Evaluating a Security Leader’s Performance and Becoming a Better CISO Officer
The role of the Chief Information Security Officer (CISO) has undergone a significant transformation in recent years. Today’s CISOs are not only responsible for cybersecurity but are also key members of the executive team. They shape organizational strategy, bridge the gap between technical and business stakeholders, and manage budgets. This expanded role requires more than just technical expertise—it demands strong leadership, communication, and financial management skills.
The scope of a CISO’s responsibilities can vary greatly across organizations. In some companies, they may focus on basic infrastructure, like setting up firewalls, while in others, they oversee large teams and comprehensive security programs. Differences in budgets, team sizes, and available resources further complicate the task of developing a standardized method for measuring a CISO’s effectiveness.
Daniel Lohrmann, an internationally recognized cybersecurity leader and technologist, sparked an important conversation in his 2018 article Evaluating Technology and Security Leaders. Drawing from my own experience as a CISO and mentor to other security and risk professionals, I’ve adapted Lohrmann’s insights. In this article, I explore two practical methods to assess a CISO’s performance, emphasizing the importance of building strong relationships with five key stakeholder groups—outlined in a specific, strategic order.
Lohrmann’s CISO Grading Tool
In his 2018 article, Daniel Lohrmann introduced a practical framework for evaluating a CISO’s effectiveness based on their relationships with five key stakeholder groups. These relationships reflect critical factors such as trust, respect, communication skills, project outcomes, and the CISO’s ability to engage and lead. This approach emphasizes that successful CISOs not only deliver results but also inspire and foster strong connections across all areas of their organization.
The Five Key Stakeholder Groups:

| Stakeholder Group | What Is Evaluated |
| --- | --- |
| Internal Security Team | Relationships with direct reports and other members of the internal security function. |
| Internal Organizational Peers | Relationships with business and technology professionals across the organization, including internal customers the CISO works with and protects. |
| Executive Leadership | Relationships with senior executives, including the CISO’s direct supervisor, their peers, and other members of the leadership team. |
| Vendors and Partners | Effectiveness in collaborating with external security providers, managing contracts, engaging with technology partners, and assessing new solutions. |
| External Customers | Relationships with external stakeholders, including clients and business partners who rely on the organization’s products and services. |
Lohrmann advocates for a straightforward evaluation process. To assess a CISO’s effectiveness, answer these questions for each stakeholder group:
- Does the CISO have a “good” (or even “very good” or better yet “great”) relationship with this particular group?
- Does this group respect and trust the CISO as their security adviser?
Interpreting the Results
CISO has trust from:
- 1 group – The CISO is at risk. Unless their boss strongly supports and protects them, their position is unstable.
- 2 groups – The CISO demonstrates basic competence but remains average overall.
- 3 groups – The CISO is performing well but has room for further growth.
- 4 groups – This reflects above-average performance and broad organizational impact.
- 5 groups – The CISO is an exceptional leader, capable of navigating both cyber successes and crises with widespread support.
A Practical Guide to Becoming a Five-Star CISO
Dan Lohrmann’s CISO grading framework is valuable for CISOs trying to improve their effectiveness. I’ve been applying it for several years — both to assess my performance as a CISO and also to guide others as a mentor and supervisor. In the process, I’ve made a few refinements to Lohrmann’s approach, introducing additional details and adjusting the priorities based on my experience.
Like Lohrmann, I assess five key areas, ranked from most to least critical. Each is evaluated using a star-based system, from one to five stars. Given the complexity of a CISO’s responsibilities, it’s unrealistic to focus on more than two or three high-priority areas simultaneously. To ensure meaningful progress, I require my mentees to earn at least three stars in one area before moving on to the next. In certain cases, there are foundational elements that must be addressed before a high score—or advancement—is even possible.
Area 1. Your Security Team
Your relationship with your internal security team is your foundation—and it should be your top priority. Your responsibilities as a CISO extend far beyond technical oversight. You also take part in your company’s cultural transformation, compensation decisions, conflict resolution, and strategic planning. These responsibilities demand trust, mutual respect, and open communication with your team.
If your team values your opinion and feels respected and supported, you’re on the right track. This level of trust not only contributes to team cohesion but significantly increases your impact across the organization.
A critical component of this relationship is your ability to delegate effectively. Strong delegation prevents bottlenecks and enables your team to grow in competence and confidence. Micromanagement has no place in the CISO role. Without solid delegation skills, it’s impossible to achieve a high rating in this category. True leadership lies in empowering your team to succeed—even when you’re not in the room.
