What defines success for the modern CISO
Bill Bonney
Cybersecurity Evangelist and Co-Author: CISO Desk Reference Guide (1 & 2)
This is the second article of five on the changing role of the modern CISO. I have the honor of working with Mr. Matt Stamper and Mr. Gary Hayslip on this project; Gary published the first article in the series.
In the previous article in this series discussing the new role for the CISO, Gary Hayslip talks about how the CISO’s role is evolving and that helping the enterprise become “operationally resilient” is a significant new responsibility for the modern CISO. He also mentions working with a group of strategic business partners, and building human networks and cross-organizational relationships. In this article we’re going to discuss how to define success for the modern CISO.
It is common for CISOs to measure controls and coverage, along with the change in maturity and breadth of coverage over time. A typical approach might be to measure the enterprise's adoption and performance of the SANS Critical 20. Many organizations also measure themselves according to compliance outcomes: successful audits, the types and severity of findings, and the change in the number of findings over time. Dashboards showing how quickly the security team and its partners address vulnerabilities, how fast critical technologies are being deployed, the percentage of coverage for endpoint protection, and the maturity of access controls, for example, are important measures of preventative controls.
Given the CISO's new mandate to help the enterprise achieve operational resilience, we might now also apply within the CISO organization the way we traditionally measure successful business continuity plans, namely by securing true executive sponsorship. This implies tone at the top, strategic input and responsibility at the board or executive committee level, sufficient funding, and appropriate focus on the most critical business functions. These objectives help in preventing or limiting the scope of breaches and in recovering from the significant breaches that still might occur. If the CISO is a key partner to the CIO, the GMs, the functional SVPs, line-of-business colleagues, and the CEO, he or she will have a voice in setting direction, will be able to identify and articulate the risk that comes with the various strategies the enterprise might adopt, and will have a keen sense of the assets most critical to the business. The successful, modern CISO has a seat at the table with executive leadership within the enterprise. The executive team recognizes that the CISO brings a perspective on risk management that is required for organizational governance, and that without this insight the organization may face risk that could be existential.
In addition to enabling or enhancing operational resilience, the modern CISO is often the executive with the most experience in assessing and articulating business risk. Developing business acumen will help the CISO identify the most pertinent risks and articulate those risks in a way the executive team can best consume and act upon. How effectively the CISO articulates these risks and how readily the enterprise incorporates that input into strategic planning will be key measures of the ultimate success of the CISO. This business acumen will also help the modern CISO effectively marry their security vision with the strategic vision of the enterprise.
The modern CISO still needs to be a subject matter expert to help the CIO and CTO set technical direction for the enterprise, deal with the ever-expanding compliance and regulatory environment, and rapidly assess the impact of adopting new technologies or delivery platforms such as cloud computing, mobile and BYOD. However, the modern CISO will also need to be able to build a highly effective human network. This human network will need to include the internal security team, cross-functional teams within the organization, and a sufficiently extensive external network of peers, subject matter experts, law enforcement, vendors and partners. The successful modern CISO will have regular contact with effective leaders internal and external to the organization who will help him or her understand the internal landscape, identify new threat vectors as they become relevant, and rapidly implement contingency plans as needed to overcome outages.
The final measure of success is the strategic focus of the CISO. Recognizing the high percentage of successful attacks that start by compromising the legitimate credentials of employees, the primary focus over the near future for the successful CISO should be on empowering the enterprise. Once they have assured themselves that they have the control coverage and technology footprint required, that their business processes are well documented, and that operational resiliency and risk management are recognized as important value-add contributions to the enterprise, successful CISOs will be improving employee education and enhancing their communications and collaboration capabilities so that they can drive systemic change in the enterprise.
Actions you can take to be more successful: automate where possible so you can spend more time innovating, invest more of your budget on reducing future risks, align your initiatives to the enterprise's strategic priorities, build your human network, improve your education and communications capabilities, and use data and analytics to identify ways to improve.
Risk and Compliance specialist serving as a trusted advisor to business units and assisting colleagues make informed decisions to manage risk and compliance at Canada Life
3 years ago: This is a great article. Thank you so much for your insight!
I save companies from evil cyber villains | Bridging humanity and technology | The hype person YOU need in your life | High ENERGY speaker!!!
9 years ago: Terrific article - must read for any aspiring security leader
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
9 years ago: Thanks Bill. I appreciate your thoughtful response. I also agree that this is an important set of questions you are answering.
Chief Information Security Officer (CISO) / Co-Author: CISO Desk Reference Guide (1 & 2) / Co-Author: Data Privacy Program Guide
9 years ago: Bill, solid contribution and I think calling out the role of the board is critical. As you note, tone at the top is a critical ingredient to security.
Proven Senior Vice President Information Technology | Helping Companies Translate Their Business Goals to Reality
9 years ago: Informative and helpful advice.