Identifying and managing risk is fundamental to good governance, says Claus Norup, Managing Director and Group CISO, Euroclear, but that’s only part of the job. Success in a CISO role depends on leadership’s buy-in, the ability to translate information to its audience, and the degree to which the function is embedded in overall governance, among other factors. Still, Norup says that in the end, successful governance comes down to the person in the role.
Should you take the CISO job? If offered a role, judge the board and management’s commitment. You need their buy-in to succeed. If you do say yes, take some time and talk to your stakeholders, document governance policies, and get management’s sign-off. And work to embed governance in the funding processes. You can’t execute anything without money, and embedding governance makes information security part of the global governance of the institution.
Governance requires timing, transparency, and translation: Governance programs should be tied into the regular program reporting and built two or three years out, but CISOs must relate technical information in a cadence and language keyed to the stakeholder. Just don’t filter information. It confuses people and fosters distrust. “What is green in the board report is green to the regulator,” Norup says. “What is red in the board report is red to the regulator.”
Finding the balance: CISOs have to strike a difficult balance between satisfying regulators, the board, management, and security, and none think they get it right every day. Commitment from senior management and the board – and their well-understood role matrix – is crucial to that balance.
Where should you focus? Try to spend a third of your time on governance, a third on communication, and a third on “what you're actually hired to do to keep the place safe,” Norup says.
Team building: Leverage the second (and third and fourth) line -- they can offer input and reveal blind spots. Your team should be solid technologists and handle stakeholder management so you can concentrate on services, processes, controls, and reporting, not day-to-day operations.
Governance automation: Automation, such as risk register analysis, helps you better understand groups of risks. But communication and the translation of risk to the audience can’t be automated – ultimately, information security is driven by people. “At the end of the day, whether you're a good or a bad CISO depends on who are you as a person,” Norup says. “It's still a people business, I firmly believe.”
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2025 FS-ISAC, Inc. All rights reserved.
Claus Norup has been the Global Chief Information Security Officer for Euroclear Group since 1 December 2020. Claus leads a number of strategic initiatives to further strengthen the organisation's information security capabilities and is accountable for most logical and technical security services. In his role, Claus is additionally accountable for first-line-of-defence Technology Risk Management and sits on the Group Risk Committee as well as on the group's Extended Management Committee. Prior to joining Euroclear, Claus held various Managing Director positions at UBS, most recently as Head of Strategic Change and Remediation in the CISO function and Head of Technology for UBS in APAC, based in Singapore. Previously, Claus was accountable for Technical Security at UBS and held various positions at Zurich Financial Services and Credit Suisse.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.