The CISO Legacy
Building Your Security Legacy and Long-Term Success
Also, you can find my book on building an application security program on Amazon or Manning
In my previous releases (here and here) I talked about how to get your CISO journey off the ground and running. In this final installment on the topic, I’ll cover some stretch goals, assignments, and thinking about your long-term goals and strategies. In other words, how are you going to put your imprint on a cybersecurity program and build your legacy as a great CISO?
You win some, you lose some
Your program is firing on all cylinders, and your team is gelling. You're able to take a few breaths and admire all the well-crafted reports and metrics you receive showing how your security team is reducing risk and tightening the screws on the security program. Your BC/DR plans are polished and ready to go. The C-suite actually smiles when they see you coming. And you fear no auditor. You've even mastered the art of explaining zero-trust architecture without putting anyone to sleep! But then you remember: today's victory lap is tomorrow's starting line. If you’ve learned anything from your experience in cyber, you know that there's always another challenge just around the corner.
Limiting the impact of a surprise means that your program has to keep building and nurturing the foundation for longer-term initiatives while your mindset pivots to targeted improvements that demonstrate immediate value. Simply put: establish quick wins with your program. This is where you need to know how to walk and chew gum at the same time. You do this by continuing to work the relationships you have in the organization, including the business leaders and executives, to understand their primary security concerns and pain points. This not only helps identify potential quick wins but also continues to foster those crucial relationships. Look for projects that sit at the intersection of high impact and low complexity, as these make ideal candidates for early victories.
When locating those quick wins, focus on a few key areas for immediate impact. Start by establishing basic security hygiene measures that demonstrate clear risk reduction through measurable metrics. You can do this by creating a simple security dashboard that highlights the key metrics that executives are looking for. Two basic examples are the return on investment (ROI) of the cybersecurity initiatives and investments being made, and the overall cyber risk posture over time. As the CISO you should also be looking for opportunities to streamline existing security processes, particularly those that create friction in business operations. A prime example is anything that reduces clicks or time spent by users, such as implementing automated user access reviews to replace manual ones.
Take time to address simple but persistent security issues that may have been previously overlooked or deprioritized. It’s not that uncommon for organizations to accept risk or put off activities because of other priorities at the time. Revisiting those decisions, as the landscape has likely changed, can offer an opportunity to remove risk for the organization.
Lastly, while some of these suggestions may already be part (and probably should be part) of your running program, there are a few other ways to get quick wins. Deploy basic security awareness training to address common user errors; this doesn’t just raise awareness but can also be easily measured. Additionally, setting up vulnerability scanning for critical systems shows a proactive path to reducing risk to the organization, and the trend in open findings over time gives you another metric that is easy to explain.
The key is to balance these quick wins with the groundwork you’ve been laying for a broader strategic vision. Each early success should align with your longer-term security roadmap while delivering immediate value that can be seen and understood in terms of business value. This builds trust and creates momentum for tackling larger security challenges ahead. And there will be some.
Join the culture club
A successful CISO understands that positioning security as an organizational enabler rather than an obstacle is what builds a resilient security culture. We’ve come a long way from the days when security was seen as the “department of no”; in many successful organizations, security is instead seen as a partner. Getting to that partnership begins by shifting the traditional narrative that places security solely in the IT domain to one that emphasizes shared responsibility across the organization. The challenge lies in making security both relatable and accessible while maintaining its strategic importance.
To elevate the security culture, the CISO should first secure leadership buy-in, which forms the foundation of this cultural transformation. CISOs must invest time in building relationships with department heads through one-on-one meetings, understanding their unique security perspectives and challenges. This helps answer the question “what’s in it for me?” for department heads and other senior leaders, and makes your quick wins more valuable to them. It builds trust and confidence in your ability to get relevant things done.
While culture at the top is important, building culture throughout the grassroots of the organization is absolutely critical to the success of the security program. One often overlooked method of growing this security culture and mindset is the establishment of security champions who model security practices in the organization. These visible role models emphasize secure behavior and practices for employees to emulate. It’s also a great way to amplify critical security initiatives coming from the security program.
Whether it’s the CISO themselves or the security champions, community engagement with employees requires making security personally relevant to their daily lives. By drawing parallels between workplace security practices and personal digital safety, such as securing online banking, the security organization can help employees understand the broader implications of cybersecurity and build the muscle memory that drives better security hygiene. It is also helpful to share both success stories and lessons learned from security incidents with employees. This creates a learning culture where mistakes become opportunities for improvement, and it has the added benefit of celebrating successes when applicable.
