The CISO role has evolved dramatically in recent years. Today, CISOs are integral executive team members, shaping strategy, translating tech issues for different stakeholders, and managing budgets. This requires more than just cybersecurity and technical knowledge — it calls for strong skills in budgeting, communication, and leadership.
Moreover, CISOs operate under vastly different conditions across organizations. In one company the CISO might personally be setting up a firewall, while in another they might lead a team of 100 or more people. Budgets, scope of responsibility, team sizes, and resources vary so widely that it is difficult to define a universal metric for evaluating a CISO's performance.
Daniel Lohrmann's 2018 article sparked an important conversation about how to assess CISOs in this broader role. Drawing on years of experience as a CISO and as a mentor for other security and risk leaders, I have slightly adapted Lohrmann's ideas. In this article, I walk through five key areas in which a CISO must earn trust, presented in order of priority.
Lohrmann’s CISO Grading Tool
In his article, Lohrmann proposed evaluating CISO effectiveness through relationships with five groups of stakeholders. These relationship areas reflect factors such as trust, respect, project results, communication skills, and overall competence in engaging with the various groups that CISOs generally interact with regularly. They also highlight a CISO’s ability to lead and inspire greatness in others.
- Internal Security Team: Relationships with your internal security team, including staff who report directly to you.
- Internal Organizational Peers: Relationships with business and technology professionals at a similar level across your organization. This includes internal customers you work with and protect.
- Management: Relationships with your boss(es) and other senior executives, including your boss’s peers and those at higher levels.
- Vendors: How effectively you work with security providers, including managing contracts, acquiring contract staff, engaging with technology providers, and assessing new technology acquisitions.
- External customers: Relationships with your organization's clients, including the people who use your company's and your business partners' products and services.
As Lohrmann suggests, grading should be as simple as possible. To evaluate a security leader, he proposes answering two questions for each group: Does the CISO have a "good" (or even "very good" or, better yet, "great") relationship with this particular group? Does this group respect and trust the CISO as their security adviser?
- If only one group trusts and respects the CISO: The CISO is unlikely to last long unless their boss strongly supports and protects them. Essentially, the CISO is in trouble.
- If two groups show trust, support, and respect: This reflects basic competence, but the CISO is average at best.
- If three groups trust the CISO: The CISO is doing well but should continue striving for improvement.
- If four groups trust and respect the CISO: This signifies an above-average performance.
- If all five groups trust, respect, and follow the CISO: they will support the CISO through both cyber successes and challenges. This is the mark of a truly exceptional security leader.
How to Become a Five-Star CISO: A Step-by-Step Guide
I've been using Lohrmann's grading tool for a few years now, first as a CISO to evaluate my own effectiveness and later as a mentor and supervisor to pass the method on to other CISOs. Over time, I have adjusted Lohrmann's approach, adding some important details and changing the priorities slightly.
Like Lohrmann, I evaluate five main areas, ordered from the most important to the least important. For each area, I use a star-based rating system ranging from one star to five. A CISO can rarely stay focused on more than two or three complex tasks at a time, so to ensure sustained progress I don't allow my mentees to move on to the next area until they have earned at least three stars in the current one. In some areas, there are essential components that must be addressed before a high rating can be achieved or the next stage can begin.
- Relationships with your internal security team
Building and evaluating relationships within your team should be your top priority. As a CISO, you participate in discussions and make decisions about complex technical issues, lead the company's cultural transformation, decide on team members' salaries, resolve conflicts, and address their various concerns. If your team respects you and values your opinion, you can rate yourself highly in this area. Mutual trust between you and your team enables you to accomplish far more, which is why establishing it must be prioritized above all else.
Delegation skills are a component of this area that should be evaluated separately. Effective delegation prevents the CISO from becoming a bottleneck; micromanagement is unsuitable for the role. Delegating complex tasks not only lightens your load but also builds the team's overall competence. Without strong delegation skills, a CISO cannot rate themselves highly on their relationship with the internal security team.
- Relationships with internal organizational peers
This area focuses on your relationships with other departments and their managers within your company. For example, in our organization, I collaborate with the following teams:
- InfoSec Board
- Service Center (IT Department)
- Compliance team
- HR Team
- Legal Team
- Accounting
- PR Team
Relationships with the first five stakeholders (InfoSec Board, Service Center, Compliance Team, HR Team, and Legal Team) are essential, as the CISO interacts with them regularly on a wide range of matters. Relationships with the remaining teams, such as Accounting and PR, are beneficial but not as critical: it is ideal to establish them, but failing to do so is not a significant setback.
- Security programs and projects
This area is not addressed in Lohrmann’s article, but I consider it to be one of the most important. A CISO is hired to lead, manage, and support specific projects or programs such as migrating to a cloud or hybrid infrastructure, implementing zero-trust principles, launching security awareness initiatives, or assessing risks and creating a roadmap for post-quantum cryptography implementation. The success of these initiatives ultimately falls under the CISO’s responsibility.
To execute these programs effectively, the CISO relies heavily on the security team and on internal organizational peers. Building strong relationships with both is therefore a precondition for delivering projects successfully. Below are examples of projects and programs a CISO may undertake after excelling in the first two areas:
- Zero Trust Initiatives
- Migration to cloud or hybrid infrastructure
- Configuration and roll-out of EDR (Endpoint Detection and Response) and MDM (Mobile Device Management) tools
- Improvement of the Vulnerability and Patch Management program
- Security Awareness Program
- Enhancement of Application Security Program
- and more
The Zero Trust approach has become indispensable for modern enterprise architectures, especially since the COVID-19 pandemic, when employees began connecting to company infrastructure and internal services from literally everywhere, not just from offices. This approach proved highly effective for us in Ukraine during the full-scale russian invasion in 2022, ensuring security and resilience under extreme circumstances.
- Relationships with your management
This area encompasses the following relationships:
- Line manager
- Board of Directors/Founders
- Ownership of the security budget
A CISO must own the information security budget, which covers funding for the team, tools, and services. Without direct control over the budget, it is hard to rate the relationship with management highly, because budget ownership is a critical aspect of the CISO's role.
- Vendor Relationships
This area encompasses the following relationships:
- Vendors/Suppliers
- Customer/vendor security questionnaires
How to implement this method
When onboarding a new CISO, begin with the first area: relationships with the internal security team. Evaluate their progress on the 1-to-5-star scale. Once they reach at least 3 stars, they can move on to the next group of stakeholders. The same approach can be applied to assess the performance of an existing CISO.
About the Author
Dmytro Tereshchenko is Chief Information Security Officer at Sigma Software Group, a global tech company, and lecturer at Sigma Software University and SET University.
With over 21 years of comprehensive IT experience, including a decade specialising in cybersecurity, Dmytro brings extensive expertise in risk and incident management, secure SDLC, and regulatory compliance. Leveraging his profound software development background and cybersecurity expertise, Dmytro is a crucial member of Sigma Software Group’s application security consulting service. In this role, Dmytro and his team help companies assess, develop, and implement tailored application security management systems to maintain and improve the security level of their online services portfolio.
Dmytro can be reached online at [email protected] and via the Sigma Software Group company website.