CISO as Super-Facilitator: Elevating Board and C-Suite Security Leadership

How do CISOs elevate board and executive security leadership instead of just reporting to them? Apply the 'super-facilitator' approach to transform your leadership team from audience into collaborators who drive organizational security strategy.

In Harvard Business Review's September 2025 article "Every Team Needs a Super-Facilitator," Stanford psychologist Jamil Zaki introduces a compelling concept through the lens of NBA star Chris Paul. Paul's remarkable career is defined not by individual scoring records but by what's become known as the "Chris Paul effect" – four times he's joined a new team, and each time that team posted its best record ever within two years. No other NBA player has had that kind of impact.

Zaki calls Paul a "super-facilitator" – someone who integrates diverse expertise, promotes equitable contributions, and cultivates trust to generate collective intelligence. He's not just a star player, says Zaki; he's a star-maker.

For CISOs, this framing illuminates a valuable but often misunderstood (or ignored!) opportunity to elevate the security leadership capabilities of senior executives and board members. The job isn't really to dazzle the board with your technical expertise, but to transform them into sophisticated security decision-makers.

Reframing the C-Suite and Board as Your Team

Most CISOs think of executives and board members as our audience, our approvers, our budget gatekeepers. We prepare for board meetings as if we're presenting to external stakeholders, simplifying and translating, hoping they'll understand enough to say yes.

But what if we reframed this relationship entirely? What if the senior leadership team isn't your audience – they're your team? This reframe follows the same communications principle we've discussed before, asking "what could go right" instead of "what could go wrong," opening up possibilities that deficit-based thinking obscures.

According to Zaki, Chris Paul doesn't treat his teammates as people he performs for. He treats them as collaborators whose performance he's responsible for elevating. When Paul joins a team, he's not thinking "how do I impress these players?" He's thinking, "How do I make these players better?"

The super-facilitator CISO asks the same question about executives and board members: How do I make this leadership team better at security governance? Not simply better at understanding my security program, but genuinely better at leading security strategy for the organization.

The Star Player CISO vs. The Star-Maker CISO

The distinction matters enormously in executive-level communications because how we communicate doesn’t just reflect our identity; it creates it. We’ve discussed this before in our post about Constitutive Theory.

The star player CISO communicates to demonstrate competence:

  • "Our threat landscape looks like this."
  • "We're addressing it this way."
  • "These metrics show we're doing well (or not)."
  • "We need this to continue succeeding."

This CISO is the expert, and everyone else is the non-expert. The implicit message: "Trust me, I've got this."

The star-maker CISO communicates to develop capability:

  • "This threat landscape connects directly to each of your strategic priorities."
  • "You're uniquely positioned to influence these outcomes."
  • "Your governance decisions shaped our current security posture."
  • "We need your specific expertise to make better security trade-offs."

This CISO is the facilitator, and everyone else is a contributor. The implicit message: "We've got this – together."

The difference isn't rhetorical. In practice, one approach isolates security as a specialist function, while the other integrates security into strategic leadership. I think this is what many people envision when they talk about “shared responsibility,” but then they continue communicating in the opposite direction. 

Attunement: Understanding What Executives Really Need

In his article, Zaki identifies attunement (using perception and empathy to understand what the team needs) as the first super-facilitator capability. For CISOs, this means recognizing that executives and board members don't need simpler security explanations. They need security framed in terms of the complex decisions they're already making.

The CFO doesn't need cyber risk explained in kindergarten terms. They need to understand it within the same framework they use for financial, market, and operational risk. They need to see how security investments complement and protect other capital allocation decisions.

The CEO doesn't need lectures about phishing, but they do need insight into how security (or its absence) affects customer trust, competitive positioning, and deal velocity.

Board members don't need the acronyms for certification explained. What they need is to understand how security governance connects to their fiduciary duties, strategic oversight, and risk committee responsibilities.

Attunement in the context of a CISO means investing time in understanding:

  • What keeps each executive up at night (and it's not vulnerability management – it's quarterly targets, competitive threats, talent retention, etc.)?
  • How does each board member think about their governance role?
  • What questions do they wish they knew how to ask about security?
  • Where do they feel most uncertain or vulnerable in security discussions?
  • What would make them feel genuinely confident in security oversight, not just reassured?

This requires humility. You might be the security expert, but they're the experts in business strategy, financial stewardship, market dynamics, and governance. Attunement means recognizing that your job isn't to make them security experts, but to help them apply their current expertise to security decisions.

Communication: Making Board Members Security Leaders

Super-facilitators, Zaki explains, mentor others and express genuine belief in their colleagues' capabilities. This is a radical (& exciting!) reframe for CISO-board relationships.

Most CISOs would never describe their interactions with board members as mentoring them. That likely sounds presumptuous to most people, but it’s exactly what super-facilitation requires – believing that executives and board members can develop genuine security leadership capability and helping them do it. This doesn't mean teaching board members about industry frameworks. It means:

  • Developing their security judgment: When presenting a security investment decision, don't just recommend an answer. Walk them through your decision framework. "Here's how I weighed the residual risk against the operational impact. What factors am I underweighting from your perspective?"
  • Building their security intuition: Share how you think about security trade-offs, not just your conclusions. "My instinct here was to prioritize detection over prevention because of our cloud architecture. Does that intuition align with the business direction you're seeing?"
  • Strengthening their security dialogue: Provide them with language and frameworks that empower them to engage more effectively. Not security jargon – I mean actual strategic vocabulary. "You might think of our security posture as having three horizons: immediate operational resilience, medium-term capability building, and long-term architecture transformation."
  • Expressing belief in their capability: When board members ask sharp questions, call it out: "That question gets at exactly the tension we're managing." When they challenge your thinking, embrace it: "That's the perspective I was missing – you're right that the customer trust implications change the calculus."

The message you're sending is: "You belong in this conversation. Your judgment matters here. You can lead security oversight, not just receive security reports."

Over time, this transforms board dynamics. Security stops being the mysterious technical briefing that everyone tolerates. It becomes a strategic dialogue that executives and board members actively drive.

The Courage to Facilitate, Not Just Perform

This approach requires courage. It's vulnerable to treat your board as your team rather than your evaluators. It's risky to shift from demonstrating competence to developing it in others. What if they don't rise to it? What if you look less impressive when you're not the only one talking?

But consider what Chris Paul risks every time he passes to a teammate in a crucial moment. He's trusting them to make the shot when he could take it himself. He's creating space for them to be the hero when he could be. This is the bet super-facilitators make — that the collective capability they build will outperform individual heroics, meaning that a team of security-literate executives makes better decisions than one brilliant CISO. The evidence supports this bet. Paul's teams consistently overperform. Organizations with security-sophisticated boards and executive teams consistently outperform in both security outcomes and business results.

The traditional CISO success narrative is about personal mastery, i.e., the expert who keeps the organization secure through superior technical knowledge, vigilant monitoring, and heroic incident response. The super-facilitator CISO success narrative is about leadership multiplication: a facilitator who elevates executive and board security capability so that strategic decisions, governance oversight, and organizational culture become the security program.

Communication becomes a superpower: not for persuading executives to approve your security program, but for developing their capacity to lead organizational security strategy, which ultimately gives you a lot more influence over the outcomes.

Executives and board members should leave security conversations feeling more capable, more confident, and with more ownership of security results. That's super-facilitator work.

This is your team. Make them better at the game.