Job of a Chief Information Security Officer (CISO) is complex. Many individuals outside the realm of cybersecurity often underestimate the intricacies involved in a security professional’s role. Since its inception in 2012, the CISO MindMap has served as a valuable educational resource, offering insights into CISO responsibilities and aiding security professionals in crafting and enhancing their security programs. Continuously adapting to reflect the evolving landscape of cybersecurity, the CISO MindMap has been updated to accommodate the latest developments in the field. Here is the most recent iteration of the CISO MindMap for 2025, featuring numerous enhancements and fresh recommendations for the next 12-18 months covering the year 2025-26.

Don’t forget to review recommendations for 2025-26 described below and to subscribe to my blog.

Download High Resolution PDF for Printing

Click here to download high resolution PDF version of the CISO MindMap 2025

Summary of Changes

With accelerating digitization of businesses, the responsibilities of security professionals are only increasing. Technology is changing fast, bringing new ways of doing business, continuous adoption of Cloud, and extremely fast evolving AI/GenAI technology. Not only the Infosec professionals are “expected” to deeply understand these technologies, they are also tasked with providing policies/guidance on how to secure them. For this reason, every year you find new items on the CISO MindMap. At the same time, some items are updated or removed from the CISO MindMap depending upon their relevance or obsolescence. In the latest CISO MindMap, modified and new items are marked in red color for your convenience.

Expiration Date – A common issue is that many professionals still have older CISO MindMap copies. Like last year, I added an “expiration date” to let people know when they should stop using a particular version. The expiration date for the 2025 CISO MindMap is the end of September 2026. The next version will be published before the current version expires.

CISO MindMap Update Methodology

Every update to the CISO MindMap undergoes thorough consideration, research, and attention to detail. In addition to my ongoing engagements with industry leaders, various methods are employed to ensure we capture the pulse of the cybersecurity landscape:

• Conducting interviews with experts.
• Distributing surveys to gather insights.
• Leveraging LinkedIn for targeted questions and discussions.
• Analyzing feedback and comments from previous versions of the CISO MindMap.
• Staying abreast of industry news and conducting in-depth analysis.
• Review of research reports published by reliable organizations.

Furthermore, I’d like to express my gratitude to the contributors whose valuable insights have enriched this endeavor. The ‘Acknowledgments‘ section of this blog post includes their names and LinkedIn profiles as a token of appreciation.

Are you Accountable for Everything included in the CISO MindMap?

Security is inherently a collaborative effort, and the role of the CISO entails providing consultative guidance in various areas outlined within the CISO MindMap. It’s crucial to discern between areas where direct ownership and accountability are necessary and those where consultation is the primary function. Within any organization, numerous stakeholders are involved, and a common pitfall is the lack of clearly defined boundaries for each role.

My recommendation is to establish a RACI (Responsible, Accountable, Consulted, Informed) matrix, which serves as a standardized methodology for delineating roles and responsibilities among stakeholders. By mapping out tasks and corresponding roles within this framework, clarity is achieved, ensuring that each stakeholder understands their level of involvement and contribution to the overall security landscape.

So yes, a CISO is probably not the only role to cover everything in this MindMap, hence, building alliances is important for success.

Focus Areas and Recommendations for 2025-2026

Each year, I offer my recommendations as a practitioner, drawing insights from discussions with information security leaders. My approach strives for objectivity, steering clear of hype and focusing solely on data-driven research. Though unintended biases may exist, the goal remains to propose actionable steps viable within a short to mid-range timeframe. These recommendations do not constitute future predictions; rather, they address the immediate needs for enhancing security programs.

Selecting a concise set of recommendations is always a challenge for me. While the list provided below may be longer than I’d prefer, I aim to offer a comprehensive array of considerations for your reflection. Followers of the MindMap will notice both recurring suggestions from previous years and new additions, providing a blend of continuity and fresh insights.

I’m genuinely interested in hearing your perspective on these recommendations and understanding whether they resonate with your experiences and insights. Your feedback, whether in agreement or disagreement, provides valuable insights that can help refine and improve our approach to addressing security challenges. So, please feel free to share your thoughts and insights on these recommendations—whether you support them or have reservations—so we can engage in a constructive dialogue to further enhance our security strategies.

Recommendation 1: It is Time for Securing GenAI

A lot has happened since last year when I made a recommendation to “adopt a cautious approach towards GenAI”. We have seen many GenAI players releasing more advanced LLMs while new players enter the market. Now LLMs can do better reasoning, are faster, and need less time/resources to train and operate. New entrants such as Deepseek have made ripples causing swings in stock markets. The new hype seems to have shifted from chatbots to AI agents. GenAI is proving to be useful in areas such as code assistants/code generation, marketing and publications. However, my own research indicates that people are still not very comfortable letting AI agents make autonomous crucial decisions without human oversight. Use of GenAI as assistance is getting traction, but autonomy still seems far in future. At the same time, governments around the globe are setting up standards and regulations for responsible use of AI. 

On the security front, organizations like OWASP, NIST and others have published recommendations for protecting AI from attacks such as supply chain, prompt injection, data poisoning and others [1].

What does this mean for CISO and security leaders? Following are some recommended actions.

• Setup standards and governance for GenAI.
• Research, validate, and approve LLMs (and other AI models) for use within organizations.
• Define what it means to have a responsible use of AI within an organization.
• Create a process to review use cases to ensure standards are adhered to.
• Update vulnerability management and AI application penetration testing processes to cater new needs for GenAI.
• Train security professionals on how GenAI, LLMs, RAG and Agents actually work.
• Establish a training and awareness program for IT staff.
• Explore open source options for GenAI (which are already providing viable solutions).

