The 7 Factors of CISO Impact
1. The 7 Factors of CISO Impact
How does your information security team measure up?
2. Gain Command of the Facts
To build impact your team needs command of the facts: Which information assets matter and how safe are they? To get those facts, build a robust information security risk profile that assesses the state of the critical assets you promised to safeguard. Make it dynamic to embrace new assets, vulnerabilities, and technologies. Make the profile relevant with data from real company experiences.
3. Get Business Leaders to Understand They Own Risk
Business units own the customer, the data, and the related business risks. Information security is essentially just another business risk. The CISO and team must engage with business leaders to shift how they think and operate, putting information security in the role of guiding the business to manage and mitigate those risks.
4. Every day your company deploys new software, commits to new vendors, launches new product initiatives, and considers mergers and acquisitions. Where does information security figure in? CISOs and their teams must get involved early to make a difference. Focus on embedding the right criteria and considerations into the processes that matter.
5. Run InfoSec Like a Business
Develop strong project, financial, and resource management practices. Gain credibility and earn the right to expanded budgets and resources with budgets that speak to business impact, highly productive teams, and predictable and transparent project management.
6. Build a Technically Sound, Business-Capable Team
CISOs can’t be everywhere at once. You need a team that has technical cred, the ability to hold business-level conversations, and the interpersonal skills to handle challenging interactions. You need to find and retain strong players for at least 3 to 5 years to have the impact you seek.
7. Articulate and Communicate the Value
Why would business leaders help you succeed? They will if they know ‘what’s in it for them’: if by helping information security they get closer to meeting their own goals. How would they know what’s in it for them? You tell them. The CISO and team must articulate and communicate the value they bring to the business.
8. Organize for Success
While it can be a sensitive topic, CISOs must consider how reporting relationships raise or lower their impact. Do they report to a risk function, at least dotted line? Do business unit personnel report to the corporate CISO? Where and when CISOs have the opportunity to set the table for maximum impact, they must make the case.
9. Achieving Impact
Take the CISO Impact Diagnostic and find out how you measure up, and how you can improve.