Area 2. Internal Organizational Peers
Strong collaboration with internal departments is vital to the success of any CISO. This area focuses on building productive working relationships with other teams across the organization.
As a CISO, I work closely with several departments, including:
- InfoSec Board
- Tech Support
- Compliance Department
- HR Department
- Legal Team
- Accounting Department
- PR Team
Of these, the InfoSec Board, Service Center, Compliance, Legal, and HR teams are essential stakeholders. These groups are directly involved in shaping and supporting the organization’s security posture. Regular communication and strategic alignment with them are critical for smooth operations and effective risk management.
While collaboration with teams like Accounting and PR is valuable—especially for budgeting, communications, or incident response planning—it’s not absolutely necessary to build deep partnerships there to succeed as a CISO. Still, fostering positive relationships across departments creates a more cohesive security culture and can unlock unexpected support when you need it.
Area 3. Security Programs and Projects
Though not covered in Lohrmann’s original grading framework, I consider this area fundamental to a CISO’s success. A CISO is not only a strategic advisor but also an active driver of transformation through targeted programs and initiatives.
These might include:
- Zero Trust Architecture implementation
- Migration to cloud or hybrid infrastructure
- Deployment of EDR (Endpoint Detection and Response) and MDM (Mobile Device Management) solutions
- Strengthening of vulnerability and patch management
- Company-wide security awareness programs
- Enhancing application security
Delivering these initiatives successfully depends heavily on strong internal relationships—with both your own team and other departments. That’s why I recommend advancing to this area only after earning at least three stars in the first two.
One example worth highlighting is our Zero Trust initiative. In a post-COVID world, where employees access company resources from anywhere, Zero Trust has become foundational to modern enterprise architecture. For our team in Ukraine, this strategy proved critical during the full-scale Russian invasion in 2022, helping us maintain secure operations under highly adverse conditions.
Area 4. Management
This category includes:
- Your direct manager
- Founders or the Board of Directors
- Responsibility for the information security budget
Budget control is a defining aspect of the CISO role. Without it, your ability to execute strategic plans and lead your team effectively is compromised. Therefore, ownership of the security budget is a non-negotiable component in achieving a high rating in this area. Additionally, building trust with senior leadership ensures that cybersecurity priorities are supported at the highest levels of the organization.
Area 5. Vendors
The final area focuses on your external partnerships, which include:
- Technology vendors and service providers
- Customer/vendor security assessments and due diligence processes
Managing these relationships effectively is more than just choosing the right tools or services. It involves aligning vendor capabilities with your organization’s security goals, ensuring compliance, and maintaining operational resilience. In many cases, these partnerships are essential to expanding your team’s capabilities, gaining access to specialized knowledge, and accelerating project delivery.
Using this Guide
When onboarding a new CISO, begin with the first area: relationships with the internal security team. This foundational step sets the tone for everything that follows. Evaluate the CISO’s progress using a star rating system from 1 to 5 stars, where 1 represents early-stage development and 5 indicates strong, trust-based, and highly effective team dynamics. Once the CISO achieves at least 3 stars in this area—demonstrating the ability to earn respect, build trust, delegate effectively, and handle internal matters with confidence—they can move on to the next group of stakeholders.
This practical, milestone-driven approach ensures that the CISO develops strong, sustainable competencies without being overwhelmed by simultaneous priorities. Each level builds on the last, creating a solid foundation for handling more complex responsibilities, such as leading major security initiatives or managing board-level interactions.
The same framework can and should be used to assess the performance of an existing CISO. It offers a structured, transparent method for identifying strengths and areas for improvement, making it easier to set development goals, track progress over time, and ultimately raise the overall effectiveness of the security leadership. Whether you’re onboarding a new leader or coaching a seasoned one, this method helps ensure that progress is consistent, measurable, and aligned with organizational priorities.

Dmytro has been working in IT for over 20 years, acquiring comprehensive IT experience, including a decade specialising in cybersecurity, risk and incident management, secure SDLC, and regulatory compliance. Dmytro is a crucial member of Sigma Software Group’s application security consulting service. As the Head of the Information Security Department, Dmytro has a deep understanding of process building and team management. He is a well-known speaker at specialized events and a trainer at internal and external courses of Sigma Software University.