Cyber Security: The CISO Assessment Level Model CALM



In carrying out cyber search assignments for clients we realized that, while there had been considerable progress on defining standards and approaches for dealing with cyber security, including the widely adopted NIST Cybersecurity Framework, there was little clarity on what good looked like in the leadership of the cyber function itself. We therefore set ourselves the task of seeing whether we could define a maturity model for CISOs that also incorporated the NIST framework. We tested the first version of this at the RSA Conference in San Francisco in February 2016 and received good feedback, but there was plenty missing. Over the next several months we had numerous conversations with CISOs, CIOs, consultancies (including the Big 4), main board members and individuals in the international intelligence community. With their feedback we iterated the model and improved it. We used the model in workshops where CISOs evaluated themselves against it, and we presented it to numerous clients to help define what they were looking for in the leadership of the cyber function. We are now actively using the model to assess how good cyber leaders really are and where they sit on the scale. We are also using it to help define development and retention plans for key individuals in cyber functions.


The model shows four levels of Chief Information Security Officer (CISO): Level 1 (the lowest level) represents about 60% of the market, and Level 4 represents fewer than 100 people worldwide, most of whom are in the US. Level 1s are mostly existing heads of IT security and are largely focused on governance and controls. Level 4s are deeply intimate with their businesses; they are involved in the background in senior hirings and firings, M&A, divestments, supply chain, IP protection and anything shareholder sensitive. They also have regular sessions with the chairman of the main board and train non-executives and their families.


Start with the question "What level of CISO do you have?" and ask yourself what the current organizational attitude towards cyber is. Follow some of the observations we have made and work out where you think the organization is at the moment: is it a Level 1 place, or is it more than that? Then ask yourself where the organization wants to get to, and over what period it wants to get there.

Then go to page one and examine the bottom table, and work out what approach is currently taken to cyber risk management in the organization. You now have a good view of how sophisticated the organization currently is in its thinking and approach to cyber security.

Lastly, look at the table that focuses on what a CISO does. Work your way down the table through the observations and see if you can figure out either what the current capability of the CISO function is, or what the future requirement of the cyber function will be.

You now have a more refined view of what level of CISO is most likely to succeed in the organization going forward.


What level of CISO do you have?

The Cyber Level Model helps individuals and organizations work out where they are now and where they want to be in the future. It uses the widely recognized NIST* framework to help evaluate the leadership of the cyber function.

Level 1: Most cyber functions operate at this level. Typically found in places where cyber is seen as an IT problem. Strong on access controls, less strong on detection and response. Knowledgeable about regulation. Less connected internally and externally. Rarely appears before the main board. Transactional. Suitable for organizations where the likelihood and impact of a cyber attack are both low.

Level 2: Cyber seen more broadly than as an IT problem. Innovates and transforms. Engages with other functions, e.g., HR. Protects against, detects and responds to cyber issues. Weaker on recovery planning. Connected internally and externally. May appear before the main board. Relational and reactive. Suitable for organizations where the likelihood of a cyber attack is high but the impact minor.

Level 3: As Level 2, with stronger relational skills. Comfortable at main board level. Highly change oriented. Influential, innovative, uses data analytics. Shares information with industry peers. Anticipates. Suitable for organizations where the likelihood of a cyber attack is low but the impact severe.

Level 4: As Level 3, but more strategic and innovative. Part of the DNA of the organization. Involved in all critical and highly confidential decisions, e.g., M&A. Manages new developments and changes. Suitable for organizations where the likelihood and impact of an attack are both high.


What level of CISO do you need?


Russell Reynolds Associates is a global leader in assessment, recruitment and succession planning for boards of directors, chief executive officers and key roles within the C-suite. With more than 370 consultants in 46 offices around the world, we work closely with public, private and nonprofit organizations across all industries and regions. We help our clients build teams of transformational leaders who can meet today's challenges and anticipate the digital, economic, environmental and political trends that are reshaping the global business environment. Find out more at Follow us on Twitter: @RRAonLeadership
