The 7 Factors of CISO Impact

How does your information security team measure up?

Upload: andrew-sanders

Post on 07-Aug-2015


Page 1: The 7 Factors of CISO Impact

The 7 Factors of CISO Impact

How does your information security team measure up?

Page 2: The 7 Factors of CISO Impact

Gain Command of the Facts

To build impact your team needs command of the facts: which information assets matter and how safe are they? To get those facts, build a robust information security risk profile that assesses the state of the critical assets you promised to safeguard. Make it dynamic to embrace new assets, vulnerabilities, and technologies. Make the profile relevant with data from real company experiences.

Page 3: The 7 Factors of CISO Impact

Get Business Leaders to Understand They Own Risk

Business units own the customer, the data, and the related business risks. Information security is essentially just another business risk. The CISO and team must engage with business leaders to shift how they think and operate, putting information security in the role of guiding the business to manage and mitigate those risks.

Page 4: The 7 Factors of CISO Impact

Every day your company deploys new software, commits to new vendors, launches new product initiatives, and considers mergers and acquisitions. Where does information security figure in? CISOs and their teams must get involved early to make a difference. Focus on embedding the right criteria and considerations into the processes that matter.

Page 5: The 7 Factors of CISO Impact

Run InfoSec Like a Business

Develop strong project, financial, and resource management practices. Gain credibility and earn the right to expanded budgets and resources with budgets that speak to business impact, highly productive teams, and predictable and transparent project management.

Page 6: The 7 Factors of CISO Impact

Build a Technically Sound, Business-Capable Team

CISOs can’t be everywhere at once. You need a team that has technical cred, the ability to hold business-level conversations, and the interpersonal skills to handle challenging interactions. You need to find and retain strong players for at least 3 to 5 years to have the impact you seek.

Page 7: The 7 Factors of CISO Impact

Articulate and Communicate the Value

Why would business leaders help you succeed? If they know ‘what’s in it for them’: if by helping information security they get closer to meeting their own goals. How would they know what’s in it for them? You tell them. The CISO and team must articulate and communicate the value they bring to the business.

Page 8: The 7 Factors of CISO Impact

Organize for Success

While it can be a sensitive topic, CISOs must consider how reporting relationships raise or lower their impact. Do they report to a risk function, at least dotted line? Do business unit personnel report to the corporate CISO? Where and when CISOs have the opportunity to set the table for maximum impact, they must make the case.

Page 9: The 7 Factors of CISO Impact

Achieving Impact

Take the CISO Impact Diagnostic and find out how you measure up, and how you can improve.