🏛️ Power and Politics
How CISOs Navigate Complex Corporate Structures
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
Cybersecurity leadership is never only technical.
That may be uncomfortable for some security professionals, especially those who built their credibility through deep technical expertise, incident response, architecture, governance, or compliance. But the reality is clear: a CISO who understands technology but does not understand power will eventually reach a ceiling.
Because in large organizations, cybersecurity decisions are rarely made in isolation.
They are shaped by budgets, reporting lines, executive priorities, delivery pressure, regulatory exposure, personal incentives, internal alliances, historic conflicts, vendor relationships, transformation programs, and the political reality of who owns what.
This does not mean cybersecurity leadership must become manipulative.
It means the opposite.
The CISO must learn how to navigate organizational power ethically, transparently, and effectively — because security risks often emerge precisely where formal responsibility, informal influence, and business pressure collide.
The modern CISO is not only a technical leader.
The modern CISO is a diplomat.
A translator.
A negotiator.
A coalition builder.
And, when necessary, a calm but persistent challenger of convenient assumptions.
The Myth of Purely Rational Security Decisions
Many security professionals assume that if the risk is real, the organization will act.
- If the vulnerability is critical, it will be fixed.
- If the control is necessary, it will be funded.
- If the policy is approved, it will be followed.
- If the audit finding is severe, it will be prioritized.
- If the CISO explains the risk clearly enough, leadership will make the right decision.
Sometimes that happens.
Often, it does not.
- Not because executives are careless.
- Not because business units are irresponsible.
- Not because IT does not understand security.
But because organizations do not operate as purely rational systems. They operate as human systems. And human systems are shaped by competing objectives, limited resources, accountability concerns, political incentives, personal relationships, and the desire to avoid visible conflict.
A security requirement may be technically correct and still lose against a delivery deadline.
A risk may be strategically important and still be deferred because no one wants to own the cost.
A policy may be formally approved and still ignored because local leadership sees it as unrealistic.
A critical control may be delayed because it threatens an established operating model.
A cloud security decision may become difficult because it challenges a strategic vendor commitment.
This is the world in which CISOs operate.
Ignoring it does not make the CISO more principled.
It makes the CISO less effective.
Power Is Not a Dirty Word
Many security leaders are uncomfortable talking about power.
They prefer to talk about risk, controls, governance, technology, and compliance. Those topics feel objective. Power feels political. Politics feels dangerous.
But power is simply the ability to influence decisions, allocate resources, define priorities, shape narratives, and determine what becomes visible.
Every organization has power structures.
Some are formal: reporting lines, committees, mandates, budgets, decision rights.
Others are informal: trusted advisors, long-standing relationships, influential experts, executive preferences, cultural norms, historical loyalties, and unwritten rules.
A CISO who only understands the formal structure will misunderstand the organization.
The org chart shows authority.
It does not always show influence.
The committee structure shows process.
It does not always show where decisions are actually shaped.
The policy framework shows requirements.
It does not always show whether the organization is willing to enforce them.
To lead security effectively, the CISO must understand both formal and informal power.
Not to play games.
But to ensure that real risks reach the right decision-makers before they become incidents.
The CISO’s Structural Challenge
Many CISOs carry responsibility without full control.
They are accountable for advising on cybersecurity risk, but they may not own all the systems.
They define requirements, but IT implements them.
They identify supplier risks, but procurement signs the contracts.
They warn about data protection implications, but business units create the processes.
They escalate resilience concerns, but operations own continuity.
They report risk, but executives decide what to fund.
They design governance, but local entities may interpret it differently.
This structural gap is one of the defining realities of the CISO role.
The CISO is expected to protect the organization, but the levers of protection are distributed across the organization.
That is why influence matters.
A CISO who relies only on formal authority will struggle. In many environments, the CISO simply does not have enough direct authority to enforce everything that matters.
But a CISO who builds trust, understands incentives, and shapes decisions early can achieve far more than one who waits to escalate after resistance has hardened.
Mapping the Political Landscape
A practical CISO needs a map of the organization.
Not only the official structure.
A real map.
Who controls the budget?
Who controls architecture decisions?
Who influences the CIO?
Who has the trust of the executive board?
Who can delay a project without appearing to block it?
Who owns the data?
Who owns the process?
Who owns the system?
Who owns the supplier relationship?
Who is seen as credible in a crisis?
Who is defensive because of past audit findings?
