Managing Across: Finding Your Internal Influencers

Joanna McDaniel Burkey
February 10, 2026

Security programs don’t succeed because they are technically correct. They succeed because people across the organization choose to support them.

When we think about the CISO’s most important stakeholders within the enterprise, a few roles always come to mind first: CEO, CFO, and Chair of the Audit Committee, just for starters. And, yes, it is critical for the CISO to “manage up” to the people in these roles. At the same time, every CISO spends a large portion of their time managing down throughout their organization.

Where does “managing across” fit into the equation? Most cybersecurity outcomes depend on teams the CISO does not control directly — engineering, product, sales, operations, IT, and increasingly, the business itself. In that environment, influence becomes a form of risk management.  We’ve all seen technically strong mandates and policies fail because they lacked the buy-in of the broader enterprise.

Security succeeds at the speed of trust. And trust is built long before a crisis arrives.  This trust can be the difference maker when, for example, quick and unpopular controls have to be rolled out to stop the bleeding after a serious incident.

This first article in our series focuses on a foundational skill for modern CISOs: identifying the internal influencers who shape execution, surface early signals, and help navigate complexity — often without formal authority.

Why Internal Influencers Matter

Internal influencers are strategic assets. They directly affect whether security strategy translates into reality.

These individuals are often the ones shaping how work gets done at an operational level. They can surface friction points before they become incidents, flag emerging risks and workarounds early, and provide candid feedback that never reaches formal forums.

For CISOs, relationships with these stakeholders create political capital — not in the pejorative sense, but as a practical reserve of credibility and goodwill that can be drawn upon when tradeoffs arise.

Just as importantly, influencers expand a CISO’s situational awareness. They are frequently the first to see controls that impede work, vendors that are problematic, or processes that are routinely bypassed in everyday work. When CISOs identify and then invest in these relationships, they gain signal instead of surprises, and foresight instead of firefighting.

Followship Over Hierarchy

A natural but misleading belief is that influence follows title.  It is incredibly tempting to use an org chart to dictate which people and which positions must, by definition, be the most significant.

In practice, titles generally indicate decision rights, but followship reveals real influence. Followship shows up in subtle ways but can be identified by looking for the people whose opinion is always sought, whose concerns get repeated even when they aren’t in the room, and whose approval functions as an unofficial gate to progress.

In many organizations, the people who can slow you down the most don’t sit in leadership meetings. They sit inside teams, shaping norms and momentum.  To uncover the names and faces in any given company that have real followship, CISOs must become familiar with how work flows — not just how it’s documented.

As mentioned above, most executives, including CISOs, can easily list their obvious stakeholders: CIO, CTO, CFO, General Counsel, CEO, and the Board.

But some of the most impactful relationships are less visible, and require extra work to uncover.  Internal influencers are not always readily apparent, but they might be:

  • The senior engineer everyone sanity-checks decisions with
  • The product manager who owns translating the customer wishlist into reality
  • The architect whose skepticism can sink a project before it starts
  • The executive assistant or chief of staff who controls cadence, access, and timing

These individuals act as force multipliers. They detect political landmines early, understand where resistance may emerge, and often know what won’t work before leadership hears about it.  

For CISOs, ignoring these stakeholders doesn’t just limit influence — it creates blind spots.

How to Identify Internal Influencers

Finding these stakeholders doesn’t require a formal mapping exercise. It requires intentional focus and a lot of active listening.  Once a CISO knows what to look for, the following signals are roadmaps to key influencers:

  • Who gets looped in late and still changes outcomes
  • Whose opinions are cited secondhand (“They’re concerned about…”)
  • Who surfaces problems before they become urgent
  • Who others defer to in moments of uncertainty

Simple questions can help bring names to light, such as “Who else should I talk to about this?” or “Who usually weighs in when this comes up?”

Influencers tend to appear repeatedly once you start looking. And one trusted relationship almost always leads to several more.

Internal influencers often serve as early-warning systems for organizational politics. CISOs who build trust with these stakeholders gain the ability to navigate complexity without triggering resistance. They learn when to push, when to pause, and when to reframe.

Influence Is a Security Capability

Internal influencers are not “nice-to-have” relationships. They are part of the security control plane. A CISO who understands how influence works inside the organization gains earlier visibility into risk, faster cybersecurity program execution, and fewer surprises in the course of daily business.

The CISO who has the trust of the force multipliers in any enterprise has a head start that no amount of technical argument can provide. In Part 2 of this series, we’ll explore how CISOs can build and sustain these relationships without creating stakeholder fatigue or burning themselves out.

Joanna McDaniel Burkey is a corporate board director and technology executive with extensive experience in cybersecurity leadership.