What is the CISO’s role?

In 2015, KPMG released a glossy but informative 9-page pamphlet entitled “Positioning the Chief Information Security Officer (CISO) for Success.” KPMG starts off by answering two common questions on the first page:

  1. Where should a CISO start?
  2. What should a CISO do to assure that his/her security program is a success?

The answers are interrelated. In fact, #1 is the overarching answer, and the takeaways are:

  1. Understand the business strategy. The IT Sec program needs to align with business needs and strategy. This makes it easier (and possible) to obtain the necessary executive sponsorship and support.
  2. Transform IT Sec capabilities. A CISO needs to move the “organization’s capabilities [see #1] and effectively manage resources to successfully deliver programs and services that improve security posture.”
  3. Navigate change (i.e., help, facilitate and lead). IT Security needs to respond to the needs of the business strategically (see #1 above) during fundamental change (e.g., M&A, deregulation, changes in sourcing models).
  4. Deliver value with confidence. CISOs need to reduce risk by leveraging technology (along with education, procedures, standards, etc.). IT Security needs to enable key elements of the business strategy (ummm… see #1 above). IT Security’s services and capabilities need to be delivered with the right balance of cost and performance.

KPMG also raises two valid points about how to achieve these objectives:

  1. Prioritize efforts
  2. Move swiftly to execute your agenda
