloud environments when it would make sense financially or operationally)
  - What helps => understanding their specific culture and language. You can never be part of the "family" and you shouldn't try to; you will rarely be as trusted an advisor as a family member, no matter your qualifications. Yet you must still get your point across
  - Who to enlist => their immediate circle of trusted advisors: first to understand the culture and the unspoken policies that underpin how they do business, then to ensure the appropriateness of, and eventual buy-in for, your advised course of action