Deepening Your Defenses

Why CISOs must lead with emotional intelligence to maximize cybersecurity outcomes.

Four people stand in an office, engaged in conversation while holding coffee mugs. There are plants and a clock in the background.

Share this article

Chief information security officers (CISOs) and other cybersecurity leaders looking to strengthen their organizations’ defenses should add emotional intelligence, or EQ, to their skillsets.

Emotionally intelligent leaders display qualities that contribute to a people-first environment in which team members can thrive and operate at peak efficiency. Some of the most important of these qualities are covered under the EPIC leadership program from AWS.

Icon of two people in a circle beside the word "Empathy" with a large letter "E" in the background.

Icon of a target with an arrow next to the word "Purpose" on a large, light blue letter "P" in the background.

EPIC calls for leaders to prioritize:

Empathy. Recognize and value others’ thoughts and feelings, understand their hopes and challenges and treat everyone with respect.
Purpose. Grasp the reasons for their own actions, focus on benefiting customers, the team and the larger vision.
Inspiration. Foster a positive environment, value team contributions, set ambitious standards and motivate all to achieve.
Connection. Understand employees’ core values and aspirations, be genuine and foster authenticity in the workplace.

“Security is not only a technical challenge, it’s also a human challenge,” says Rich Hua, Worldwide Head of EPIC Leadership, AWS Innovation and Transformation Programs.

“Humans need to report problems when they occur. Humans need to solve the problems. Teams must work together to come up with creative solutions in very ambiguous and complex environments. What’s needed from security leaders is very human skills to help them,” says Hua.

“Security is not only a technical challenge, it’s also a human challenge.”

Rich Hua,

Worldwide Head of EPIC Leadership, AWS Innovation and Transformation Programs

Executives who raise their emotional intelligence and EPIC-related skills can improve their own performance and that of their teams. One study showed that EQ in leaders is a better predictor of success than intelligence quotient (IQ) or past experience.¹ “CISOs need to recognize that this can be a superpower for themselves and their teams,” says Hart Rossman, Vice President, Global Services Security, AWS.

From theory to practice

Three colleagues collaborate at a desk, two seated and one standing, as they focus on a laptop screen. One person points at the screen, another holds a notebook, and a cup is on the table.

Developing skills and qualities around emotional intelligence is one thing, but they must also be put into practice. Sarah Currey, Organizational Excellence Leader, AWS Global Services Security, says, “The CISO needs to look within themselves first.” Stress can be contagious, and she recommends that before any meeting, a CISO should check in with themselves to make sure that they feel calm and in control. For moments when they don’t, Amazon teaches techniques like box breathing to calm the nervous system before any high-stress task.

Employees who feel understood and supported tend to have lower stress levels. Conversely, security pros who feel unseen or underappreciated may experience more stress. This can lead to poor decision-making and suboptimal outcomes.

“The CISO needs to look within themselves first.”

Sarah Currey,

Organizational excellence leader, AWS Global Services

“I’ve seen really smart people make really poor decisions,” says Hua. “It wasn’t because they lost IQ points, it’s because their emotions caused them to not think clearly.”

CISOs should work to create an environment where team members feel psychologically safe. One way that AWS does this is by practicing blame-free escalation. When an employee escalates a situation, they know that they or their colleagues will not get into trouble over it. In fact, the leader is encouraged to thank them for escalating.

“It helps to create empathy and de-escalate some of the emotions that are in the room, so the team can focus on mitigating the security event,” says Currey.

Diagram illustrating a cycle for positive reinforcement of escalations with icons for ideas, discussion, communication, feedback, and teamwork in a circular flow.

Flowchart showing steps to foster an equitable workplace: escalation, praise, acknowledgment, creating comfort for opinions, and discovering new issues.

Diagram of a reinforcement cycle: discovery, escalation, public praise, acknowledgment, equity, and comfort in voicing opinions, leading back to discovery.

A psychologically safe culture also encourages individuals to bring new approaches to the table, knowing that their ideas will be welcomed with respect and gratitude. “It creates an environment where there’s more innovation,” says Hua.

This is critical in today’s security environment, where new approaches are needed to deal with increasingly sophisticated threats.

“A threat actor’s behavior requires you to take risks on new solutions to emerging situations,” says Rossman. “Teams that foster psychological safety excel at innovation and outpacing adversaries.”

Protecting the talent

A woman smiling and arranging colorful sticky notes on a glass wall, collaborating with a colleague.

Emotionally intelligent leaders endeavor to know their team members as human beings whose moods and motivations can vary over time. It’s about more than just seeking to understand an individual’s perspective, it’s about actively asking questions to gain insights into what they are thinking and feeling.

