The document discusses the challenges faced by CISOs and information security teams in engaging with organizations and stakeholders. It introduces the CISO Impact framework, which identifies seven factors that are important for CISOs to focus on in order to improve proactive organizational engagement. These factors are assessed through an online diagnostic tool that measures an information security team's strengths and weaknesses in engaging stakeholders. The document describes workshops that provide guidance to CISOs on improving specific factors, including communicating the value of information security and building support from a range of internal stakeholders.

1. CISOs and their teams operate against a backdrop of continuous change in the threat
landscape, information security technology, and business conditions. The mission to
protect critical assets across space and time is further complicated by a lack of direct
control over the people and processes that expose the organization to risk through day-
to-day operations.
In-depth research with hundreds of information security leaders revealed
a common thread among the top performers:
Technical skills, while essential, are not enough.
To deliver maximum impact, Information Security must
engage with the business and practice proactive
organizational engagement.

2. To drive insight and enable action
on these “soft skills,” IANS has
broken proactive organizational
engagement down into a set of
clearly defined, quantifiable
elements we call The 7 Factors
of CISO Impact.
Our CISO Impact framework provides a
structured, action-oriented approach that
allows you to baseline your performance
and measure progress down to the Factor
and sub-Factor levels as you work towards
b e t t e r p ro a c t i v e o rg a n i z a t i o n a l
engagement.

3. First step: take the Diagnostic.
The Diagnostic is an online self-
assessment that measures the current
state of your team’s organizational
engagement. Your personal report
provides you with insight into your team’s
strengths and weaknesses, and allows
you to compare the results to those of
your peers.
As you work to improve your skill sets in
each of the 7 Factors, your Diagnostic
results will reflect your progress.

4. Then, attend
a CISO Impact
Workshop.
The CISO Impact Workshop is a four-hour
deep dive into one of the 7 Factors of
CISO Impact.
IANS-proprietary worksheets will help you
break down your Factor-specific Diagnostic
results into concrete, step-by-step actions
for improvement.
You’ll experience a new way of thinking
about what you do, and walk away with
insights that will influence the way that you
execute your mission.

5. A CISO Impact Workshop is a collaborative
hands-on working session.
Wrap-Up
Review lessons
learned and
discuss of how
improvement
will drive
success.Introductions
Get to know your
fellow CISOs
Workshop Orientation
The IANS facilitator
describes the workshop
context, components and
flow for the day
Solo Work
Document your
team’s skills and
processes vs. the
workshop Factor.
Presentations &
Feedback
Present your
workbook
writings and
receive feedback
from your peers.
Research Overview
A discussion of the
research and structure of
the CISO Impact
framework
Diagnostic
An explanation of how
the CISO Impact self-
assessment tool works
What are the 7 Factors?
An overview of the individual
7 Factors of CISO Impact,
and a look at how they all
work together to drive
success.
Small Group
Discussion
Share ideas and
challenges with
your small group

6. Can you communicate the value of
information security in a compelling way?
To be effective, information security needs resources and
support from a range of stakeholders – but many security teams
aren’t prepared to state their case persuasively. Clear,
compelling communication is key to justifying budget requests
and paving the way towards working more collaboratively with
other business departments, but 62% of CISOs who completed
the CISO Impact Diagnostic are still in the early stages of
proactively engaging with key stakeholders to build a strong
value proposition. What steps can you take to move the needle?
At a recent Factor 6 Workshop, we posed the question:
Factor 6:
Communicate the Value
of Information Security

7. Participants discussed the challenges …
… and through that discussion, shared
thoughts on how to address the problem.
“Most of the organization
sees us the business
prevention team. They just
don’t get why we do what
we do. ”
“We’re organized in IT
so we don’t really have
the visibility into the
stakeholder challenges
and needs.”
“Our team is comfortable
answering questions and
providing options. Selling
our value is not a natural
thing for us to do.”

8. You’ll walk away with strategies for success
in real-world situations. For example,
you’ll learn how to:
• Build a strong, business-oriented value proposition that
explains how information security helps your company grow
and win.
• Engage deeply with key stakeholders – not just the ‘easy’
ones like Finance, Risk, Audit and Compliance but also the
business unit GMs – to understand what drives their business
decisions.
• Work with the Marketing department to develop assets that
communicate your value proposition.