What to know about each stage of the CISO maturation cycle

CISO maturation levels

The role of the CISO has become more important every day.

Businesses are growing increasingly complex. Attacks are never-ending. The fallout from breaches grows more toxic. And even though companies continue to invest heavily in defensive tools, many still struggle to protect against even common tactics like email phishing. Meanwhile, AI promises to embolden an already determined global community of hackers. That’s making a dangerous threat landscape even more treacherous.

Many businesses look to the CISO to manage these challenges. But the level of authority they give the role varies wildly. Every business ultimately needs to defend, detect, and recover from an attack. But the CISO's role in executing on those priorities differs greatly among businesses. And often, it depends on where the organization stands on its growth curve.

The CISO's responsibilities and authority must align with the company's overall business priorities. That includes the value placed on data resources, as well as the level of risk the company is willing to bear when an attack eventually happens. Any mismatch could make the organization less secure.

That’s why close coordination between the CISO and the CIO has become so vital. CIOs are often higher up in the organization – though that’s not always the case. Regardless, they must still understand their organization's cybersecurity maturity level. Only then can the CIO empower the CISO to take the necessary steps to fulfill their core duties.

Here’s what business leaders need to know about the role of cybersecurity in their organizations – and the type of person they need to lead these security teams as the company evolves.

Maturity Level 1:

In the least mature organizations, security teams are simply order takers. They can't independently set policy across the enterprise. And often, an IT team handles many of the daily responsibilities required to keep the tech environment running.

At this stage, businesses typically don’t even have a dedicated CISO. Instead, the “cybersecurity” department is a few technical workers who can, for example, configure a server. And they often report to a mid-level IT manager, maybe even the CIO.

In such organizations, cybersecurity becomes very much a “check the box” effort. Typically, the businesses are smaller, with a more concentrated IT footprint. They also tend to be private companies. Unlike public companies, they’re not accountable to shareholders, who are increasingly putting a premium on cybersecurity. Nor are private companies as worried about the need to audit their systems in response to regulatory demands.

Instead, other goals, like rapidly growing their sales, often take priority. In fact, cybersecurity measures that put burdens on end users are often an impediment to that goal. For example, some organizations may forgo multi-factor authentication because of the added burden it puts on users.

Maturity Level 2:

As the business evolves, so must the IT environment. There are more employees, more workflows and more touchpoints with customers and suppliers. The potential attack surface for hackers expands.

Suddenly, cybersecurity becomes more important. Many businesses at this stage will appoint their first CISO. But at this level, the role often doesn’t include the authority to devise and execute strategy. Instead, CISOs are usually technical experts. They might even spend some time coding alongside their employees.

At this stage, the company also starts to bring in compliance expertise. And it may put in place initial monitoring and auditing capabilities. As the security team grows, the gap with the IT department begins to close. The two now work together to identify areas where they aren't meeting security objectives, and the CISO and the CIO interact more often.

Maturity Level 3:

Eventually, the CISO needs the authority and autonomy to implement security controls across the organization. At this stage, the CISO owns more of the technology functions. They’re in charge of defending, detecting, and recovering from attacks. CISOs might bring in specialists in areas, like cloud security. Or they might introduce new capabilities like identity and access management.

At this level, the CISO still isn't making unilateral decisions. Other executives push back on measures they think will impact productivity or disrupt workflows. While cybersecurity has become important, the business leadership still controls the security team.

Meanwhile, IT has now become a separate team tasked with overseeing the core infrastructure. They're more concerned with standing up servers, deploying new development environments, and managing the lifecycle of all the components involved in that.

In the best cases, though, the CIO starts to view the CISO as a more important counterpart. They’re now beginning to work in unison to ensure IT and security goals are aligned.

Maturity Level 4:

Here’s where the CISO becomes empowered. The CISO has direct access to top executives and often participates in strategic meetings with the board of directors, advising on cybersecurity risks and the integration of security practices into overall business strategies.

Now, the CISO focuses more on risk management. They're working with the leadership team to determine the company's tolerance for risk. And then they're building the appropriate enterprise-wide policies and procedures to reflect that.

For example, many CISOs at this maturity stage are talking to the board about how the business can begin to take advantage of AI technology — and defend against the new threats it introduces.

Maturity Level 5:

Within enterprises that have reached this ultimate stage, security and the rest of the business operate in harmony. They likely follow secure-by-design principles, where cybersecurity gets built into the foundation of everything the business does.

Vital systems are continually tested to ensure the team can recover them in the event of an incident. And employees generally follow well-established data security practices like multi-factor authentication.

Applying these principles

When CISOs understand how their roles and responsibilities reflect the cyber maturity of the organization, they can better prepare for what's next. And as the CISO's own skills evolve, that will push the company to consider its digital defenses more seriously.

When it comes to cybersecurity, no two companies are the same. Each business has a different technology stack and different priorities. Public companies will have much different needs than private ones. Smaller businesses have different limitations than large enterprises.

As a result, CISOs must stay flexible and adapt. Companies must weigh the unique risks and rewards at each phase of the maturity growth curve. By understanding the characteristics of each stage, CIOs and other business leaders can appropriately empower the CISO to succeed.

Javier Dominguez, chief information security officer, Commvault
