Five Keys for CISO Success

I once had a meeting with my CFO to talk about security. As you might expect, my goal for the meeting was to start to get her buy-in on our security business case. Just a few minutes into the meeting she stopped me and said, “Frank, we get it. We know that cybersecurity is important.” I was beginning to feel that this meeting was going in the right direction. Then she said it. The dreaded “B” word.

She continued, “BUT, what we want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’”

These are the questions that Boards and C-level executives are asking of their security leaders. How can you get ready to effectively answer these questions?

1)  Choose a Framework

Select an industry-recognized framework that will help you frame the work of your security program. Using a framework like the NIST Cybersecurity Framework helps simplify the complex world of security in a way that can be more easily consumed by business leaders.

2)  Measure Your Maturity

It’s not enough to simply use a security framework. As you implement various controls, make sure to measure the maturity of your key security capabilities. That way you can show progress over time.

3)  Benchmark Against Industry Peers

In an ideal world you might be tempted to achieve the “best” security possible. The reality, though, as my CFO pointed out, is that the amount a business should invest is relative. As you improve your maturity, identify how you are doing in relation to your industry peers as a point of comparison.

4)  Set a Target

If you happen to be on the high end of the maturity spectrum, you may decide to compare yourself to another, more mature industry as a stretch goal. Even if you stay within your industry for comparison purposes, make sure to set a maturity goal for your security program.

5)  Measure Your Effectiveness

Even with a framework, maturity model, benchmark, and goal in place, there’s still one big question remaining: are you utilizing your limited resources effectively? As you deploy, maintain, and operate your security program, make sure you show that people, process, and technology are actually working as intended.

In Summary

Don't let the dreaded “B” word derail your efforts. Do these five things and you just might be able to head off any objections at the pass.

About Frank Kim: As a security executive, advisor, and educator I help you shape your strategy, master your message, and champion change to build business-driven security programs. For more, visit frankkim.net

Kouadjo B.

OT | ICS | Comptia S+ | GRC | IR | DR | BCP | TPRM | SARIC | Africa | Cyber Program

2 years

Great article. I was researching this topic and came across your SANS training on YouTube, which then took me to your page. Great content. My head was going in multiple directions on how to go about designing a risk-based cybersecurity program, and you nailed it.

Saif K.

Cybersecurity Consultant @ Nuformat Inc. | Managed Detection and Response | 24/7 MDR services | Helping your business reduce risk from cyber threats and attacks | vCISO for your business

3 years
Amine OTHMANI MARABOUT

System And Infrastructure Engineer at alBaraka Bank Algeria

7 years
Rob Newby

Head of Security Business Engagement | Security Strategy, Cybersecurity

7 years

Good stuff. This is very close to what CSF advises in its introduction; it also goes on to say to communicate amongst internal and external stakeholders about cybersecurity risk. However, it is very light on risk management and governance in general, which is a major concern as it is becoming the de facto standard amongst CISOs, without fully explaining the ramifications. Imagine the situation where you are talking an exec through your current security requirements using CSF as a template and they say, “Go ahead, make it happen. When will it be complete?” Only by understanding your priorities and who will own controls and risks, whether you are correctly resourced, etc. are you able to give a confident response. Proceed with caution and do not confuse CSF with a risk management, controls, or policy framework.
