Executive brief on how PCI DSS 4.0 affects offensive security practices, penetration testing, and segmentation testing. Watch Now

The Human Element: Building Trust and Influence in Security Leadership

Veteran security leader Nate Lee reveals how effective cybersecurity depends as much on relationship-building as technical expertise. Learn practical strategies for gaining organizational trust, communicating effectively, and driving security initiatives through persuasion rather than mandate.

Veteran security leader Nate Lee reveals how effective cybersecurity depends as much on relationship-building as technical expertise. Learn practical strategies for gaining organizational trust, communicating effectively, and driving security initiatives through persuasion rather than mandate.

Session Summary

In this revealing conversation from RSA Conference 2024, experienced CISO Nate Lee joins Bishop Fox's Matt Twells to explore the often-neglected human dimension of security leadership. Drawing from his extensive background as both an organizational and fractional CISO, Lee argues that while technical expertise remains essential, the most effective security leaders are those who excel at building trust and influence across their organizations.

The discussion examines how security initiatives frequently fail not because of technical shortcomings but due to inadequate relationship-building. Lee emphasizes that without trust, security teams remain isolated, brought in too late to projects or only when problems have already escalated. He shares practical strategies for overcoming this challenge, including engaging with departments beyond engineering, demonstrating consistent helpfulness outside of crisis situations, and communicating complex security concepts with clarity and relevance. Throughout the conversation, Lee highlights how psychological principles like social proof and reciprocity can be leveraged effectively in security programs—from establishing security champions who model good behavior to creating genuine reciprocal relationships that make others more receptive to security guidance. The session offers a refreshing perspective that security effectiveness ultimately depends less on technical controls than on a leader's ability to build relationships, communicate persuasively, and create an environment where security becomes a shared organizational priority.

Key Takeaways

  1. Trust is the foundation of security effectiveness - Without trust, teams won't involve security early in projects or disclose potential issues until they become major problems.
  2. Relationship-building must extend beyond technical teams - Effective security leaders build connections across all business functions, understanding the unique challenges of sales, marketing, HR, and finance teams.
  3. Consistent presence matters more than crisis response - Security teams that only appear during problems create negative associations; regular, helpful engagement builds positive relationships.
  4. Communication clarity drives compliance - Focusing on two or three critical points and explaining why they matter helps people make informed decisions without overwhelming them.
  5. Social proof can drive security behavior - Implementing security champions programs leverages people's tendency to follow what they see peers doing.
  6. Reciprocity creates willing partners - Genuinely helping colleagues creates a natural sense of obligation that makes them more receptive to security requests later.

Abbreviated Transcript

Matt Twells: Hi, welcome back. I'm Matthew Twells, senior solutions architect at Bishop Fox. We're moving on to a new topic about the power of persuasion in a security program. We've got Nate Lee here. He's the CISO of Cloudsec.ai and also a former CISO at TradeShift, where you secured over a trillion dollars in trade. How are you finding San Francisco and tell us a bit about yourself?

Nate Lee: Sure. I'm no longer at TradeShift. I switched to doing fractional work and now consult as a CISO. I'm enjoying RSA and catching up with folks. The hot topic this year seems to be vulnerabilities.

Matt Twells: Yeah, AI is always a big topic here. We were discussing the importance of people skills and trust in security programs. How do you see that in your role as a CISO?

Nate Lee: Trust is crucial. People need to trust you to share problems and involve you early in projects. Without trust, they won't tell you about issues until they become major problems.

Matt Twells: Security work often involves doing things people know they should but don't want to. Do you have tips for gaining buy-in and trust?

Nate Lee: It's about creating an easy path for them and influencing them to drive positive outcomes. It's helpful to convey ideas clearly and connect with people so they understand the importance of what you're asking them to do.

Matt Twells: In the military, we always said to make friends with the chef and the clerk. In a company, who would you say are the key people to build trust with first?

Nate Lee: It's everyone, really. You need to understand different parts of the organization and their problems. Talking to sales, marketing, HR, and finance, not just engineering, helps build connections and trust.

Matt Twells: Let's talk about likability as a tool. How do you balance being likable with staying effective?

Nate Lee: It's about connecting with people genuinely and being helpful. If your team only shows up when there's a problem, it creates negative associations. By being present and helpful regularly, you build positive relationships.

Matt Twells: My background is in audit, and I found that just reassuring people we're not the cops made a huge difference. How do you make your message clear and impactful?

Nate Lee: Focus on the two or three most important things. Help people understand why something is important so they can make informed decisions. Too much information can overwhelm them.

Matt Twells: Social proof is another psychological principle. How can it be applied in cybersecurity?

Nate Lee: Using security champions within teams to model good behavior is effective. People tend to follow what they see others doing. Providing awareness training with real-life examples from their peers can also make a big impact.

Matt Twells: Reciprocity is also powerful. How do you use it in your role?

Nate Lee: Helping others genuinely can trigger a sense of obligation. When you do something nice for someone, they're more likely to help you in return. It's a deep-seated human response.

Matt Twells: Thank you, Nate. This has been a fantastic conversation. I hope you enjoy the rest of your week here in San Francisco.

Nate Lee: Thank you. I appreciate your time.


Matt Twells

About the speaker, Matt Twells

Former Senior Solutions Architect

Matthew Twells was a Senior Solutions Architect at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.

More by Matt

Extend Your Knowledge

Check out these related resources.

Spotlight session featuring John Hammond, Principal Security Researcher at Huntress, hosted by Bishop Fox Live at RSA Conference 2024.
Virtual Session

Beyond Technical Exploits: The Strategic Value of Red Team Engagements

Security researcher and YouTube educator John Hammond shares insights on effective red teaming that balances technical depth with business impact. Learn how threat intelligence, fundamentals-focused security, and emerging technologies shape today's offensive security landscape.
Learn More
Bishop Fox Livestream at RSAC 2024 with Dave Lewis
Virtual Session

The Human Side of Security Leadership: Building Teams That Thrive

Veteran security leader Dave Lewis shares his philosophy on transforming struggling teams into high-performers through trust, communication, and empathy. Learn practical approaches to leadership that enable both individual growth and organizational security.

Learn More
Spotlight session featuring Robert Hansen, Managing Director at Grossman Ventures, hosted by Bishop Fox Live during RSA Conference 2024.
Virtual Session

AI's Dark Potential: Robert Hansen, RSnake and Author of AI's Best Friend, Warns of Superintelligence Risks

Security pioneer Robert "RSnake" Hansen shares insights from his book "AI's Best Friend," revealing why artificial intelligence without moral frameworks poses unprecedented dangers that regulation alone cannot address.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.