Kelli Burns, SVP and CISO at Accolade, says collaboration and co-ownership help security move faster and lead to the inclusion of CISOs beyond tech projects.

Kelli Burns paints a picture of the CISO job in terms of relationships – including communication, partnership, healthy tension and uncomfortable conversations – and any successful relationship involves collaboration.

Burns is SVP and CISO at Accolade, a Seattle-based provider of healthcare delivery, healthcare system navigation, and care advocacy services. Previously she was VP and CISO at financial service and insurance company Symetra. At both companies, Burns took on responsibility for not only security and other technology teams, but also aspects of overall employee experience. That is a logical extension of CISO work, according to Burns, since security touches on every aspect of business and employee experience. 

Burns has spent the past five-plus years demonstrating to executives that security leaders are high-impact business leaders as well. Burns argues that knowing the business deeply and partnering with tech and non-tech teams alike can help build a more productive sense of co-ownership of security. In this July 2024 discussion, she also talks about the necessity of communication plans, willingness to debate and “get into some good trouble,” and more.

Derek Slater: Your responsibilities for employee experience are unusual for a CISO. What’s the connection?

Kelli Burns: A lot of times security leaders get labeled as highly technical, like “just” security people. So, one of the things that I focus on deeply is demonstrating that a security leader is in fact a business leader.

At Symetra, I had the responsibility for all of IT, and then I also had the opportunity to lead product and engineering teams, who really owned the experience of the company’s employees. Think of the team that owns Teams and Office 365. A lot of times companies just use them straight out of the box, and don't use them to full capability. But what if you treat them as an internal product function, where you say, What's the roadmap to roll things out? What do we want to enable from the security side? What do we want to enable from an employee’s experience side? Sometimes those two can contradict each other.

That work was fun, because security touches everything. And what it naturally did is let us move faster. If someone else owns these capabilities, they would have to come partner with security, and ask “Can we do this, can we do that?” With this approach, we could move with more ease, because I was already familiar with the risks and could support decisions of my team quickly.

At Accolade, I joined as a security team leader, and have since gotten the opportunity to lead cloud infrastructure, engineering and tech services.

So, it's just about being a business leader. Security is embedded in product tech, ops, sales, marketing; I am proud to have strong partnerships across the whole organization. It helps us move faster.

How do you communicate the value of security to those functions?

It's like anything in life – people need to understand what's in it for them, and as a leader it’s important for me to speak in a language that's going to work for them. If I'm talking to someone that doesn't have any security background, I'm not going to explain what a Transport Layer Security protocol is. I’ll say we need to think about upgrading our TLS protocol, because this is what could result.

But also, I focus on being reasonable. I find that for a lot of my peers in the profession, it's their way or the highway. It's black and white. “If you don't do this, we're not secure!” Well, we already know that everybody's not secure; no one can claim 100% safety. So, what we can do as leaders is to be reasonable. You can say, “I get where you're coming from; what if we went for that [security fix] in Q2, instead of Q1?” Collaborate with your peers, have those conversations. It'll go a long way.

When I sit down with business leaders, I don't go in and say, “Why isn't this done? Get it done!” It’s like parenting – if you talk to a kid that way, if you just command them “Go clean your room!” they’ll just look at you and say “Why are you talking to me like this? Why are you angry?” Whereas if you give them some ownership, you can make more progress.

Every time you give a little bit, you build trust. Every good business demands trust, and trust starts with respect. 

How else do you build that trust — especially when you have disagreements about accepting risk?

I believe in the idea that there's a right answer and a best answer.

As security professionals, we really want to just go with the right answer, but it’s not always the best answer. I can think of a few times where selecting “the right answer” caused different issues for the business. So, we lost all the work that could have happened.

But when we choose the best answer, which was co-authoring the answer with other business leaders, we create ownership together. Then we can move things forward.

As leaders, we're great at delivering results most of the time. But we get so focused on the what: What's next? What are the outcomes? What are the metrics? And we forget the how, which is like, Did we bring people along? Did we communicate well? Did we learn from this? Did we celebrate people, give recognition?

Sometimes, yes, you must step back and do a quick read — if something's off and we are not operating well as a team, are we all on the same page? If we're not, that's okay; first we have to debate it. And then we've all got to support [the decisions] and move forward.


In the cases when you didn’t do that, what happened?

Stakeholder management, that’s where issues can come up. We pushed out something that impacts the whole organization, and we didn't communicate it. You're moving fast, you don't slow down, you make a change without communicating.

So my team hears this from me all the time: What's the communication plan for that? It can be just a half page: On the 23rd we're going to communicate to these people, on the 24th it's going to all employees, on the 25th we're going to flip the switch, on the 26th we're going to have office hours so that people can show up and ask questions if they're concerned. You have to do it, and it works every time when you do.

Sometimes you have to move fast, and you slip up. But then you’ve got to repair relationships and take accountability.

I tell my engineers to understand how we move forward after feeling their feelings. What I want is accountability to say, how do we not do that again? I don't mind when we make mistakes, but if we make the same ones over and over, we're missing something or not spending that time to reflect and repair.

If I didn't reach out to the right people, now we have someone that feels excluded. Sharing more information is always good, always good. This whole notion that you hear sometimes of ‘less is more’ in internal communication – I don't agree with it.

I actually think that oversharing, being transparent about what's going on and what's not working, speaks to a highly engaged culture.

But when you can't reach agreement, is CEO intervention necessary? Or is that a road to mutually assured destruction, in relationships with other business leaders?

I have been lucky to have very few escalations to the top. What I do find is when things wind up going to the CEO, that means everybody in that room missed the mark. It should never have to get to that. It means we didn't have healthy tension.

Two expressions resonate with me.

First is, “Say the elephant in the room.” As a leader, it can go a long way. Because everybody's thinking it. So the more you can get it out there – and you don't need to be mean or petty – if you say, “Is anybody else feeling this way?” someone will say “Yeah, I am,” and someone else will say “See, I don't agree because of this or that.” Now we've opened the discussion.

The second is, “Get into some good trouble.” Like when something's not right, and you have power or privilege in a business, say something. Even if you weren’t directly involved. “Hey, I understand this happened. Is there anything we can do to make it right?”

Sometimes we can't make that specific situation right, but we can sow seeds for the years to come.

Even if it’s uncomfortable, sometimes we have to get in good trouble.