“Are your security teams disengaged, more withdrawn or even overwhelmed by pressure? From there, CISOs can move into the social competence of asking more clarifying questions to remove challenges faster,” says Currey. “We’re all human. We have challenges inside and outside of work, and you really need to lean into that empathy.”

Building a culture in which cybersecurity workers feel seen and safe can help organizations attract and retain talent, which is critical given the shortage of security talent.

One reason for the worker shortage is burnout. According to one study, nearly half of cybersecurity leaders are expected to change jobs by 2025, with burnout listed among the leading causes.² In a second study, 79 percent of workers surveyed agreed that empathetic leadership decreases turnover, with 85 percent saying it boosts productivity and 90 percent saying that it leads to higher job satisfaction. Despite this, only 13 percent of cybersecurity professionals cited empathy as a valued skill.³ This suggests that leaders with a high EQ who display EPIC traits are extremely valuable to an organization.

“When a leader has a high emotional intelligence, there’s a lower incidence of burnout,” says Hua. “You have employees who are more engaged, more inspired and you retain them for longer.”

Equipping security workers with up-to-date tools and automating manual, mundane tasks through artificial intelligence can also help reduce burnout, as can establishing practices centered on fairness — such as equitable on-call schedules.

To build empathy across teams, AWS’s security leaders routinely collaborate with their executive-level peers. In its EPIC workshops, AWS holds simulations where these leaders seek to align on goals with, say, a chief financial officer by learning more about the CFO’s goals and challenges.

“When a leader has a high emotional intelligence, there’s a lower incidence of burnout.”

Rich Hua,

Worldwide Head of EPIC Leadership, AWS Innovation and Transformation Programs

“Empathy and perspective-seeking are big parts of being able to have more influence on others,” says Hua.

AWS security leaders are also encouraged to let customers and team members (or co-workers) know that their input matters. Leaders will often follow up a request or suggestion with a phrase like, “unless you know better.” That, says Rossman, “gives the recipient a license to say, ‘Hey, I actually do have a better way.’”

This can kickstart a virtuous cycle of innovation. “It starts with that messaging and then feeds back into the mechanisms, the teams, the technology that we build,” says Rossman.

AWS’s cybersecurity organization also conducts incident response simulations so teams can plan their actions in a calm environment away from the heat of the moment.

“That’s a great time to model emotionally intelligent leadership,” says Rossman. “When you have an actual escalating security issue, you’ve practiced as a leader and had your team practice as participants how to get more from themselves through emotional intelligence.”

AWS extends its internal learnings on EQ and EPIC to client engagements. As part of its consulting business, AWS helps its customers establish security leadership and practices that are grounded in safety, empathy and trust. “We’re sharing a repeatable mental model that security leaders can leverage,” says Hua.

Align security with stakeholder goals

Two women are conversing in an office, one gesturing with her hands and the other smiling.

In security, success often comes down to communication. One study found that 58 percent of CISOs have difficulty communicating technical language in a way senior leadership can understand, which can result in time and money being wasted.⁴

“I often see where CISOs discuss patching rates and CVEs in their board presentations,” says Rossman. “It can fall flat when the board is focused on higher-level objectives like cost optimization and doesn’t understand how these technical details relate to their goals.”

“If you want to be perpetually successful in delivering high-quality security outcomes for your organization, you have to invest in being an emotionally intelligent leader.”

Hart Rossman,

Vice president, Global Services Security, AWS

Security leaders can decrease friction by using EQ techniques such as perspective-seeking to better understand the needs of the business and its stakeholders. CISOs with high EQ actively try to understand the challenges and goals shared by senior leadership.

“One tactic we teach is called the Mission of Discovery,” says Hua, “This is where we provide ‘super-connector questions’ in a roleplay exercise so security leaders can practice asking stakeholders about their goals, values and challenges — allowing them to shift into different perspectives.”

Such tactics make technical security concepts easier for leadership to understand. The key is to translate security initiatives into language that resonates with business leaders. Currey suggests that “If a security leader is speaking to a finance partner, they could highlight how their security automation saved money through reducing developer hours — leading to a more aligned, influenced conversation.”

Implementing these strategies requires effort but can yield significant returns. “Emotionally intelligent leadership, particularly in a crucible environment like security, is a learned skill and often it is the difference between success and failure,” says Rossman. “It’s no longer a ‘nice to have.’ If you want to be perpetually successful in delivering high-quality security outcomes for your organization, you have to invest in being an emotionally intelligent leader.”