The CISO View is a CyberArk-sponsored industry initiative that explores CISO perspectives on topics related to improving privileged access controls and shares their practical advice on security strategies. Insights and recommendations in the available report are based upon interviews with twelve Global 1000 CISOs.




Now Available: The Balancing Act: The CISO View on Improving Privileged Access Controls

Cyber-attacks have reached a level of sophistication that allows attackers to potentially evade existing security controls and access privileged credentials. To mitigate the risks, many organizations now proactively shore up privileged access controls. There is much to learn from these organizations.

Derived from interviews with an esteemed panel of Global 1000 CISOs, The CISO View provides practical guidance for CISOs on improving privileged access controls based on the first-hand knowledge of leading organizations. This first-hand knowledge is invaluable for CISOs and other senior security professionals who are also tackling improvements. The research uncovered a wealth of insights and nuanced recommendations for achieving the balance between enabling and restricting high-levels of access to information assets.

Click on the chapter titles to learn more

Chapter 1: Three Strategic Decisions

This chapter offers peer-to-peer guidance from our expert panel on making the core decisions that will power your strategy and address security versus business tradeoffs. It will help the CISO and security team decide:

1. What should we do when? With a large number of privileged accounts across an organization, how do you set priorities and timing?
2. What’s the best mix of controls? How do you combine preventive and detective controls to achieve your goals?
3. How much is enough?   Where is the fine line between “sufficiently secure” and “overly restrictive”?



  • • Techniques to prioritize accounts, considering the various risk factors associated with accounts used by IT administrators, privileged end users, applications/scripts, and third parties.
  • • Examples of ways to time security improvements with business initiatives and other opportunities.
  • • Approaches to layering preventive and detective controls, with a focus on securing the powerful credentials that are often embedded in applications.
  • • Insights into how controls on privileged access, if well-designed, can lead to more streamlined workflow and lower error rates, in addition to improving security.

Chapter 2: Four Pivotal Conversations

According to our panelists, stakeholder engagement is one of the most important success factors in an initiative to improve privileged access controls. This chapter offers insights on how to gain stakeholder cooperation and build lasting support for change. It guides the CISO and security team through the four key conversations they will need to drive:

1. Getting Executive Buy-In How do you get executive leadership to make it an organizational priority?
2. Working with Business Process Owners How do you effectively partner with process owners to design more advanced controls?
3. Engaging IT Admins and Other Privileged Users What does it take to win over critical user groups?
4. Asking Developers to Refactor Applications How can developers be persuaded to rework applications to improve the security of credentials?



  • • Recommendations on developing a business case for improved controls, using supporting data from media reports, internal testing, and external benchmarking
  • • Detailed guidance on dealing with the most challenging groups of stakeholders, including how to influence and negotiate with process owners, IT administrators, and developers, with specific communication strategies for each group
  • • Key components of a message platform, including ways to convince stakeholders that better privileged account security benefits them personally.
  • • Proven methods for getting people through the change curve, handling objections, and overcoming resistance.

Chapter 3: Five Essential Components

This chapter makes recommendations regarding the team, techniques, and tools that are needed for a privileged access initiative. It offers the CISO and security team advice on five key elements:

1. Realistic expectations What kind of effort is involved in implementing more advanced controls? When do you see benefits?
2. The right skillsets What skills are needed?
3. Metrics How do you measure success?
4. A plan with milestones How do you break up the initiative into manageable phases?
5. The right tools What technologies and features are most useful?



  • • A look at the typical timeframe for rolling out a comprehensive, initiative to improve privileged access controls.
  • • Recommended skillsets including technical/design, governance and risk, project management and soft skills.
  • • Examples of metrics for various purposes, such as testing the effectiveness of controls, and gauging the impact of controls on productivity, efficiency and system availability.
  • • Strategies to identify early goals, define project phases, track progress and keep momentum.
  • • An overview of technologies and features that panelists have found to be especially valuable, with recommendations on adopting processes to get the most out of tools.


A Panel of Top Information Security Executives from Global 1000 Enterprises

Rob Bening
Chief Information Security Officer, ING Bank

David Bruyea
Senior Vice President and Chief Information Security Officer, Enterprise Architecture and Information Security, CIBC

Jim Connelly
Vice President & Chief Information Security Officer, Lockheed Martin

Dave Estlick
Information Security Chief, Starbucks

Steve Glynn
Global Head of Information Security, ANZ

Mark Grant
Chief Information Security Officer, CSX Corporation

Gary Harbison
Chief Information Security Officer, Monsanto Company

Jim Motes
Vice President and Chief Information Security Officer, Rockwell Automation

Kathy Orner
Vice President & Chief Information Security Officer, Carlson Wagonlit Travel

John Schramm
Vice President Global Information Risk Management & Chief Information Risk Officer, Manulife

Munawar Valiji
Head of Information Security, News UK

Mike Wilson
Vice President & Chief Information Security Officer, McKesson


Sharing information on good security practices is more important than ever as organizations face increasingly sophisticated cyber threats. At CyberArk, we believe if security teams are armed with the leading wisdom of the CISO community, it will help strengthen security strategies and lead to better-protected organizations.

CyberArk has commissioned an independent research firm, Robinson Insight, to facilitate an industry initiative to explore CISO views on topics related to improving privileged access controls. The initiative brings together top CISOs who share their insights into critical issues facing practitioners today. By developing CISO reports, studies and roundtables, the initiative generates valuable peer-to-peer guidance and dialog.


What questions around privileged access controls are most pressing for you today? What issues would you like to see industry-leading CISOs explore?

Through our research, we facilitate practitioner-centered conversations which look at protecting privileged access controls from multiple angles. Although implementing better privileged account security at a small scale can be a relatively straightforward task, a comprehensive program at a large enterprise involves driving many aspects of people, process, and technology.

We invite CISOs and other senior security professionals to suggest topics for upcoming research and/or to nominate CISOs who can share their insights for an upcoming report, by sending an email to