Who has been burned by security before?
Who wants security as an ally?
Who sees security as a threat?
These questions are not cynical.
They are necessary.
Without this understanding, the CISO may bring the right message to the wrong person, at the wrong time, in the wrong language, through the wrong channel.
Security leadership fails not only when the analysis is wrong.
It also fails when influence is misdirected.
The CIO Relationship
The relationship between CISO and CIO is one of the most important political relationships in the enterprise.
It can be highly productive.
It can also be structurally tense.
The CIO is often responsible for technology delivery, operational stability, cost efficiency, user experience, platform modernization, and transformation execution. The CISO is responsible for making security risk visible, defining requirements, challenging weaknesses, and ensuring that technology decisions do not create unacceptable exposure.
These roles overlap.
They also create friction.
The CIO may experience security as slowing delivery. The CISO may experience IT as accepting too much operational risk. The CIO may prioritize service continuity. The CISO may prioritize control effectiveness. The CIO may see legacy constraints. The CISO may see accumulated risk.
A mature relationship does not deny these tensions.
It makes them governable.
The CISO should not position themselves as the enemy of IT.
But neither should the CISO become absorbed into IT delivery logic to the point where independent risk visibility disappears.
The key is to build alignment without losing independence.
That means shared objectives, clear escalation paths, transparent risk acceptance, and a mutual understanding that security is not there to embarrass IT — but also not there to hide risk for the sake of harmony.
The CFO Relationship
The CFO relationship is often decisive because many security risks eventually become investment decisions.
CISOs who cannot speak the language of finance will struggle to gain support.
But speaking finance does not mean pretending that every cybersecurity decision has a precise return on investment. It means explaining exposure, cost of delay, investment logic, avoided loss, resilience value, regulatory exposure, and prioritization.
A CFO does not need fear.
A CFO needs clarity.
What risk are we reducing?
Why now?
What happens if we defer?
Which business process is exposed?
What is the realistic cost range of inaction?
Which investments are mandatory, and which are discretionary?
Which controls reduce several risks at once?
Where are we spending money without improving capability?
A strong CISO-CFO relationship turns cybersecurity from a budget request into a risk investment conversation.
That is a major political advantage.
The Legal and Compliance Relationship
Legal and compliance functions can be powerful allies.
They understand obligation, defensibility, liability, and evidence. They can help the CISO explain why certain decisions cannot be treated as purely technical preferences.
But there is also a risk.
In some organizations, cybersecurity is reduced to compliance. The CISO becomes the function that produces evidence, closes findings, supports audits, and updates policies — while deeper strategic risks remain unresolved.
The CISO must work closely with legal and compliance without becoming trapped in a purely compliance-driven security model.
The strongest relationship is one where legal, compliance, privacy, and cybersecurity jointly ask:
Can we defend this decision after an incident?
Do we have evidence that controls are effective?
Is this risk formally accepted, or merely tolerated?
Are we compliant on paper but exposed in reality?
Where does legal defensibility depend on technical truth?
This partnership can create powerful governance clarity.
The Business Unit Relationship
Business units often experience cybersecurity through friction.
Questionnaires.
Approvals.
Risk assessments.
Training.
Access reviews.
Project gates.
Policy exceptions.
Incident escalations.
If the CISO only appears as a control function, business units will learn to involve security as late as possible.
That is rational from their perspective.
The CISO must change the experience.
Security should become useful earlier.
Business leaders need to understand how security helps them protect revenue, deliver services, maintain customer trust, avoid regulatory surprises, reduce rework, and make transformation sustainable.
The CISO should learn the language of each major business unit.
What are they trying to achieve?
Where do they feel blocked?
Which risks do they underestimate?
Which security requirements are unclear?
Where can reusable patterns make their work easier?
Where does security need to say no clearly?
Where can security say yes with conditions?
This is how political resistance becomes partnership.
Not by weakening security.
But by making security relevant.
The HR Relationship
Human Resources is often underestimated in cybersecurity politics.
That is a mistake.
HR influences culture, onboarding, offboarding, leadership behavior, disciplinary processes, insider risk, awareness, role changes, and employee trust.
Many security failures have a human dimension.
Delayed deprovisioning.
Unclear responsibilities.
Unreported mistakes.
Weak security culture.
Shadow IT.
Privileged users who are not trained for their risk level.
Executives who do not model secure behavior.
The CISO needs HR as a partner because security culture cannot be imposed by the security team alone.
