From Groundwork to Metrics
Derek Fisher
Cybersecurity Strategist | Author & Educator | Speaker & Advocate for the Next Gen of Cyber Pros
Previously I talked about starting a new role as a CISO and getting the groundwork laid to set the security program up for success. This starts with learning about the organization and understanding its culture, strategic roadmaps, operational dynamics, and industry. This also means learning about the current team as well as the possible openings you may have to expand and build the team. Lastly, finding a mentor or a strong network of folks you can lean on and learn from will set you up for success.
Now it’s time to begin to implement your program.
Digging Under the Hood
Maybe you’re sitting in that nice chair in your office thinking that you finally made it! You have a security program, and a team of people ready to face the challenges of the time. But what are those challenges? You’re new to the organization and role, and what you’ve seen in the past may not be what you will see in the present or future. It’s time to dig under the hood a bit.
The first thing to look at is whether the organization has a BC/DR (business continuity and disaster recovery) plan in place. Without this, the organization can be caught flat-footed in the event of an incident such as a natural disaster, cyberattack, or equipment failure. These plans provide organizations with a blueprint for maintaining operations during disruptions and recovering from incidents. This operational resilience ensures critical functions can continue even in the face of unexpected events.
This is all part of the primary mission of a well-defined cybersecurity program: ensuring the organization can operate after a risk has been realized. As the newly minted CISO, you must thoroughly review these plans and ensure that they support risk mitigation by proactively outlining the safeguards, and defining the people, process, and tools that will be used to reduce the likelihood or impact of potential disruptions. However, this goes beyond just a cursory review. You should not only agree with the plan, but tailor it to meet the needs of the cybersecurity program strategy. For instance, the BC/DR plan might call for the ability to monitor and/or block malicious traffic. You will need to ensure that the current capabilities of the cybersecurity program can meet this requirement, and if not, you will need to devise a plan that will provide the needed control within the program.
Just as crucial as understanding the organization’s ability to address and recover from events is understanding the organization's risk tolerance. The short story is that an organization’s risk tolerance reflects its willingness to accept certain levels of risk in alignment with its business objectives and operational realities. Determining this tolerance involves understanding the organization’s critical assets, the potential impact of threats, and the balance between protecting resources and achieving business goals. Put another way, it is the level of risk that the organization is willing to accept in pursuit of its goals.
This risk tolerance requires mapping of business-critical assets (whether they are data, systems, or physical infrastructure) and understanding their impact on the daily operations and overall business. By identifying these assets, you and your crack security team can prioritize where to focus your efforts and determine which risks may be acceptable based on the organization’s risk tolerance. For example, you might allocate significant resources to protect sensitive customer data, while accepting smaller risks associated with non-critical systems, balancing the cost of mitigation with the potential impact.
There are tools at your disposal to help you better understand how the security program addresses and works with the organization’s risk tolerance. Chief among them is the risk assessment, which is used to identify, analyze, and evaluate potential risks that could negatively impact an organization’s assets, operations, or objectives. You can then decide how to manage these risks within your program. You may decide to implement security controls, transfer risk through insurance, or assign an owner to accept the risk when mitigation costs outweigh the benefits.
Through this exercise, you now should understand the risk landscape of the organization and be able to tailor your security program accordingly. So now take a closer look at the parts that make up your overall program.
Program Evaluation
You should have already reviewed much of the documentation when you first came into the organization. Likely this would have been mostly organization documentation that is related to how the company does business and makes money. However, now is a great time to get intimate with the documentation that is specific to the security program.
You’ll want to dive into the policies, procedures, guidelines, and (similar in importance to the BC/DR plans) the incident response (IR) plan. This plan is a structured approach for handling and managing the aftermath of a security breach or cyberattack. The main goal of an IR plan is to manage the situation in a way that limits damage and reduces recovery time and costs. Most importantly, this should be well vetted and understood so that the first time you are looking at it is not during an incident.
As you’re peeling back the onion of the program, you should review your asset inventory. This provides a dashboard and insight into the various assets around the organization such as the hardware, software, and network assets. It should detail the configuration, the access control data, and vulnerabilities at the least. Some asset inventory tools may offer more bells and whistles, but the meat of what you will be looking for in your role is the standard information. You can’t protect what you don’t know you have.
With the asset inventory in hand, it’s time to check your security controls and determine whether they are sufficient to meet the risk in the organization. While it’s easy to focus on the technical controls like firewalls, intrusion detection and prevention, and endpoint security software, other controls play just as vital a role in securing the organization. Review the administrative controls such as the training and awareness program, and the physical controls such as the camera system, fire suppression, and physical barriers around the locations under the organization’s control. Your operational controls need to sufficiently gate the change process for IT systems and configurations. But it’s more than a paper exercise. Be sure to verify and validate that the controls are indeed in place and operating as expected. This can be done through reviewing metrics and KPIs, audits, as well as incident response drills and simulations. Or you can simply ask your team for feedback and observations.
Depending on the industry and even the location your organization is in, you will likely have to adhere to various compliance requirements. These can be related to the industry standards, regulations, and internal policies. And the inability to follow these compliance requirements can lead to severe penalties impacting the organization’s bottom line. You should have at least a high-level understanding of the compliance requirements impacting the organization prior to taking the role. In other words, if you are stepping into a role in healthcare, you will need to at least be familiar with HIPAA and HITECH as well as any state and local regulations. Once in the role, you will need to increase your knowledge in this space as regulations are changing all the time.
A true evaluation of your program (outside of a cybersecurity incident) is through assessments or audits. These activities will provide you with insight into how well your program is operating and put another set of eyes on what you have already reviewed. Formal audits from a third-party provider will give you a neutral observer's point of view on the health of your program as it is stated in the policies, procedures, and controls. An internal audit can provide similar information while balancing the knowledge that comes from an internal team against knowledge of the compliance and regulatory environment that the organization operates in. Lastly, getting someone to kick the tires a bit on your controls goes a long way. Penetration testing, threat hunting, and red teaming can give you a close-to-real-world example of how your controls are working.
Cozying Up
To be successful in a CISO role, it’s critical to have a good working relationship with the people you will be assuring that your program is properly managing the organization's risks. Your primary relationships will be with the C-Suite such as the CEO, CFO, CTO, and CIO. If you’re one of the few CISOs that report to the CEO, these relationships will be easier to build and maintain. Having this visibility at the highest level allows you to build the trust and relationships that will be needed when you are faced with a crisis, or even need simple routine help with ongoing projects.
While many of your interactions will be in a metrics-reporting capacity during executive meetings, there will be times when you will need to extend beyond simple reporting and engage directly with leadership to solve a problem. There are a few ways to accomplish the alignment you need to be successful. Schedule shadowing days to gain practical insights into daily operations, uncover hidden risks, and develop security strategies that are grounded in operational realities. This will demonstrate an understanding of the business beyond security and help build trust while reinforcing the value of your role.
Each executive will likely have different goals and ways of working with the security program. When engaging with the CEO, you want to understand their perception of the security function. Do they see it as a business enabler or a cost center? Are you addressing the gaps in reporting and communication to showcase how security supports the broader organizational goals? Highlight areas of concern, listen to their expectations, and illustrate how your program can drive business outcomes.
The CFO can be an ally of a different kind. They should share a focus on managing risks and protecting the bottom line, and you should be able to show how your program is meeting that goal. Your goal is to emphasize how cybersecurity investments mitigate potential financial and reputational damages and align these efforts with the CFO’s financial priorities. After all, they are the ones who will help you succeed in securing necessary budget approvals.
When collaborating with the CTO you’ll need to demonstrate how security measures can support the development and deployment of new technologies without slowing progress. Nothing will put the brakes on a security initiative quicker than more friction in the development process.
Lastly, as CISO, you’re likely to have a close relationship with the CIO. You may even find yourself reporting to the CIO directly, which is likely to help you align security goals with IT objectives, allowing you to champion initiatives that complement the CIO’s vision for technology and operations.
While the relationship with the executive leadership is important, the work will be done below that level. A good CISO will have relationships with department heads across IT, HR, Marketing, R&D, Product Management, Operations, Sales, and other key business areas. This will help the security program align with business needs. Regular interactions with this group can provide you with insights into each department's goals, challenges, and operations allowing you to design security initiatives that support the business. By understanding pain points and priorities early, your program can proactively address them and demonstrate the value of security measures while highlighting how security can be a business enabler, not a barrier.
Reporting Value
So, your program is humming along and you’re building those relationships. You’re even invited to some of the key strategy sessions with the executive leadership! While you may know that your program is effective, how do you prove that to the organization? Reporting metrics to the organization provides measurable insights into how the security program is reducing risk while meeting the needs of the business. Key Performance Indicators (KPIs), tailored to the security program, allow the organization to track progress over time, evaluate the effectiveness of initiatives, and make informed, data-driven decisions. For example, metrics such as the reduction in incident response time, compliance levels, and vulnerability remediation rates help you identify what is working, what needs improvement, and where adjustments should be made. This continuous evaluation ensures that you have what you need to evolve the security program to meet challenges and align with business goals.
Reporting metrics also serve to demonstrate the value of your security initiatives to stakeholders. Regular reporting not only highlights successes but also provides transparency into areas requiring additional resources or adjustments. This visibility will raise trust and allow you to align with executive and business leadership by showing how security efforts are supporting organizational objectives. Metrics enable you to justify budget requests, advocate for investments in critical security technologies, and ensure that security remains a strategic priority. Furthermore, aligning KPIs with the organization’s broader goals ensures that security is viewed as a business enabler, directly contributing to operational resilience, risk management, and long-term success.
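As an added example (not code from the article or its author), the following Python computes two of the KPIs named above, the vulnerability remediation rate against SLA and the time-to-remediate, from a constructed set of findings. The SLA targets per severity, the finding records, and the reporting date are all assumptions made up for illustration; a real program would pull these from its vulnerability management and ticketing systems.

```python
"""Vulnerability remediation KPIs over a constructed finding list.

Added example, not part of the original article. SLA_DAYS, FINDINGS and
REPORT_DATE are hypothetical values chosen for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation SLA in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed reporting date for the KPI snapshot.
REPORT_DATE = date(2024, 2, 15)


@dataclass
class Finding:
    ident: str
    severity: str
    opened: date
    closed: Optional[date]  # None while the finding is still open


# Constructed sample findings; identifiers and dates are made up.
FINDINGS = [
    Finding("VULN-1", "critical", date(2024, 1, 2), date(2024, 1, 6)),   # 4 days, in SLA
    Finding("VULN-2", "critical", date(2024, 1, 3), date(2024, 1, 20)),  # 17 days, breached
    Finding("VULN-3", "high", date(2024, 1, 5), date(2024, 1, 25)),      # 20 days, in SLA
    Finding("VULN-4", "high", date(2024, 1, 10), None),                  # open, past SLA
    Finding("VULN-5", "medium", date(2023, 11, 1), None),                # open, past SLA
    Finding("VULN-6", "low", date(2024, 1, 15), date(2024, 2, 1)),       # 17 days, in SLA
]


def days_open(finding: Finding, as_of: date) -> int:
    """Age of a finding in days, measured to its close date or to as_of."""
    end = finding.closed if finding.closed is not None else as_of
    return (end - finding.opened).days


def remediation_rate(findings, as_of: date) -> dict:
    """Share of findings per severity that were closed within SLA.

    Only findings that have had a chance to meet or miss the SLA are
    counted: closed findings, plus open findings whose SLA window has
    already lapsed. An open finding still inside its window is excluded
    so the rate is not dragged down by work that is not yet late.
    """
    rates = {}
    for severity, limit in SLA_DAYS.items():
        decided, met = 0, 0
        for f in findings:
            if f.severity != severity:
                continue
            age = days_open(f, as_of)
            if f.closed is not None:
                decided += 1
                if age <= limit:
                    met += 1
            elif age > limit:
                decided += 1  # still open and already overdue: a miss
        if decided:
            rates[severity] = round(met / decided, 2)
    return rates


def median_time_to_remediate(findings) -> float:
    """Median days from open to close across all closed findings."""
    durations = [days_open(f, f.closed) for f in findings if f.closed is not None]
    return median(durations) if durations else 0.0


def overdue_open(findings, as_of: date) -> list:
    """Identifiers of findings that are still open and past their SLA."""
    return [
        f.ident
        for f in findings
        if f.closed is None and days_open(f, as_of) > SLA_DAYS[f.severity]
    ]


def kpi_report(findings, as_of: date) -> dict:
    """Bundle the KPIs into one structure suitable for an executive summary."""
    return {
        "as_of": as_of.isoformat(),
        "remediation_rate_by_severity": remediation_rate(findings, as_of),
        "median_days_to_remediate": median_time_to_remediate(findings),
        "overdue_open": overdue_open(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in kpi_report(FINDINGS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Reported over several months, the per-severity rate and the overdue list show whether remediation is keeping pace with the SLA the program committed to, and the median time-to-remediate gives a single trend line that is easy to put in front of the CFO or CEO. The choice to exclude open findings still inside their SLA window is a design decision worth stating in the report so the numbers are not read as more favorable than they are.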
President @ R3 | Robust IT Infrastructures for Scaling Enterprises | Leading a $100M IT Revolution | Follow for Innovative IT Solutions
2 months
Beyond the tech, a lot of it depends on the company culture and training people to minimize risks. Thanks Derek Fisher!
Essential insights for aspiring CISOs. Great read!