CISOs face continuous changes in threats, security technologies, and business conditions that complicate their mission to protect organizational assets. Research shows top performers engage proactively with the business through soft skills rather than just technical skills. The CISO Impact framework defines seven factors of proactive organizational engagement that CISOs can measure themselves against, including embedding information security into key business processes. Workshops help CISOs assess strengths and weaknesses, develop action plans, and discuss challenges with peers.

1. CISOs and their teams operate against a backdrop of continuous change in the threat
landscape, information security technology, and business conditions. The mission to
protect critical assets across space and time is further complicated by a lack of direct
control over the people and processes that expose the organization to risk through day-
to-day operations.
In-depth research with hundreds of information security leaders revealed
a common thread among the top performers:
Technical skills, while essential, are not enough.
To deliver maximum impact, Information Security must
engage with the business and practice proactive
organizational engagement.

2. The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer,
and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
To drive insight and enable action
on these “soft skills,” IANS has
broken proactive organizational
engagement down into a set of
clearly defined, quantifiable
elements we call The 7 Factors
of CISO Impact.
Our CISO Impact framework provides a
structured, action-oriented approach that
allows you to baseline your performance
and measure progress down to the Factor
and sub-Factor levels as you work towards
b e t t e r p ro a c t i v e o rg a n i z a t i o n a l
engagement.

3. First step: take the Diagnostic.
The Diagnostic is an online self-
assessment that measures the current
state of your team’s organizational
engagement. Your personal report
provides you with insight into your team’s
strengths and weaknesses, and allows
you to compare the results to those of
your peers.
As you work to improve your skill sets in
each of the 7 Factors, your Diagnostic
results will reflect your progress.
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your
computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.

4. Then, attend
a CISO Impact
Workshop.
The CISO Impact Workshop is a four-hour
deep dive into one of the 7 Factors of
CISO Impact.
IANS-proprietary worksheets will help you
break down your Factor-specific Diagnostic
results into concrete, step-by-step actions
for improvement.
You’ll experience a new way of thinking
about what you do, and walk away with
insights that will influence the way that you
execute your mission.

5. A CISO Impact Workshop is a collaborative
hands-on working session.
Wrap-Up
Review lessons
learned and
discuss of how
improvement
will drive
success.Introductions
Get to know your
fellow CISOs
Workshop Orientation
The IANS facilitator
describes the workshop
context, components and
flow for the day
Solo Work
Document your
team’s skills and
processes vs. the
workshop Factor.
Presentations &
Feedback
Present your
workbook
writings and
receive feedback
from your peers.
Research Overview
A discussion of the
research and structure of
the CISO Impact
framework
Diagnostic
An explanation of how
the CISO Impact self-
assessment tool works
What are the 7 Factors?
An overview of the individual
7 Factors of CISO Impact,
and a look at how they all
work together to drive
success.
Small Group
Discussion
Share ideas and
challenges with
your small group

6. How can you embed information security
into key business processes?
Our research shows that 72% CISOs are still in the very
early stages of integrating information security criteria
into the day-to-day processes of their organization.
What steps can you take to weave information security
into the fabric of processes like software development
and vendor selection?
Factor 3:
Embed Information
Security into Key
Business Processes
At a recent Factor 3 Workshop, we posed the question:

7. Participants discussed the challenges …
… and through that discussion, shared
thoughts on how to address the problem.
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
“Goals mis-match is the biggest
obstacle. Our developers are measured
on timely delivery and we’re measured
on security defects. Besides, they think
they’ve got security covered.” “Good news: Awareness is
up and we’re invited to
assess more projects. Bad
news: Awareness is up and
we’re invited to assess more
projects.”
“We’re working to get the
risks of cloud under control
but any employee with a
credit card can spin up a
cloud deployment. “

8. You’ll walk away with strategies for success
in real-world situations. For example,
you’ll learn how to:
• Communicate the tangible input that security can have in
high-level business decisions like M&As
• Establish agreements with Finance and Legal that compel
assessment of new vendors before contracts are signed
• Learn how to win the agreement of key stakeholders - like the
VP of App Dev, for example - to weave information security
criteria and implement verification steps like code testing into
processes like the SDLC.