In the high-stakes world of information security, technical prowess is often prioritized over soft skills. However, for Shivani Arni, CISO at TransUnion CIBIL (India), the “secret sauce” to building a resilient security program is Emotional Intelligence (EI). With over 18 years of experience spanning security operations, consulting, and auditing, Shivani argues that EI is not just a leadership trait but a fundamental requirement for managing the impulsive and often volatile nature of cybersecurity.
Our conversation with Shivani on the Scale To Zero podcast explored how self-awareness, empathy, and social skills can transform a security leader’s effectiveness — from managing crisis situations to fostering innovation within their teams.
You can read the complete transcript of the epiosde here >
What is Emotional Intelligence (EI)?
Shivani defines Emotional Intelligence as the ability to understand and manage one’s own emotions while recognizing the emotional state of those around you. In a professional context, it involves five core parameters:
- Self-Awareness: The ability to identify your own emotions and understand if they are becoming a strength or a weakness.
- Self-Regulation: Handling impulsive situations in a healthy way and maintaining self-discipline.
- Self-Motivation: Cultivating the drive to achieve goals from within, rather than relying solely on external praise or feedback.
- Empathy: Moving beyond mere sympathy to truly understand a colleague’s perspective and feelings while maintaining an internal balance.
- Social Skills: The ability to network, build meaningful relationships, and continuously learn from others.
These five pillars form the foundation of effective security leadership, enabling CISOs to navigate the complex interpersonal dynamics that come with protecting an organization.
Why EI Matters for the “Red Chair”
Shivani describes the role of a security leader as sitting in a “red chair” that could blow up at any time due to a security incident or an unwanted surprise. When a breach occurs, leaders are often tempted to make impulsive decisions out of panic.
High EI allows a CISO to remain calm, process the situation objectively, and manage complex relationships with IT, business, risk, and compliance teams. By understanding the diverse perspectives and emotions of stakeholders during a crisis, a leader can find a balanced path forward. This composure is critical during incident response scenarios where clear-headed decision-making can mean the difference between containment and catastrophe.
Building Psychological Safety and Innovation
A strong security culture is built on psychological safety, where team members feel comfortable reporting mistakes and sharing learnings without fear of retribution. Shivani advocates for a leadership style that rejects micromanagement and provides space for the team to work. This philosophy aligns closely with the principles of building a resilient security culture through trust and empowerment.
Encouraging Calculated Risks
Leaders should encourage their teams — especially younger professionals — to explore new ideas and take risks. This freedom is the catalyst for innovation. When failures occur, the leader must demonstrate they “have the team’s back.” Without risk-taking, there is no innovation, and without innovation, security programs stagnate in the face of evolving threats.
The Power of Leader Vulnerability
Vulnerability is a critical component of safety. When a leader is honest about their own genuine mistakes or admits that a proposed solution might not be the right fit, it empowers the team to have the courage to speak up. This open conversation prevents the repetition of errors and strengthens the overall security posture — a principle that resonates with the human-centered approach to security that treats people as assets rather than liabilities.
Fostering a Security-Centric Culture
Transitioning an organization from a “fault-finding” mindset to a security-centric one requires a shift in how recommendations are delivered. Recommendations should be framed around how they help achieve business goals — such as clearing a certification — rather than simply pointing out failures.
- Security Help Desk: Shivani views herself as an “Information Security Help Desk,” an approachable resource where employees can walk up and ask how to handle sensitive client RFPs or internal policies.
- Engagement with Developers: By integrating security scans and reporting directly into the CI/CD pipeline, security becomes a transparent part of the change management process.
- Celebrating Small Successes: Recognizing “Security Champions” in public motivates others and demonstrates that the security team values collaborative efforts. This mirrors the approach of scaling security champions programs that turn compliance into culture.
Scaling Through Third-Party Risk Management (TPRM)
As organizations outsource more functions, Third-Party Risk Management becomes a baseline requirement for businesses of all sizes. Shivani structures this into three distinct phases:
1. Pre-Onboarding
Moving beyond simple questionnaires to conduct deep-dive audits of network diagrams, data environment segregation (dedicated vs. shared servers), and access control policies. This thorough vetting process ensures that vendors meet security standards before they gain access to sensitive data.
2. Post-Onboarding
Implementing technical controls such as IP whitelisting, certificate generation for API integrations, and Web Application Firewalls (WAF). These controls create a hardened boundary between your organization and its vendors.
3. Governance and Monitoring
Establishing continuous visibility into the vendor’s health. Legal clauses alone are insufficient; leaders should use external monitoring portals (like BitSight or RiskRecon) to receive real-time alerts if a vendor’s security score drops or if they appear in breach news.
For a deeper dive into vendor assessment frameworks, see our free vendor risk assessment template.
The Tiering Strategy
To manage hundreds of vendors efficiently, Shivani recommends bucketing vendors into tiers (1–5) based on criticality. This allows the security team to prioritize Tier 1 vendors for frequent audits and deep monitoring, while providing more leeway for less critical Tier 5 providers. This tiered approach is a practical framework that any organization can adopt regardless of size.
Conclusion: Setting Priorities in a Cloud-First World
When asked to rate modern security practices, Shivani identifies Access Control as the absolute top priority for any organization, noting that in a remote, cloud-first world, identity is the new perimeter. This perspective aligns with the broader industry shift toward Zero Trust security models where every access request is verified regardless of origin.
For leaders looking to further their own emotional intelligence and leadership skills, Shivani recommends the following resources:
Learning Resources Recommended by Shivani Arni
-
Information Security Media Group (ISMG)
ISMG offers news, views, research, and education on the top industry, security, regulatory, and technology challenges worldwide.
-
Comprehensive Leadership Programs by Harvard Business School
Fast-track your leadership growth — and your career — through a transformative learning experience focused on broad business management and leadership.
Comprehensive Leadership Programs >
-
Podcast: “Women at Work” on Spotify
A podcast exploring the challenges and triumphs of women in professional environments, offering practical advice for navigating workplace dynamics.
People Also Read
- What is Identity and Access Management?
- What is Third Party Risk Management?
- Emotional Intelligence - CISO(s) POV
- How to Respond to a Data or Security Breach?
- Building A Resilient Security Culture With Mauricio Duarte
- Demystifying Identity Access Management (IAM Security)
- The Human Firewall: Designing for Behavior in Modern Security
- Navigating Third-Party Risk Across Business Realms
