Key Steps to Ensuring CISO Effectiveness

Key Steps to Ensuring CISO Effectiveness
Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 1 January 2020

In the classic movie “The Wizard of Oz,” protagonist Dorothy Gale leaves Kansas and enters a new world, the land of Oz. While Oz is unfamiliar and unlike anything Dorothy has encountered before, she is able to navigate fairly well because she has a roadmap – the Yellow Brick Road. CISOs are not as fortunate as Dorothy. For CISOs, the expectations may be clear (from operational oversight to organizational politics to managing talent), but a roadmap to being effective in meeting those expectations is notably absent.

Given the timeliness of the topic of CISO effectiveness, the Security Leaders’ Summit at the 2019 Infosecurity ISACA North America Expo and Conference delved into recommendations that may help CISOs navigate challenges they may experience along their career paths. In his presentation, "CISO Leadership: Navigating Cybersecurity Leadership Challenges," Todd Fitzgerald with CISO Spotlight, LLC shared tactical as well as strategic approaches that may help CISOs create a roadmap to effectiveness. Tactically, Fitzgerald recommends that CISOs:

  • Focus on where data is and how to protect it
  • Help the enterprise gain competitive advantage by using technology such as AI, machine learning and cybersecurity analytics.

Strategically, Fitzgerald shared that if an enterprise has the philosophy that cybersecurity is everyone’s responsibility, all departments should map their roles to cybersecurity. In return, CISOs can ask what they can do to help departments ensure cyber health for the enterprise. As CISOs partner across their enterprises to gain competitive advantage through technology, Prasant Vadlamudi, director, technology GRC, Adobe, advised CISOs to remain cognizant of stakeholders’ expectations regarding use of emerging technology, particularly when taxpayer funds are involved.

Continuing with the strategic approaches that CISOs may use to navigate a roadmap to effectiveness, in his presentation, “CISOs in the Boardroom,” Vivek Shivananda, president, CyberSecurity Solutions, Galvanize, offered the recommendation that CISOs remain mindful of the board’s concerns: business interruption, reputational damage and breach of customer information. He continued to share that two different dashboards can be useful for CISOs: an internal dashboard that is more technically focused and a second dashboard that is more focused on business impact. In looking at metrics, Shivananda recommended that CISOs acknowledge and address the challenges of identifying what metrics to focus on, deciding how to address the data needs of many stakeholders, and reconciling when data exists from multiple sources.

In looking at the challenges CISOs face as enterprises gauge the CISO’s effectiveness, data was a recurring topic covered during the summit. Recommendations for CISOs on how to address these data-related challenges included knowing where data is located in order to best protect the data, and leveraging the data as the basis of dashboards that meet internal needs as well as board expectations. Beyond data, strategic recommendations covered at the summit included positioning cybersecurity as everyone’s responsibility and remaining mindful of the board’s concerns. These recommendations are not the visible Yellow Brick Road that Dorothy Gale had to guide her journey in the Land of Oz, but they do provide a roadmap that CISOs can use to navigate a path to effectiveness.