Culture goes beyond education and simulations though. The importance of an environment where employees feel comfortable reporting concerns without fear of retribution can’t be overstated. We’re all probably familiar with the “See something, say something” signs that are often posted in public places. That same mantra should be clear to every employee in the organization, with no fear of the consequences. Additionally, clear and simple security guidelines that explain not just what to do but why it matters help employees understand the reasoning behind security practices and give them a stake in owning the security of the organization. Some organizations go as far as public recognition of security-conscious behavior, which reinforces positive actions and encourages others to follow suit. However, please take into consideration how you recognize people. Not everyone wants the “employee of the month” plaque hanging in the break room!
Integrating security naturally into daily operations rather than treating it as an additional burden can do wonders for lowering the overall risk you face. Security awareness can help here. A well-designed security awareness program keeps security at the forefront of employees' minds. Things like running regular phishing simulations with constructive feedback help employees learn to identify and respond to threats.
Note: there is a fine line between promoting more secure behavior and punishing employees who fail phishing simulations. Be sure to know the difference. Punishing a click teaches people to hide it; the behavior you actually want is the prompt report, so measure and reward reporting rates, not just click rates.
Regular lunch-and-learn sessions provide informal opportunities to discuss emerging threats and best practices, while security newsletters keep the community informed of current threats and practical protection measures. Be sure to use the communication and collaboration channels already available in your organization. Something as simple as a Slack channel (or similar) where employees can contact and engage with the security organization demystifies security.
Culture is about building security consciousness into the broader organization and embracing the shared responsibility of security. It requires patience and persistence. Success isn't measured by the absence of security incidents but by the active participation of employees in security discussions and their willingness to raise concerns proactively, leading to a culture where security becomes second nature rather than an afterthought.
It’s all about the money
All (or most) of your security program can’t happen without money. Managing an effective security program budget requires strategic alignment between security investments and business risk reduction. Remember that risk reduction is the entire goal of the security program, and to be effective, you need to show that the budget is going toward that goal. You’ll need to move beyond simple technical requirements and instead frame security spending in terms of measurable risk mitigation and tangible business value. This framing creates a compelling narrative for executive stakeholders and moves security away from being seen as a simple cost center.
Risk-based prioritization should serve as the foundation for security investment decisions. This begins with mapping the organization’s existing security controls to its known risks, which exposes the gaps in the security posture. By estimating the likelihood and potential financial impact of each gap, you can make data-driven decisions about resource allocation as well as project budget and prioritization. Throughout this process, carefully documenting assumptions and risk acceptance decisions creates transparency and accountability in the decision-making process. And yes, you are likely to be asked by your peers and leaders to “show your work”.
With the right priorities in hand, you can begin to allocate resources with a balanced approach. Personnel investments, including internal teams, contractors, and managed services, form the backbone of the security team. Technology spending covers the essential tools, platforms, hardware, and SaaS services that enable security functions. Operational costs cover ongoing needs like training, incident response, and compliance activities, while project spending supports new initiatives and transformational efforts. This allocation must retain flexibility for emerging threats while also reserving funding for possible incident response scenarios.
Financial justification of security investments requires clear metrics on where the dollars are being spent. Regular check-ins with the finance department will help keep you on track to meet your goals. You’ll also want a comprehensive ROI calculation that compares the cost of security controls against the potential cost of the breaches they prevent. Not to sugarcoat it, but this is basically a justification for your organization’s existence. One way to help with these calculations is to stand on the shoulders of giants and leverage industry benchmarks. These provide valuable context for spending levels in alignment with your likely peers and the industry as a whole. This data-driven approach builds credibility with stakeholders and supports ongoing, and future, investment in security initiatives.
When presenting specific budget requests, such as new security tools or a new project, as the CISO you must provide a justifiable business case. This should detail the specific risks addressed, the potential cost of the incidents prevented, operational efficiency gains, compliance requirements satisfied, and both implementation and ongoing resource needs. In other words, what is the bang for the buck? This approach helps stakeholders understand both the immediate and long-term value of the proposed security investments. Bottom line, CISOs must maintain a clear connection between security investments and business outcomes, demonstrating how each dollar spent supports the broader organizational goals and protects revenue streams.
