The end of year is approaching and you that time of the year is around for you to evaluate your CISO. As this is an article for CSO magazine, this is probably an article that you have to decide for yourself is it one that you share with your boss.
This is always a conversation that you approach with a degree of confidence but also with a sense of uncertainty. What your boss rates you for your efforts over the last year may be aligned with your own thinking, but this is the only time that you find out.
For me, a performance review plan is a combination of “Hard Things and Soft Things”. These are “hard” tangible deliverables, which include team-based outcomes. Plus the “softer” aspects which includes how the CISO has driven a positive culture within the enterprise.
1. Accountable for Information Security Portfolio
The CISO is tasked primarily with delivering timely projects, increasing efficiency and (above all) reducing costs. Some CIOs like to take short cuts, and perhaps take on more risk than is prudent. The CISO can influence the CIO and help him realise that security wants to help him get to his objectives as quick as possible, while also maintaining management's preferred risk profile.
In this regards you are accountable for the whole portfolio, of delivering on efforts to improve the risk position of the enterprise. Being able to achieve, the deliverables while looking for synergies across these projects is the key.
What you need to do is to convince your boss that you have been a professional CISO is who is prepared to take information security risk management judgements on the basis of in-depth business and technology knowledge. Indeed you are managing business risks as a overall portfolio.
2. Responsibility for Enterprise Information Security
It is likely that despite whatever efforts you have made that there have been incidents and perhaps breaches. The CISO owns all the problems with the position.
You have to actively manage staff, external resources, culture and performance. Importantly, be held responsible for security incidents and all the fun challenges that arise. Invariably you the CISO would have been involved in responding to a major security incident, and then developing strategies and plans to minimise the risk of that type of incident from happening again.
How you have managed external bodies is critical and your diligence in closing external or internal audit issues relating to information security will be examined.
As the person ultimately responsible then you will also be judged as to how comphensive has the Enterprise Information Security Strategy been articulated and bought in by the Board. The key will be has this taken the enterprise beyond just compliance to establishing a security risk profile appropriate and aligned with the risk appetite of senior stakeholders.
3. Managing Information Security Budget
There are two parts, the first is the simpler aspect of meeting budget – despite all the challenges and unplanned crisis that occur. A greater degree of difficulty is that the CISO needs to be the advocate for the security strategy and get funding from the CFO and all stakeholders in the C-Suite, audit committee etc. This is never a easy task to gain funds, when there is only a negative ‘stick’ argument. As the CISO you will need to have an "elevator pitch" ready and tailored for each stakeholder, usually with a small select number of detailed funding proposals for each financial year.
In this regards your behaviour as a Leader and how you operate are in the broader context is what your boss will be looking to evaluate. Most critical is that at all times your integrity and ethics are unquestionable.
4. Managing Trust and Reputation
You are in the business of trust and reputation. This means that within the enterprise that you are seen and heard in that context, Furthermore that you are operating in the external domain in networking with others to further the cause of Information Security.
Having visibility and a good reputation within the information security community, also means that you are a thought leader who understands the latest trends and threats. Your boss wants a leader that has good self awareness and not a recluse.
5. Crisis (Noise) Management
While major visible security incidents don't happen that often, you will have a key role in managing these during and after the event. It is true that such incidents can cause major disruption, brand damage and financial loss, and likely all of the above.
Your role will be to ensure that there is good crisis communication to both internal and external parties. This is not an easy position and often the standby statements, will just not be sufficient.
6. Strategic Partnering
During the year it is likely that you are making key strategic corporate purchasing and partnering decisions. As the strength of your own security is greatly effected by these decisions then you should be demonstrating how this provides enhancement of the risk profile, while also showing that you are removing legacy solutions.
As the CISO, you will have made these decisions using a good transparent process and your friends in Procurement will be singing your praises.
Summary for the Year 2015
Now that wasn’t too hard was it? Good luck with your conversations.
It would be interesting to hear from you how many of these Hard and Soft measurements are actually in your Performance Review??