Your Relationships Are a Risk Control (And You Can Prove It)
A State CISO applies FAIR risk quantification to relationship-building, proving that connection capital with agency heads is a measurable risk-reduction lever.
Jason Walker
State CISO, Florida
Picture this: a ransomware variant hits one of your 35 agencies on a Friday afternoon. Your Cyber Security Operations Center picks it up. You have indicators of compromise ready to distribute within the hour. The question that determines how bad the weekend gets is not technical. It is this: do your agency IT directors actually answer when you call?
That question used to feel like a soft leadership problem. It is not. It is a quantifiable risk exposure, and most CISOs are leaving it unmodeled.
What Everyone Gets Wrong
The security industry has spent decades treating relationship-building as a career development skill. You network so you get promoted. You build rapport so meetings go smoother. That framing is not wrong, but it is dangerously incomplete.
When you manage cybersecurity across 35 state agencies with 202,000 devices and no direct authority over most of the humans running them, your relationships are not a professional courtesy. They are a control. And like every other control, their absence has a cost you can calculate.
The mistake most enterprise security leaders make is treating "stakeholder engagement" as something you do after the risk program is built. Connection capital gets listed under leadership development, not the risk register. That separation is the problem.
The FAIR Model Hiding in Plain Sight
FAIR (Factor Analysis of Information Risk) gives us a clean decomposition of risk into two primary variables: Loss Event Frequency and Loss Magnitude. Most practitioners spend their energy on the magnitude side, estimating breach costs, regulatory fines, recovery expenses. That work matters. But frequency is where relationship capital lives, and it is chronically undermodeled.
Loss Event Frequency in FAIR breaks down further into two components: Threat Event Frequency (how often a threat actor acts against you) and Vulnerability (the probability that an action results in a loss). Vulnerability is where your agency relationships either carry weight or cost you.
Here is the specific mechanism: your primary defense against lateral spread across agencies is timely threat intelligence sharing and coordinated control adoption. Both of those depend entirely on whether agency IT directors trust your office enough to act on what you send them.
Low connection capital between your CISO office and an agency head degrades two things simultaneously. First, it slows threat intel uptake. If an agency director views your office as a compliance burden rather than a partner, your IOC distributions become emails they forward to a shared inbox. Response latency increases. The window for lateral movement widens. Second, it reduces control adoption rates. Every new configuration standard, every new endpoint policy you push enterprise-wide lands differently depending on whether the agency CIO helped shape it or received it as a mandate from strangers.
You can assign probability ranges to both of those effects. If an agency with a strong relationship to my office receives a threat advisory, historical data from our incident response tracking shows they act within hours. Agencies where the relationship is transactional take days, sometimes longer. That delta in response time is a direct input into your Vulnerability estimate in FAIR.
What the Numbers Actually Show
Managing cybersecurity at the state enterprise level, I track control implementation rates across agencies. The pattern is consistent. Agencies where my team has invested in regular touchpoints, joint exercises, and direct working relationships with IT leadership implement new controls at higher rates and faster timelines than agencies where our interaction is limited to compliance reporting cycles.
I am not talking about small differences. The gap between a highly engaged agency and a low-engagement agency on a given control implementation can run 40-60 percentage points in the first 90 days after rollout. That is not a people skills story. That is a control effectiveness story.
Now run that through a FAIR model. If your enterprise control adoption rate is artificially suppressed by poor relationship capital across a subset of agencies, your actual Vulnerability is higher than your risk models reflect. You are understating your Loss Event Frequency. Every risk report you send to leadership is optimistic in a way that has nothing to do with your technical controls and everything to do with whether your phone calls get returned.
The Investment Calculus
Here is where this gets actionable. If relationship capital is a risk control, then investing in it competes directly with other control investments on the same ledger. Not on a separate leadership development budget. On the risk reduction ledger.
The time I spend at an agency doing a joint tabletop exercise is not a soft skill activity. It is a control investment with an expected value. I can model the reduction in Vulnerability that comes from moving an agency from "transactional" to "trusted partner" status and compare that expected value against, say, deploying an additional security tool to that same agency.
In many cases, the relationship investment wins. A tool an agency deploys poorly because they do not trust the guidance behind it does less risk reduction than a tool an agency deploys thoroughly because they have a working relationship with the team asking them to deploy it.
What You Should Do Differently
Stop tracking relationship health in your leadership journal and start tracking it in your risk register.
Build a simple taxonomy for agency relationship status: transactional, developing, trusted partner. Assign each agency a current state. Then model the Vulnerability delta between your current distribution and a world where every agency is at trusted partner status. That delta represents the risk reduction opportunity sitting in your calendar, not your technology budget.
Use that model to justify relationship investment with specifics. When you go to your State CIO and say you need resources for agency engagement, you are no longer asking for soft leadership support. You are presenting a risk reduction opportunity with a quantified expected value.
Then do the actual work. Get in the room with agency IT leadership before there is a crisis. Run joint exercises. Ask what security controls are getting in their way and actually fix the ones you can. When an agency reaches out with a problem, respond fast and solve it. Every one of those interactions moves the needle on connection capital, and that movement has a direct, calculable effect on how your next incident plays out.
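As an added illustration, here is a small Python sketch of the FAIR decomposition described above (Loss Event Frequency = Threat Event Frequency x Vulnerability, with Vulnerability driven by advisory uptake latency and control adoption) and of the "current distribution versus all trusted partner" delta the taxonomy step calls for. This is example code, not the author's model or data: the three-state taxonomy is the article's, but the adoption rates, latencies, threat event frequencies, loss magnitudes, control effectiveness, the lateral-movement window, the four fictional agencies and the way the two effects are combined (two independent gates) are all constructed assumptions. Substitute the figures from your own incident response tracking.

```python
from dataclasses import dataclass
from typing import Optional

# Relationship taxonomy from the article. The adoption rate (share of a new
# control implemented within 90 days) and advisory response latency attached to
# each state are constructed assumptions, not measured data.
STATUS_PARAMS = {
    "transactional":   {"adoption": 0.35, "latency_hours": 72.0},
    "developing":      {"adoption": 0.60, "latency_hours": 24.0},
    "trusted partner": {"adoption": 0.90, "latency_hours": 4.0},
}

CONTROL_EFFECTIVENESS = 0.70   # assumed: share of threat events a fully adopted control stops
BASELINE_VULN = 0.50           # assumed: P(loss | event neither stopped nor contained in time)
LATERAL_WINDOW_HOURS = 48.0    # assumed: hours before an uncontained intrusion spreads laterally


@dataclass
class Agency:
    name: str
    status: str
    tef: float             # Threat Event Frequency: threat events per year (assumed)
    loss_magnitude: float  # expected loss per loss event, USD (assumed)


def vulnerability(status: str, extra_control_effectiveness: float = 0.0) -> float:
    """FAIR Vulnerability: P(a threat event becomes a loss event).

    Two gates, both driven by relationship status (modelling assumption):
    - control gate: the event is stopped only if the control is adopted and works;
    - containment gate: the event spreads if advisory uptake is slower than the
      lateral-movement window.
    An optional extra tool also only delivers at the agency's adoption rate.
    """
    p = STATUS_PARAMS[status]
    not_stopped = 1.0 - p["adoption"] * CONTROL_EFFECTIVENESS
    not_stopped *= 1.0 - p["adoption"] * extra_control_effectiveness
    uncontained = min(p["latency_hours"] / LATERAL_WINDOW_HOURS, 1.0)
    return BASELINE_VULN * not_stopped * uncontained


def annualized_loss(agency: Agency, status: Optional[str] = None,
                    extra_control_effectiveness: float = 0.0) -> float:
    """Loss Event Frequency (TEF x Vulnerability) times Loss Magnitude."""
    vuln = vulnerability(status or agency.status, extra_control_effectiveness)
    return agency.tef * vuln * agency.loss_magnitude


def portfolio_exposure(agencies, override_status: Optional[str] = None) -> float:
    """Total annualized loss exposure, optionally with every agency forced to one status."""
    return sum(annualized_loss(a, override_status) for a in agencies)


def relationship_delta(agencies) -> float:
    """Risk reduction available by moving every agency to trusted partner status."""
    return portfolio_exposure(agencies) - portfolio_exposure(agencies, "trusted partner")


def compare_investments(agency: Agency, tool_effectiveness: float = 0.5) -> dict:
    """Expected loss reduction from a relationship investment versus an extra tool
    deployed at the agency's current adoption rate (tool effectiveness assumed)."""
    current = annualized_loss(agency)
    return {
        "relationship": current - annualized_loss(agency, "trusted partner"),
        "tool": current - annualized_loss(agency, extra_control_effectiveness=tool_effectiveness),
    }


# Constructed sample portfolio: four fictional agencies.
AGENCIES = [
    Agency("Agency A", "transactional", tef=2.0, loss_magnitude=500_000),
    Agency("Agency B", "developing", tef=1.5, loss_magnitude=300_000),
    Agency("Agency C", "trusted partner", tef=3.0, loss_magnitude=800_000),
    Agency("Agency D", "transactional", tef=1.0, loss_magnitude=200_000),
]

if __name__ == "__main__":
    for a in AGENCIES:
        print(f"{a.name:9s} {a.status:16s} vuln={vulnerability(a.status):.4f} "
              f"ALE=${annualized_loss(a):,.0f}")
    print(f"current exposure:    ${portfolio_exposure(AGENCIES):,.0f}")
    print(f"all trusted partner: ${portfolio_exposure(AGENCIES, 'trusted partner'):,.0f}")
    print(f"relationship delta:  ${relationship_delta(AGENCIES):,.0f}")
    print("Agency A, tool vs relationship:", compare_investments(AGENCIES[0]))
```

The point of the structure, rather than the particular numbers, is that relationship status enters the model as an input to Vulnerability, so the delta it produces sits on the same risk reduction ledger as a tool purchase and can be compared with one directly (`compare_investments`). With these assumed inputs the relationship investment at the transactional agency outperforms the extra tool by a wide margin, because the tool is discounted by the same low adoption rate that the relationship problem causes.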
Your relationships are not a career asset. They are a risk control. Model them that way, invest in them that way, and your program will outperform any stack of tools you deploy to agencies who do not trust you.