Over the horizon
A long-term security strategy should be a clear 3-5 year vision that aligns security initiatives with business growth. This vision should include several critical elements: the organization's desired security maturity state, defined risk tolerance levels, technology modernization goals, compliance and regulatory requirements, and the evolution of the security team's structure and capabilities. This foundational vision provides the framework upon which all other strategic elements are built. Creating that vision clearly requires some data mixed with imagination about where you believe security will be in the near-to-mid future. Ask any CISO back in 2021-2022 if they saw the AI craze coming. You’ll likely not find many that had it on their roadmap.
Implementing the strategic plan means breaking the long-term vision down into manageable phases. For instance, year one could focus on foundation building: establishing critical controls, developing team structure, and implementing basic metrics to measure progress. Years two and three emphasize maturity improvement, process automation, advanced capability development, and metrics refinement. The final phase, spanning years four and five, concentrates on innovation integration, developing predictive security capabilities, establishing centers of excellence, and achieving industry leadership in security practices. Mileage will vary per organization and, of course, as realities change and new technologies are introduced.
How do you make sure this long-term strategy succeeds? The most important goal is to maintain flexibility while staying focused on strategic objectives. Regular reviews of the plan serve as opportunities to assess progress and ensure the strategy remains aligned with evolving business needs and emerging threats. If you’re familiar with investing, this is the equivalent of rebalancing your portfolio. Take your wins and losses, and review whether you are still on track for your goals. This balanced approach allows the CISO to adapt to uncertainty while maintaining momentum toward their security goals.
Share the growth
As the CISO you are likely to report regularly to the senior executives on the progress of the program and the overall management of organizational risk. A successful executive presentation requires careful structuring to communicate both challenges and opportunities effectively to this forum. As an example, let’s say you report monthly to a senior executive meeting, and you have roughly 25-30 minutes to present the state of the security program. The opening five minutes should set the tone by highlighting the most significant findings that directly impact business objectives. This introduction must provide a clear executive summary supported by the key metrics, framing the security status in terms that resonate with business leaders. Read: focus on the risks and opportunities that affect the bottom line.
Take the next ten minutes to lay out the current state assessment. This should be the “meat” of the presentation. Keep in mind that a balanced presentation of both strengths and areas needing improvement demonstrates objectivity and lends more confidence to the presentation. In the current state section, highlight the critical security metrics using clear business language that executives can readily understand. Everyone likes a picture or a graph, so showcase any visual representations of the concepts you can; this helps maintain engagement and ensures clear communication of key points. Bonus points if you can compare the organization's security posture against industry benchmarks and competitors.
The last part of the presentation should be a recommendations segment which focuses on actionable insights and future direction. This section should present carefully prioritized action items that directly tie to business goals, while highlighting quick wins already achieved to demonstrate effective execution. Resource needs must be presented with clear business justification, supported by ROI calculations for major investments. For instance, when discussing detection capabilities, frame the conversation in terms of business impact: "Our cloud security controls currently cover only 35% of our critical workloads, well below the industry benchmark of 85%. Through our recent cloud security pilot, we achieved 90% coverage for participating applications while reducing cloud costs by 20% through better resource optimization. Expanding this program would protect all critical workloads while delivering $2.5M in annual cloud savings."
The overall presentation should rely on effective communication techniques, which means using business metrics rather than technical jargon to keep the message clear.
Note: technical details should be relegated to an appendix for potential follow-up discussions.
Presenting this way frames the risks in terms of business impact and helps executives understand the stakes involved. Include specific examples of prevented incidents, as these provide concrete evidence of the security program's value and ROI, especially if you are asking for additional resources in terms of people or funding. In the end, your presentation should have a clear call to action and next steps, ensuring that the executives understand their role in advancing the security program. Be prepared for detailed questions. This is a good rule to live by regardless of whether you’re a CISO or not, and regardless of who you’re presenting to. Know your material well enough that you can speak with confidence and anticipate incoming questions.
Remember that the CISO journey is more like long-distance running and less like a sprint. While quick wins are important, your legacy will likely be measured on how you responded to critical events, and how your program fares against the headwinds and challenges that every organization faces. Keep in mind that your program won’t be built in a day and will require constant revisits and updates. Your program will rely on the culture you cultivated, the trust you built, and the business you helped secure and grow. As you navigate the metrics, budgets, and board presentations, remember that today's security win is tomorrow's baseline. And we know that the security landscape changes at a rapid pace.
Stay Tuned
If you found this valuable, please consider subscribing or sharing.