My Performance Review the CISO

How to write a performance management plan for my CISO?

The end of the year is approaching, and it is that time of year when your CISO gets evaluated. As this is an article for CSO magazine, you will have to decide for yourself whether it is one you share with your boss.

This is always a conversation that you approach with a degree of confidence but also with a sense of uncertainty. How your boss rates your efforts over the last year may be aligned with your own thinking, but this is the only time you find out.

For me, a performance review plan is a combination of “Hard Things and Soft Things”. There are the “hard”, tangible deliverables, which include team-based outcomes, plus the “softer” aspects, which include how the CISO has driven a positive culture within the enterprise.

Hard Things

1. Accountable for Information Security Portfolio

The CIO is tasked primarily with delivering timely projects, increasing efficiency and (above all) reducing costs. Some CIOs like to take short cuts, and perhaps take on more risk than is prudent. The CISO can influence the CIO and help him realise that security wants to help him reach his objectives as quickly as possible, while also maintaining management's preferred risk profile.

In this regard, you are accountable for the whole portfolio of efforts to improve the risk position of the enterprise. Achieving the deliverables while looking for synergies across these projects is the key.

What you need to do is convince your boss that you have been a professional CISO who is prepared to take information security risk management judgements on the basis of in-depth business and technology knowledge. Indeed, you are managing business risks as an overall portfolio.

2. Responsibility for Enterprise Information Security

It is likely that, despite whatever efforts you have made, there have been incidents and perhaps breaches. The CISO owns all the problems that come with the position.

You have to actively manage staff, external resources, culture and performance. Importantly, you are held responsible for security incidents and all the fun challenges that arise. Invariably, as the CISO you will have been involved in responding to a major security incident, and then in developing strategies and plans to minimise the risk of that type of incident happening again.

How you have managed external bodies is critical, and your diligence in closing external or internal audit issues relating to information security will be examined.

As the person ultimately responsible, you will also be judged on how comprehensively the Enterprise Information Security Strategy has been articulated and how well the Board has bought into it. The key question will be whether this has taken the enterprise beyond mere compliance to establishing a security risk profile that is appropriate and aligned with the risk appetite of senior stakeholders.

3. Managing Information Security Budget

There are two parts. The first is the simpler aspect of meeting budget, despite all the challenges and unplanned crises that occur. A greater degree of difficulty lies in the CISO needing to be the advocate for the security strategy and to secure funding from the CFO and all stakeholders in the C-Suite, audit committee etc. Gaining funds is never an easy task when there is only a negative ‘stick’ argument. As the CISO you will need to have an "elevator pitch" ready and tailored for each stakeholder, usually with a small, select number of detailed funding proposals for each financial year.

Soft Things

In this regard, your behaviour as a leader and how you operate in the broader context are what your boss will be looking to evaluate. Most critical is that at all times your integrity and ethics are unquestionable.

4. Managing Trust and Reputation

You are in the business of trust and reputation. This means that within the enterprise you are seen and heard in that context. Furthermore, you operate in the external domain, networking with others to further the cause of Information Security.

Having visibility and a good reputation within the information security community also means that you are a thought leader who understands the latest trends and threats. Your boss wants a leader who has good self-awareness, not a recluse.

5. Crisis (Noise) Management

While major visible security incidents don't happen that often, you will have a key role in managing them during and after the event. Such incidents can cause major disruption, brand damage and financial loss, and likely all of the above.

Your role will be to ensure that there is good crisis communication to both internal and external parties. This is not an easy position, and often the standby statements will just not be sufficient.

6. Strategic Partnering

During the year it is likely that you are making key strategic corporate purchasing and partnering decisions. As the strength of your own security is greatly affected by these decisions, you should be demonstrating how they enhance the risk profile, while also showing that you are removing legacy solutions.

As the CISO, you will have made these decisions using a good transparent process and your friends in Procurement will be singing your praises.

Summary for the Year 2015

Now that wasn’t too hard was it? Good luck with your conversations.

It would be interesting to hear from you how many of these Hard and Soft measurements are actually in your Performance Review.

Tags: performance management, security management, enterprise information security, CISO, David Gee, CISO Leaders