It must be embedded into how the organization develops people, manages change, handles misconduct, supports leadership, and communicates expectations.
This partnership is political because culture is political.
It touches behavior, responsibility, and leadership credibility.
The Procurement Relationship
Procurement is a major power center in modern cybersecurity.
Many critical risks enter the organization through suppliers, SaaS platforms, outsourcing arrangements, consultants, cloud providers, managed services, and technology partners.
If the CISO has no influence over procurement, supplier risk will be discovered too late.
After the contract.
After the data flow.
After the integration.
After the dependency is created.
At that point, security becomes negotiation under pressure.
The CISO must build a strategic relationship with procurement to ensure minimum security requirements are embedded before commercial commitments are made.
This includes supplier classification, security clauses, audit rights, breach notification, encryption, access control, subcontractor transparency, resilience expectations, data location, exit options, and evidence requirements.
Good supplier security is not achieved through late-stage questionnaires alone.
It is achieved through procurement governance.
The CISO as Diplomat
The CISO must often mediate between functions with legitimate but conflicting priorities.
IT wants stability and delivery.
Business units want speed and flexibility.
Finance wants cost discipline.
Legal wants defensibility.
Compliance wants evidence.
Operations wants continuity.
Procurement wants commercial efficiency.
HR wants workable people processes.
Executives want strategy execution.
Security wants risk visibility and control.
None of these perspectives is inherently wrong.
The CISO’s role is to help the organization see the trade-offs clearly.
This requires diplomacy.
Diplomacy is not weakness.
It is disciplined influence under constraint.
A diplomatic CISO knows when to push, when to pause, when to reframe, when to escalate, when to listen, and when to insist.
The goal is not to win every argument.
The goal is to ensure that the organization does not sleepwalk into unacceptable risk.
Speaking Different Languages Without Losing Integrity
Different stakeholders need different security language.
The CFO needs financial exposure and investment logic.
The CIO needs architecture, operations, prioritization, and delivery implications.
The CEO needs strategic risk, trust, resilience, and accountability.
Legal needs defensibility, liability, obligations, and evidence.
Business leaders need customer impact, speed, reliability, and risk ownership.
Operations needs continuity, recovery, and practical feasibility.
Technical teams need clarity, standards, and implementation guidance.
The CISO must adapt language without adapting the truth.
This distinction matters.
Political skill becomes dangerous when it turns into pleasing everyone. The CISO’s credibility depends on saying what is true, but in a way that each audience can understand and act upon.
The message may be tailored.
The substance must remain intact.
Neutrality Is Not Passivity
A CISO can act as a neutral mediator, but neutrality must not mean passivity.
The CISO should not be captured by IT, business units, compliance, or executive convenience. Nor should the CISO become a detached critic who only points out failures.
The CISO’s neutrality should be grounded in the organization’s long-term interest.
That means asking:
What protects the organization?
What supports its mission?
What preserves trust?
What can be defended after an incident?
What risk are we consciously accepting?
What decision is required?
This kind of neutrality gives the CISO moral and professional authority.
Not because the CISO is above politics.
But because the CISO uses political awareness to protect the organization rather than personal territory.
When to Escalate
Escalation is one of the most sensitive political tools available to a CISO.
Escalate too early or too often, and the CISO may be seen as alarmist or unable to collaborate.
Escalate too late, and the organization may drift into unacceptable exposure.
The question is not whether to escalate.
The question is when escalation becomes necessary.
Useful triggers include:
A risk exceeds defined appetite.
A critical control is repeatedly delayed without formal acceptance.
A business decision creates exposure that is not understood by accountable leadership.
A supplier or platform dependency creates strategic risk.
A project is moving toward go-live without minimum security requirements.
An incident reveals governance failure.
A risk owner lacks the authority to resolve the risk.
A pattern of exceptions indicates systemic avoidance.
Escalation should not be emotional.
It should be structured.
What is the issue?
What is at stake?
What decision is required?
Which options exist?
Who owns the risk?
What is the consequence of inaction?
This keeps escalation professional and decision-oriented.
The Danger of Being Too Useful
There is a subtle danger for CISOs in complex organizations.
They can become too useful operationally.
They solve problems.
They help projects.
They compensate for unclear ownership.
They write the risk language.
They support audits.
They mediate conflicts.
They explain technical issues.
They help business units move forward.
All of this is valuable.
