Hire or Develop a World-Class CISO

Find a strategic and security-focused champion for your business.

  • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
  • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
  • Current CISOs need to scope out areas of future development.

Our Advice

Critical Insight

The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Impact and Result

  • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
  • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
  • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

Hire or Develop a World-Class CISO Research & Tools

1. Hire or Develop a World-Class CISO Deck – A step-by-step guide on finding or developing the CISO that best fits your organization.

Use this blueprint to hire or develop a world-class Chief Information Security Officer (CISO) with the competencies that suit your specific organizational needs. Once you have identified the right candidate, create a plan to develop your CISO.

2. CISO Core Competency Evaluation Tool – Determine which competencies your organization needs and which competencies your CISO needs to work on.

This tool will help you determine which competencies are a priority for your organizational needs and which competencies your CISO needs to develop.

3. CISO Stakeholder Power Map Template – Visualize stakeholder and CISO relationships.

Use this template to identify stakeholders who are key to your security initiatives and to understand your relationships with them.

4. CISO Stakeholder Management Strategy Template – Develop a strategy to improve stakeholder and CISO relationships.

Create a strategy to cultivate your stakeholder relationships and manage each relationship in the most effective way.

5. CISO Development Plan Template – Develop a plan to support a world-class CISO.

This tool will help you create and implement a plan to remediate competency gaps.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 8.0/10
Average $ Saved: $649
Average Days Saved: 1

Client: The Middlefield Banking Company
Experience: Guided Implementation
Impact: 8/10
$ Saved: N/A
Days Saved: 1
Comment: “Good to have an external SME perspective.”


Hire or Develop a World-Class CISO

Find a strategic and security-focused champion for your business.

Analyst Perspective

Create a plan to become the security leader of tomorrow

The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulse of both the business and its security processes at the same time. The modern, strategic CISO must be a master of all trades.

A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

Cameron Smith
Research Lead, Security & Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

  • CEOs/CXOs are looking to hire or develop a senior security leader and aren’t sure where to start.
  • Conversely, security practitioners are looking to upgrade their skill set and are equally stuck in terms of what an appropriate starting point is.
  • Organizations are looking to optimize their security plans and move from a tactical position to a more strategic one.

Common Obstacles

  • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
  • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
  • You are a current CISO and need to scope out your areas of future development.

Info-Tech’s Approach

  • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
  • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
  • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

Info-Tech Insight
The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Your challenge

This Info-Tech blueprint will help you hire and develop a strategic CISO

  • Security without strategy is a hacker’s paradise.
  • The outdated model of information security is tactical, where security acts as a watchdog and responds.
  • The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

Around one in five organizations don’t have an individual with the sole responsibility for security.1

1 Navisite

Info-Tech Insight
Assigning security responsibilities to departments other than security can lead to conflicts of interest.

Common obstacles

It can be difficult to find the right CISO for your organization

  • The smaller the organization, the less likely it will have a CISO or equivalent position.
  • Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
  • It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

Source: Navisite

Only 36% of small businesses have a CISO (or equivalent position).

48% of mid-sized businesses have a CISO.

90% of large organizations have a CISO.

Source: Navisite

Strategic versus tactical

CISOs should provide leadership based on a strategic vision.1

Strategic CISO
  • Proactive
  • Focus is on protecting hyperdistributed business processes and data
  • Elastic, flexible, and nimble
  • Engaged in business design decisions
  • Speaks the language of the audience (e.g. business, financial, technical)

Tactical CISO
  • Reactive
  • Focus is on protecting current state
  • Perimeter and IT-centric approach
  • Communicates with technical jargon

1 Journal of Computer Science and Information Technology

Info-Tech has identified three key behaviors of the world-class CISO

To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

Align

Aligning security enablement with business requirements

Enable

Enabling a culture of risk management

Manage

Managing talent and change

Info-Tech Insight
Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

Info-Tech’s approach

  • Understand what your organization needs in a CISO: Consider the core competencies of a CISO.
  • Assess: Assess candidates' core competencies and the CISO's stakeholder relationships.
  • Plan improvements: Identify resources to close competency gaps and an approach to improve stakeholder relationships.
  • Executive development: Decide next steps to support your CISO moving forward and regularly reassess to measure progress.

