
The CISO's Guide to Improving Security Program Effectiveness

Inside This Guide
  • CISO: A Challenging Position
  • Data is the Source of Authority
  • Forget About Fear, Uncertainty, and Doubt
  • A Better Way to Measure Security Performance
  • Using Security Ratings to Improve Security Program Effectiveness
  • Conclusion

CISO: A Challenging Position

Chief Information Security Officers (CISOs), as relatively new entrants to the C-suite, are under a unique kind of pressure.

Some CISOs — especially those in industries with mature cybersecurity, like financial services — have the authority to match their C-level title. Many, however, do not.

There are several reasons for this:

First, CISOs are often technical performers who have risen through the ranks, without the desired business education (such as an MBA) or soft skills expected of most C-level officers.

Second, in many cases, CISOs do not report directly to the CEO, forcing them to accommodate the priorities of whichever line of business (IT, operations, etc.) they’re organized under.

Who do CISOs report to?

[Chart not reproduced in this extract]

Source: Deloitte 2019 Future of Cyber Survey

Finally, cybersecurity is often viewed as a cost center and a hindrance to innovation. Without executive buy-in, cybersecurity leaders are easily cast as naysayers who shoot down new ideas in the name of security.

These factors combine to produce a landscape in which many CISOs lack authority within the C-suite and influence over other teams and business units. This is bad news for CISOs and worse news for their organizations. Without a strong executive leading cybersecurity initiatives, increased cyber risk is inevitable.

Considering all of these challenges, how can CISOs gain authority among their peers and influence over other business units and departments?


Data is the Source of Authority

Almost every unit within a business uses data to back up their budget proposals, prove ROI of certain initiatives, and demonstrate success. Sales teams, for example, have a deep well of metrics to draw from, like conversion rates and profit margins.

Although cybersecurity programs generate plenty of technical metrics, CISOs have struggled to identify KPIs of comparable quality for their own programs.

Good KPIs are easy to understand, continuous, and include context. The measurements coming out of a cybersecurity program, however, are often either overly technical (e.g. number of incidents blocked) or overly operational (e.g. total spend). As KPIs these are imperfect: they provide a narrow view without real risk insight.

Lacking good performance indicators, many CISOs rely on gut instincts and past experience to guide their decision-making process.


How do CISOs make decisions?

50% of C-level executives use quantitative tools to measure risk, while the other 50% rely on experience or periodic assessments.

Source: Deloitte Future of Cyber Survey 2019

Forget About Fear, Uncertainty, and Doubt

Owing to a lack of digestible KPIs, many CISOs have relied on fear, uncertainty, and doubt (FUD) to justify investment in their department.

However, a reliance on FUD is a double-edged sword. CEOs and Boards are often highly reactive, and prone to making hasty decisions based on recent attacks and major headlines. When the CISO stokes a fear of “the big one,” rather than focusing on incremental risk mitigation, it can compound this reactive attitude.

The result is an allocation of cybersecurity resources that has become common in many industries: major investment in perimeter defense and other solutions designed to protect the business from the scariest threats, like big-name malware, with only marginal investment in initiatives that carry just as much risk but with less of a fear factor, such as user awareness and third-party risk management.

Scariest doesn’t always mean riskiest.

Causes of data breaches in 2018:

[Chart not reproduced in this extract]


A Better Way to Measure Security Performance

Many CISOs, having searched for years for a cybersecurity KPI that’s easy-to-understand, continuous, and includes context, have found their answer in security ratings.

Security ratings are a data-driven, dynamic measurement of an organization's cybersecurity performance. Ratings are derived from objective, verifiable information and created by independent organizations.



Unlike point-in-time internal or third-party assessments, security ratings are continuous. They provide an up-to-date picture of the organization’s cyber risk profile, refreshing data daily instead of quarterly or annually.

For CISOs, having access to a security rating is like having a third-party auditor constantly validating (or invalidating) assumptions about security performance, and providing insight into what needs to change.

In addition to an overall rating, many security ratings services (SRS) allow users to drill down into specific risk categories, like malware and cybersecurity diligence.

Some providers' ratings have been shown to correlate with data breach risk. In a study by AIR Worldwide, companies with a BitSight Security Rating of 500 or lower were almost five times more likely to suffer a breach than those rated 700 or higher.

For many organizations, security ratings act as the “profit margin” of cybersecurity, giving CISOs the KPIs they need to gain authority and influence and acting as a common language for both technical and non-technical individuals.

Using Security Ratings to Improve Security Program Effectiveness

Finally equipped with solid data, CISOs can gain the authority and influence necessary to increase the effectiveness of cybersecurity initiatives and decrease risk. Here are five ways CISOs are shaping the future of their organizations using security ratings:

Setting Goals

With overall measurements of cybersecurity performance, CISOs can finally set reasonable goals for their departments based on context from peers, competitors, and the industry as a whole. 

Some SRS providers (like BitSight) give CISOs access to a ratings database, where they can compare their organization’s ratings to thousands of others, as well as the organization’s historical performance.

Tracking Progress

Trust, but verify. Even if CISOs are confident in their cybersecurity teams, it’s imperative to have systems in place to verify that work is having the desired effect. 

Security ratings enable this kind of verification by quickly measuring actual improvements in certain risk areas, such as open ports, malware servers, or email security. 

This is especially important for CISOs who are responsible for managing teams not within their direct purview, such as those within subsidiary organizations, or those whose cybersecurity program is heavily outsourced.

How common are outsourced security teams?

81% of CISOs report that full-time employees make up less than 20% of their cybersecurity teams. 

Source: Deloitte Future of Cyber Survey 2019

Calculating ROI

Because cybersecurity is often about proving a negative — how many attacks didn’t occur — it’s difficult to know if money is being put to good use.

Security ratings help solve this problem. With security ratings, CISOs can track which initiatives improve performance, and by how much. 

For example, if a new malware detection solution is implemented and no subsequent improvement occurs in the organization's malware rating, it might not be delivering on its promises. Similarly, if diligence ratings improve in the months following security awareness training, this can be used to encourage further investment. One caveat: an externally observed rating also moves for reasons unrelated to a given control (newly discovered assets, ordinary day-to-day fluctuation), so a before-and-after comparison is only meaningful when the change is larger than the rating's normal variation over the same period.
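The before-and-after comparison described in "Tracking Progress" and "Calculating ROI", as an added example that is not BitSight's code and uses no BitSight API. It takes a daily series of a single risk-vector score (constructed here with a fixed jitter pattern, not real rating data), the go-live date of an initiative, and compares the window after go-live with the window before it. The movement is credited to the initiative only if it exceeds the pre-window's own day-to-day variation, so noise is not mistaken for ROI. The two scenarios, a malware tool with no effect and awareness training followed by an 8-point rise, are hypothetical.

```python
"""Pre/post assessment of a risk-vector score around an initiative's go-live.

Added example, not BitSight code. The score scale, the jitter pattern and the
two scenarios are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, pstdev


@dataclass
class Assessment:
    pre_mean: float
    post_mean: float
    delta: float        # movement in the "better" direction
    noise: float        # std. dev. of the pre-window: the noise floor
    significant: bool   # delta clears the noise floor by the chosen margin


def assess_initiative(series, go_live, window_days=30,
                      noise_multiplier=2.0, higher_is_better=True):
    """series: iterable of (date, score) daily observations, any order.

    Compares the mean of the window_days before go_live with the mean of the
    window_days from go_live onward. Only a movement larger than
    noise_multiplier * (pre-window standard deviation) is reported as
    significant, so routine fluctuation is not credited to the initiative.
    """
    pre = [v for d, v in series
           if go_live - timedelta(days=window_days) <= d < go_live]
    post = [v for d, v in series
            if go_live <= d < go_live + timedelta(days=window_days)]
    if len(pre) < 2 or not post:
        raise ValueError("need at least two pre-window and one post-window points")
    pre_mean, post_mean = mean(pre), mean(post)
    delta = post_mean - pre_mean if higher_is_better else pre_mean - post_mean
    noise = pstdev(pre)
    return Assessment(pre_mean, post_mean, delta, noise,
                      delta > noise_multiplier * noise)


JITTER = [0, 2, -2, 1, -1]   # fixed pattern standing in for daily jitter


def constructed_series(start, days, base, go_live, shift):
    """Constructed daily scores: base plus repeating jitter, with a level
    shift of `shift` from go_live onward. Not real rating data."""
    out = []
    for i in range(days):
        day = start + timedelta(days=i)
        out.append((day, base + JITTER[i % len(JITTER)]
                    + (shift if day >= go_live else 0)))
    return out


GO_LIVE = date(2019, 6, 1)
START = GO_LIVE - timedelta(days=30)


def malware_tool_assessment():
    # Hypothetical: new malware detection tool, malware vector does not move.
    return assess_initiative(
        constructed_series(START, 60, 700, GO_LIVE, shift=0), GO_LIVE)


def awareness_training_assessment():
    # Hypothetical: awareness training, diligence vector rises by 8 points.
    return assess_initiative(
        constructed_series(START, 60, 700, GO_LIVE, shift=8), GO_LIVE)


if __name__ == "__main__":
    for name, a in (("malware tool", malware_tool_assessment()),
                    ("awareness training", awareness_training_assessment())):
        verdict = "credit the initiative" if a.significant else "inconclusive"
        print(f"{name}: {a.pre_mean:.1f} -> {a.post_mean:.1f}, "
              f"delta {a.delta:+.1f}, noise floor {a.noise:.2f}, {verdict}")
```

For vectors where lower is better (open-port counts, for instance), pass `higher_is_better=False`; the noise-floor test is otherwise the same. The 30-day windows and the 2x multiplier are starting points, not provider settings; widen the window when the vector is updated less often than daily.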

Allocating Resources Strategically

Rather than relying solely on gut instinct and past experience, CISOs can use security ratings to allocate resources based on real risk. CISOs can use certain SRS platforms to understand which areas are having the most impact on overall risk, and decide where their efforts will be most useful.

In this way, security ratings allow users to target low-hanging fruit that they might have missed before, so they can quickly solve problems with simple, inexpensive solutions before moving on to more complex issues.

As Good as a Crystal Ball for Cyber Risk

With the BitSight Forecasting tool, CISOs can input expected changes in a specific risk vector due to new initiatives, and predict the impact on the overall rating over time. This can be used to encourage investment (or prevent divestment) from the Board or CEO.


Reporting to the C-suite and Board

Many executives and Board members have limited technical understanding, so it can be challenging to make an impact with complex cybersecurity data. If leadership doesn’t understand your department’s reports, how can they make informed decisions?

Security ratings are easy to understand and give high-level leadership the big picture. Because security ratings are validated external measurements, they can be used by CISOs to gain authority with the C-suite and Board.


Conclusion

When it comes to gaining the necessary authority and influence to improve security program effectiveness, measurement is just one piece of the puzzle. Once a CISO has reliable, insightful data to draw from, it needs to be effectively communicated up and down the chain.

Quantifiable metrics like security ratings give CISOs the tools to maintain buy-in and transform their cybersecurity programs into effective ones. It's up to the CISO to use these tools to make a difference in their organization.