But if the CISO repeatedly compensates for governance weakness, the organization may never fix the underlying issue.
The CISO becomes the bridge over every gap.
Eventually, the bridge becomes part of the operating model.
That is risky.
The CISO must help the organization solve problems without permanently absorbing responsibility that belongs elsewhere.
This requires discipline.
Support the process.
Clarify ownership.
Enable decisions.
But do not become the owner of every unresolved organizational weakness.
Building Coalitions
CISOs rarely succeed alone.
They need coalitions.
A coalition is not a political faction. It is a group of stakeholders who understand that cybersecurity supports their own objectives.
Finance may support security because it reduces fraud and unmanaged exposure.
Legal may support security because it improves defensibility.
Operations may support security because it strengthens resilience.
HR may support security because it improves culture and role clarity.
Procurement may support security because it reduces supplier surprises.
Business leaders may support security because it protects customer trust.
IT may support security because it reduces firefighting and architectural debt.
The CISO’s work is to make these connections visible.
When security becomes a shared interest, political resistance decreases.
Influence Before Formal Decision Points
The most important cybersecurity influence often happens before formal meetings.
By the time a decision reaches a steering committee, much of the real work has already happened. Positions have formed. Budgets have been discussed. Timelines have been promised. Vendors have been favored. Narratives have been shaped.
A politically aware CISO engages earlier.
They speak with stakeholders before the meeting.
They understand concerns.
They test recommendations.
They identify objections.
They prepare allies.
They clarify misunderstandings.
They make sure the formal decision does not become the first moment security is heard.
This is not manipulation.
It is preparation.
And in complex organizations, preparation is often the difference between influence and symbolic participation.
Protecting Independence
Political skill must not compromise independence.
This is especially important for CISOs.
The CISO must build relationships, but not become dependent on approval.
The CISO must collaborate with IT, but not hide IT risk.
The CISO must support business transformation, but not normalize unacceptable exposure.
The CISO must work with executives, but not soften messages until they lose meaning.
The CISO must understand politics, but not become political in the wrong sense.
Independence does not mean isolation.
It means the CISO can still speak clearly when clarity is inconvenient.
That is the foundation of trust.
A Practical Political Playbook for CISOs
CISOs navigating complex corporate structures can apply a practical approach.
First, map the decision landscape. Understand who has formal authority, who has informal influence, who controls budget, who owns processes, and who can block or enable action.
Second, build relationships before conflict. Do not wait until a risk is urgent to speak with key stakeholders.
Third, translate security into stakeholder value. Explain how security supports the objectives of finance, operations, HR, legal, procurement, IT, and business units.
Fourth, identify shared risks. Focus on problems that multiple functions already care about, such as resilience, fraud, regulatory exposure, supplier dependency, or customer trust.
Fifth, separate technical issues from decision issues. Not every vulnerability requires executive attention, but every unresolved risk outside appetite requires a decision.
Sixth, escalate with structure. Escalation should clarify options and accountability, not merely express concern.
Seventh, document decisions, not only discussions. If the organization accepts risk, make the acceptance explicit, owned, justified, and time-bound.
Eighth, protect the CISO’s independence. Influence is valuable only if the CISO remains able to speak truthfully.
This is not office politics in the shallow sense.
It is governance in practice.
Final Reflection
Power and politics are part of cybersecurity leadership.
The question is not whether the CISO participates in organizational politics.
The question is whether the CISO understands them well enough to protect the organization’s interests.
A technically excellent CISO who ignores power dynamics may produce accurate analysis that never changes decisions.
A politically skilled but unprincipled CISO may gain influence while losing trust.
The mature CISO must combine both: technical depth, strategic judgment, ethical clarity, and political intelligence.
That combination is difficult.
But it is increasingly necessary.
Because cybersecurity does not fail only when controls fail.
It also fails when risks are known but not owned.
When decisions are delayed but not escalated.
When accountability is distributed until it disappears.
When security is invited too late.
When politics hides exposure.
When harmony becomes more important than truth.
The CISO’s role is to navigate this complexity without becoming cynical.
To build alliances without losing independence.
To translate risk without diluting it.
To challenge decisions without becoming destructive.
To use influence not for personal power, but for organizational resilience.
That is the real political work of the modern CISO.
Not winning internal battles.
But making sure the organization can see clearly, decide consciously, and act before risk becomes damage.
Publication Note & Disclaimer
This article was originally published on LinkedIn on February 13, 2025 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.