Info-Tech’s methodology to Develop or Hire a World-Class CISO

Phase 1: Launch

Phase steps:
  1. Understand the core competencies
  2. Measure security and business satisfaction and alignment

Phase outcomes. At the end of this phase, you will have:
  • Determined the current gaps in satisfaction and business alignment for your IT security program.
  • Identified the desired qualities in a security leader, specific to your current organizational needs.

Phase 2: Assess

Phase steps:
  1. Assess stakeholder relationships
  2. Assess core competencies

Phase outcomes. At the end of this phase, you will have:
  • Used the core competencies to help identify the ideal candidate.
  • Identified areas for development in your new or existing CISO.
  • Determined stakeholder relationships to cultivate.

Phase 3: Plan

Phase steps:
  1. Identify resources to address your CISO’s competency gaps
  2. Plan an approach to improve stakeholder relationships

Phase outcomes. At the end of this phase, you will have:
  • Created a high-level plan to address any deficiencies.
  • Improved stakeholder relations.

Phase 4: Execute

Phase steps:
  1. Decide next actions and support your CISO moving forward
  2. Regularly reassess to measure development and progress

Phase outcomes. At the end of this phase, you will have:
  • Created an action-based development plan, including relevant metrics, due dates, and identified stakeholders. This plan is the beginning, not the end. Continually reassessing your organizational needs and revisiting this blueprint’s method will ensure ongoing development.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

CISO Core Competency Evaluation Tool

Assess the competency levels of a current or prospective CISO and identify areas for improvement.

Stakeholder Power Map Template

Visualize the importance of various stakeholders and their concerns.

Stakeholder Management Strategy Template

Document a plan to manage stakeholders and track actions.

Key deliverable:

CISO Development Plan Template

The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

Strategic competencies will benefit the organization and the CISO

Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

Organizational Benefits
  • Increased alignment between security and business objectives
  • Development of information security that is elastic, nimble, and flexible for the business
  • Reduction in wasted efforts and resources, and improvement in efficiency of security and the organization as a whole
  • True synergy between security and business stakeholders, where the goals of both groups are being met

Individual Benefits
  • Increased opportunity as you become a trusted partner within your organization
  • Improved relationships with peers and stakeholders
  • Less resistance and more support for security initiatives
  • More involvement and a stronger role for security at all levels of the organization

Measured value of a world-class CISO

Organizations with a CISO saw an average of $145,000 less in data breach costs.1

However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

Organizations invest a median of around $375,000 annually in their CISO.2 The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

Tangible cost savings from having a world-class CISO
  • Cost savings from incident reduction.
  • Cost savings achieved through optimizing information security investments, resulting in savings from previously misdiagnosed issues.
  • Cost savings from ensuring that dollars spent on security initiatives support business strategy.

Intangible cost savings from having a world-class CISO
  • More opportunities to create new business processes through greater alignment between security and business.
  • Improved reputation and brand equity achieved through a proper evaluation of the organization’s security posture.
  • Continuous improvement achieved through a good security assessment and measurement strategy.
  • Ability to plan for the future since less security time will be spent firefighting and more time will be spent engaged with key stakeholders.

1 IBM Security
2 Heidrick & Struggles International, Inc.

Case Study

In the middle of difficulty lies opportunity

SOURCE
Kyle Kennedy
CISO, CyberSN.com

Challenge
The security program identified vulnerabilities at the database layer that needed to be addressed.

The decision was made to move to a new vendor. There were multiple options, but the best option in the CISO’s opinion was a substantially more expensive service that provided more robust protection and more control features.

The CISO faced the challenge of convincing the board to make a financial investment in his IT security initiative to implement this new software.

Solution
The CISO knew he needed to express this challenge (and his solution!) in a way that was meaningful for the executive stakeholders.

He identified that the business has $100 million in revenue that would move through this data stream. This new software would help to ensure the security of all these transactions, which they would lose in the event of a breach.

Furthermore, the CISO identified new business plans in the planning stage that could be protected under this initiative.

Results
The CISO was able to gain support for and implement the new database platform, which was able to protect current assets more securely than before. Also, the CISO allowed new revenue streams to be created securely.

This approach is the opposite of the cautionary tales that make news headlines, where new revenue streams are created before systems are put in place to secure them.

This proactive approach is the core of the world-class CISO.

Info-Tech offers various levels of support to best suit your needs

Guided Implementation

What does a typical GI on this topic look like?

