The Human Element: Building Trust and Influence in Security Leadership
Veteran security leader Nate Lee reveals how effective cybersecurity depends as much on relationship-building as technical expertise. Learn practical strategies for gaining organizational trust, communicating effectively, and driving security initiatives through persuasion rather than mandate.
Session Summary
In this revealing conversation from RSA Conference 2024, experienced CISO Nate Lee joins Bishop Fox's Matt Twells to explore the often-neglected human dimension of security leadership. Drawing from his extensive background as both an organizational and fractional CISO, Lee argues that while technical expertise remains essential, the most effective security leaders are those who excel at building trust and influence across their organizations.
The discussion examines how security initiatives frequently fail not because of technical shortcomings but due to inadequate relationship-building. Lee emphasizes that without trust, security teams remain isolated, brought in too late to projects or only when problems have already escalated. He shares practical strategies for overcoming this challenge, including engaging with departments beyond engineering, demonstrating consistent helpfulness outside of crisis situations, and communicating complex security concepts with clarity and relevance. Throughout the conversation, Lee highlights how psychological principles like social proof and reciprocity can be leveraged effectively in security programs—from establishing security champions who model good behavior to creating genuine reciprocal relationships that make others more receptive to security guidance. The session offers a refreshing perspective that security effectiveness ultimately depends less on technical controls than on a leader's ability to build relationships, communicate persuasively, and create an environment where security becomes a shared organizational priority.
Key Takeaways
- Trust is the foundation of security effectiveness - Without trust, teams won't involve security early in projects or disclose potential issues until they become major problems.
- Relationship-building must extend beyond technical teams - Effective security leaders build connections across all business functions, understanding the unique challenges of sales, marketing, HR, and finance teams.
- Consistent presence matters more than crisis response - Security teams that only appear during problems create negative associations; regular, helpful engagement builds positive relationships.
- Communication clarity drives compliance - Focusing on two or three critical points and explaining why they matter helps people make informed decisions without overwhelming them.
- Social proof can drive security behavior - Implementing security champions programs leverages people's tendency to follow what they see peers doing.
- Reciprocity creates willing partners - Genuinely helping colleagues creates a natural sense of obligation that makes them more receptive to security requests later.
Abbreviated Transcript
Matt Twells: Hi, welcome back. I'm Matthew Twells, senior solutions architect at Bishop Fox. We're moving on to a new topic about the power of persuasion in a security program. We've got Nate Lee here. He's the CISO of Cloudsec.ai and also a former CISO at TradeShift, where you secured over a trillion dollars in trade. How are you finding San Francisco and tell us a bit about yourself?
Nate Lee: Sure. I'm no longer at TradeShift. I switched to doing fractional work and now consult as a CISO. I'm enjoying RSA and catching up with folks. The hot topic this year seems to be vulnerabilities.
Matt Twells: Yeah, AI is always a big topic here. We were discussing the importance of people skills and trust in security programs. How do you see that in your role as a CISO?
Nate Lee: Trust is crucial. People need to trust you to share problems and involve you early in projects. Without trust, they won't tell you about issues until they become major problems.
Matt Twells: Security work often involves doing things people know they should but don't want to. Do you have tips for gaining buy-in and trust?
Nate Lee: It's about creating an easy path for them and influencing them to drive positive outcomes. It's helpful to convey ideas clearly and connect with people so they understand the importance of what you're asking them to do.
Matt Twells: In the military, we always said to make friends with the chef and the clerk. In a company, who would you say are the key people to build trust with first?
Nate Lee: It's everyone, really. You need to understand different parts of the organization and their problems. Talking to sales, marketing, HR, and finance, not just engineering, helps build connections and trust.
Matt Twells: Let's talk about likability as a tool. How do you balance being likable with staying effective?
Nate Lee: It's about connecting with people genuinely and being helpful. If your team only shows up when there's a problem, it creates negative associations. By being present and helpful regularly, you build positive relationships.
Matt Twells: My background is in audit, and I found that just reassuring people we're not the cops made a huge difference. How do you make your message clear and impactful?
Nate Lee: Focus on the two or three most important things. Help people understand why something is important so they can make informed decisions. Too much information can overwhelm them.
Matt Twells: Social proof is another psychological principle. How can it be applied in cybersecurity?
Nate Lee: Using security champions within teams to model good behavior is effective. People tend to follow what they see others doing. Providing awareness training with real-life examples from their peers can also make a big impact.
Matt Twells: Reciprocity is also powerful. How do you use it in your role?
Nate Lee: Helping others genuinely can trigger a sense of obligation. When you do something nice for someone, they're more likely to help you in return. It's a deep-seated human response.
Matt Twells: Thank you, Nate. This has been a fantastic conversation. I hope you enjoy the rest of your week here in San Francisco.
Nate Lee: Thank you. I appreciate your time.