CALM MODEL BACKGROUND
In carrying out cyber search assignments for clients we realized that while there had been considerable progress on defining standards and approaches for dealing with Cyber Security, including the widely adopted NIST cyber framework, there was little clarity on understanding what good looked like in the leadership of the cyber function itself. We therefore set ourselves the task of seeing whether we could define a maturity model for CISOs that also included the NIST cyber framework. We tested the first version of this at the RSA conference in San Francisco in February 2016, and received good feedback but there was plenty missing. Over the next several months we had numerous conversations with CISOs, CIOs, consultancies (including the Big 4), main board members and individuals in the international intelligence community. With their feedback we iterated the model and improved it. We used the model in workshops where we got CISOs to evaluate themselves against it, and we presented it to numerous clients to help define what they were looking for in the leadership of the cyber function. We are now actively using the model to assess how good cyber leaders really are, and where they sit on a scale. We are also using this to help define development and retention plans for key individuals in the cyber functions.
CALM MODEL OVERVIEW
The model shows four levels of Chief Information Security Officer (CISO): Level 1 (the lowest level) represents about 60% of the market and Level 4 represents less than 100 people worldwide, most of whom are in the US. Level 1’s are mostly existing heads of IT security and are largely focused on governance and controls. Level 4’s are deeply intimate with their businesses; they are involved in the background in senior hirings and firings, M&A, divestments, supply chain, IP protection and anything shareholder sensitive. They also have regular sessions with the chairman of the main board and train non executives and their families.
HOW TO USE THE CALM MODEL
Start with the question, “What level of CISO do you have?” and ask yourself what is the current organizational attitude towards cyber. Follow some of the observations we have made, and work out where you think the organization is at the moment: is it a Level 1 place or is it more than that? Then ask yourself where the organization wants to get to, and over what period does it want to get there?
Then go to page one and examine the bottom table and work out what approach is currently taken to cyber risk management in the organization. You now have a good view on how sophisticated the organization currently is in its think and approach to cyber security.
Lastly, look at the table that focuses on what a CISO does. Work your way down the table through some of the observations and see if you can figure out either what the current capability of the CISO function is, or what the future requirement will be of the cyber function.
You now have a more refined view of what level of CISO is most likely to succeed in the organization going forward.
What level of CISO do you have?
The Cyber Level Model helps individuals and organizations work out where they currently are now and where they want to be in the future. This model uses the widely recognized NIST* framework to help evaluate the leadership of the cyber function.
What level of CISO do you need?