Launch
  • Call #1: Review and discuss CISO core competencies.
  • Call #2: Discuss Security Business Satisfaction and Alignment diagnostic results.

Assess
  • Call #3: Discuss the CISO Stakeholder Power Map Template and the importance of relationships.
  • Call #4: Discuss the CISO Core Competency Evaluation Tool.

Plan
  • Call #5: Discuss results of the CISO Core Competency Evaluation and identify resources to close gaps.
  • Call #6: Review organizational structure and key stakeholder relationships.

Execute
  • Call #7: Discuss and create your CISO development plan and track your development.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 10 calls over the course of 3 to 6 months.

Phase 1

Launch

Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment

Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies

Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships

Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress

This phase will walk you through the following activities:

  • Review and understand the core competencies of a world-class CISO.
  • Launch your diagnostic survey.
  • Evaluate current business satisfaction with IT security.
  • Determine the competencies that are valuable to your IT security program’s needs.

Hire or Develop a World-Class CISO

Case study

Mark Lester
InfoSec Manager, SC Ports Authority

An organization hires a new Information Security Manager into a static and well-established IT department.

Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

Challenges
  • The Security Manager is an outsider in a company with well-established habits and protocols. He is tasked with revamping the security strategy to create unified threat management.
  • Initial proposals for information security improvements are rejected by executives. It is a challenge to implement changes or gain support for new initiatives.

Next Steps
  • The Security Manager will engage with individuals in the organization to learn about the culture and what is important to them.
  • He will assess existing misalignments in the business so that he can target problems causing real pains to individuals.

Follow this case study throughout the deck to see this organization’s results

Step 1.1

Understand the Core Competencies of a World-Class CISO

Activities

Review core competencies the security leader must develop to become a strategic business partner

This step involves the following participants:

  • CEO or other executive seeking to hire/develop a CISO

or

  • Current CISO seeking to upgrade capabilities

Outcomes of this step
Analysis and understanding of the eight strategic CISO competencies required to become a business partner

Launch

Core competencies

Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

Business Acumen
A CISO must focus primarily on the needs of the business.

Leadership
A CISO must be a security leader and not simply a practitioner.

Communication
A CISO must have executive communication skills.

Technical Knowledge
A CISO must have a broad technical understanding.

Innovative Problem Solving
A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.”

Vendor Management
Vendor and financial management skills are critical to becoming a strategic CISO.

Change Management
A CISO improves security processes by being an agent of change for the organization.

Collaboration
A CISO must be able to use alliances and partnerships strategically.

1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

< 1 hour

Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

Business Acumen

A CISO must focus primarily on the needs of the business and how the business works, then determine how to align IT security initiatives to support business initiatives. This includes:

  • Contributing to business growth with an understanding of the industry, core functions, products, services, customers, and competitors.
  • Understanding the business’ strategic direction and allowing it to securely capitalize on opportunities.
  • Understanding the key drivers of business performance and the use of sound business practice.

Leadership

A CISO must be a security leader, and not simply a practitioner. This requires:

  • Developing a holistic view of security, risk, and compliance for the organization.
  • Fostering a culture of risk management.
  • Choosing a strong team. Having innovative and reliable employees who do quality work is a critical component of an effective department.
    • This aspect involves identifying talent, engaging your staff, and managing their time and abilities.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Authors

Ahmad Jowhar

Cameron Smith

Bob Wilson

Contributors

  • Mark Lester, Information Security Manager, South Carolina State Ports Authority
  • Kyle Kennedy, CISO, CyberSN.com
  • James Miller, Information Security Director, Xavier University
  • Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
  • Andrew Maroun, Enterprise Security Lead, State of California
  • Brian Bobo, VP Enterprise Security, Schneider National
  • Candy Alexander, GRC Security Consultant, Towerall Inc.
  • Chad Fulgham, Chairman, PerCredo
  • Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
  • Diane Kelly, Information Security Manager, Colorado State Judicial Branch
  • Jeffrey Gardiner, CISO, Western University
  • Joey LaCour, VP & Chief Security, Colonial Savings
  • Karla Thomas, Director IT Global Security, Tower Automotive
  • Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
  • Lisa Davis, CEO, Vicinage
  • Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
  • Peter Clay, CISO, Qlik
  • Robert Banniza, Senior Director IT Center Security, AMSURG
  • Tim Tyndall, Systems Architect, Oregon State