For months, you worked on a comprehensive policy for clean desk practices. The document was polished, the board approved it, and the draft was discussed with the executive team. Two weeks later, you hear through informal conversations that the financial director had already told several colleagues he thought it was “overblown bureaucracy.” Formal decision making had not even started yet, but the outcome had essentially already been decided.
Policies rarely convince people. People convince people
As a security officer, you focus on frameworks, risk analyses, and scenario planning. And rightly so. Structure and methodology are the backbone of the profession. However, the effectiveness of information security is ultimately determined by the daily choices employees make. Those choices are directly influenced by what their managers, colleagues, or executives have said about you and your work. Therefore, do not think of influence as a byproduct of good policy. It is an integral part of the profession. And that influence often begins at the coffee machine.
“Informal conversations are not preparation for decision making. They are decision making, just without the meeting minutes.”.
How Informal Influence Works
Organizations are, first and foremost, social systems. Only after that are they procedural systems. Before a proposal reaches the boardroom, it has already gained momentum. Someone has already spoken positively or negatively about it in the hallway. A department head may have casually raised concerns during lunch. The CFO may have formed an opinion when your name came up in a discussion.
This may sound cynical, but the behavior described is simply human. People form opinions based on trust, relationships, and credibility, not solely on rational arguments. If you, as a security officer, are not actively participating in those relationships, someone else within the organization will fill that space. And that person may have different priorities than information security.
Common Patterns in Practice
- A security proposal is rejected by the executive team because the operations director had already expressed doubts to several colleagues.
- A new measure is enthusiastically embraced because the CISO had been informally explaining its business value for weeks.
- A security incident is resolved quickly because the security officer has built trusted relationships with key stakeholders.
- Funding for awareness initiatives disappears from the agenda because no executive sees a personal stake in the topic.
Informal stakeholder management may sound less tangible than the technical side of the profession. But consider this: how much time do you spend writing policy documents compared to having informal conversations with decision makers? In many organizations, the balance is heavily tilted toward the world of documents. That is understandable because documents feel productive. You can review them, version them, and measure them. A conversation at the coffee machine does not produce a tangible deliverable, yet it often has a greater impact.
Informal stakeholder management means consciously and deliberately investing in relationships outside formal governance structures. Not through manipulation, but through strategic communication. Understand the concerns of the operations manager. Know what keeps the CFO awake at night. Speak the language of the business. Ensure that your name becomes associated with solutions rather than obstacles.
How to do it
- Build relationships before you need support.
- Schedule regular informal conversations with key stakeholders.
- Understand business objectives and connect security initiatives to those goals.
- Explain security measures in terms of business impact rather than technical requirements.
- Listen more than you speak.
- Identify influencers within the organization, even if they are not part of formal leadership structures.
- Address concerns early, before proposals enter formal approval processes.
- Be visible, approachable, and consistent in your communication.
- Focus on trust and credibility over technical perfection.
In information security, success is rarely determined by the quality of a policy alone. It is determined by whether people trust the person presenting it. The coffee machine may not appear on an organizational chart, but it is often where the most important decisions begin. Want to know more about how we can help implementing ISO 27001? Schedule a no obligation introductory meeting and together we will explore how we can support you.
