
Russell Reynolds - Cyber Security: The CISO Assessment Level Model CALM

What level of CISO do you have?

The Cyber Level Model helps individuals and organizations work out where they are now and where they want to be in the future. It uses the widely recognized NIST* framework to evaluate the leadership of the cyber function.

Level 1.0

Most cyber functions operate at this level. Typically found in places where cyber is seen as an IT problem. Strong on access controls, less strong on detection and response. Knowledgeable about regulation. Less connected internally and externally. Rarely appears before the main board. Transactional. Suitable for organizations where the likelihood and impact of a cyber attack are low.

Level 2.0

Cyber seen more broadly than an IT problem. Innovates and transforms. Engages with other functions, e.g., HR. Protects, detects and responds to cyber issues. Weaker on recovery planning. Connected internally and externally. May appear before the main board. Relational and reactionary. Suitable for organizations where the likelihood of a cyber attack is high but the impact minor.

Level 3.0

As Level 2, stronger relational skills. Comfortable at main board level. Highly change oriented. Influential, innovative, uses data analytics. Shares information with industry peers. Anticipates. Suitable for organizations where the likelihood of a cyber attack is low but the impact severe.

Level 4.0

As Level 3, more strategic and innovative. Part of the DNA of an organization. Involved in all critical and highly confidential decisions, e.g., M&A. Manages new developments and changes. Suitable for organizations where the likelihood and impact of an attack are high.


What level of CISO do you need?


To view the full article, visit http://www.russellreynolds.com/insights/thought-leadership/cyber-security-the-ciso-assessment-level-model-calm