I have published a few blog posts about understanding GenAI threat and risk categories [2]. In addition to securing GenAI, it is also a good time to start looking into how to take advantage of GenAI in Cybersecurity operations through plausible use cases [3].

Recommendation 2: Consolidate and Rationalize Security Tools

This is a continuation of a recommendation made last year as the situation in this particular area has not changed much. An average organization is using a large number of security tools, by some estimates as high as 47, according to a Ponemon survey. Yet many security leaders don’t know if Cybersecurity tools are working. Accumulating more security tools doesn’t necessarily lower risk; rather, it amplifies the necessity for maintaining expertise within security teams. Misconfigured security tools may become a liability in themselves. There is a need for consolidation and rationalization of security tools by deeply exploring Return on Investment (ROI) of these tools. You may be surprised by the amount of shelfware within security programs. In some cases open source tools may work just fine as well and could be a good replacement for commercial tools.

When it comes to security tools, many organizations are adopting one of the two most popular strategies.

1. Ecosystem approach – A single vendor with an ecosystem of tightly integrated security tools. This approach provides, at least in theory, a single view of risk. Vendor lock-in is a major concern, however. There is also a risk associated with security breaches and vulnerabilities that could impact the whole ecosystem.
2. Best of the breed approach – In this approach an organization uses the best available security tool for a certain purpose. This approach brings its own pitfalls of creating silos and problems in building an organization wide view of risk.

If you go with the “best of the breed approach”, my strong recommendation is to opt for the tools that have strong API capabilities so that you can build an internal “glue application” to integrate data available from these tools.

The guiding principle is that no tool should be worth more than the value they bring and the risk they reduce.

Recommendation 3: Identify and Manage Security Debt

There is no secret that businesses are becoming more digital, new software applications are being built and are becoming more interconnected and complex. Security teams find a higher rate of software flaws, infrastructure vulnerabilities, and architectural issues than they are able to fix. At the same time, development teams are under pressure to churn out new features and new applications with less attention on fixing old and existing issues. The result: organizations are building security debt at a faster pace than ever.

My recommendation for CISOs and other security leaders is to initiate a program to identify and measure the security debt, and estimate time/money it will take to close it, or at least not pile up more. I would also suggest making the security debt (in terms of dollars) part or a reporting metric for boards to raise awareness.

Recommendation 4: Ransomware and Cyber Resilience

Ransomware continues to be a major problem for security professionals and, at the same time, a very profitable business for bad actors. This problem is especially huge for industries that provide crucial human services such as hospitals, and for critical infrastructure organizations. The mindset of “it is other people’s problem” still exists and much more is needed to prepare for effectively responding to ransomware attacks. Thankfully, the awareness has increased over time, which is a progress in itself.

To prepare for and respond to ransomware attacks, here are some very foundational recommendations. These recommendations are just a starting point and a continuous review of defences is needed to properly safeguard against ransomware attacks.

• Conduct a business impact analysis.
• Conduct exercises to thoroughly test backups that can be restored in a reasonable time. Note that backups could also be attacked/ ransomed.
• Purchase cyber insurance and make sure ransomware is included in the coverage.
• Focus on resilience and ability to restore operations. Take a systems thinking approach.

Recommendation 5: Create Meaningful Metrics

The CISO MindMap includes areas such as metrics and reporting. Traditionally a major focus has been on operational metrics such as number of system patched, number of vulnerabilities fixed, number of events blocked, etc. The recommendation for this year is to turn this focus on more meaningful metrics that actually show progress towards managing risk to an appropriate  and acceptable level.

While the concept of “meaningful” may slightly vary from organization to organizations, our friend Wade Baker has made few suggestions about meaningful metrics like the following:

• Control effectiveness
• Risk reduction
• Overall program performance

I will also recommend that automation of a metric is as crucial as the metric itself.

Recommendation 6: Improve Cyber Hygiene

While many are busy in GenAI related initiatives, we must not forget the basics. Many security professionals are painfully aware of the fact that, more often than not, security incidents and data breaches are a result of missing basic cyber hygiene. Please continue work on these basics such as:

• Enhance visibility into digital footprint with a target of obtaining full visibility.
• Shrink the attack surface for your organization as much as possible.
• Enhance API security. APIs are fueling growth of complex systems and are becoming an even bigger part of the overall infrastructure.
• Manage and reduce complexity. Remember complexity is the enemy of security.
• As an industry we are not very good at Third Party risk management. Keep finding better ways of doing so.

Others Recommendations

While the above six are the “official” recommendations for CISO MindMap 2025, I just want to acknowledge suggestions, insights and initiatives from the contributors as listed below.

• Privacy by design.
• Understanding and dealing with AI powered threats.
• Quantum strategy and planning.
• Demonstrating and assessing assurance over AI models; upskilling the security team to be successful in the age of AI; building business-centric processes and operating models to deliver business value.
• Proactively assess the value of each control and develop plans to sunset at least 5% of controls within 24 months.
• Current approach to third party risk management delivers very little value. Automation in Third Party Risk Assessments and explore use of AI for assistance.
• Changing security culture towards a service oriented approach. “Shake up the game” and impact behavior change.
• Effective board presentations.
• A systems approach to Cyber risk taking into account geopolitical challenges, economy, potential recession, and layoffs.
• Learning from Cyber incidents.
• A realistic, balanced, and practical approach towards DLP.
• Real time pro active cyber risk monitoring via singular CISO Dashboard (Like Salesforce for CFOs and Hubspot for CMOs).

How to Use CISO MindMap?

Have you ever been asked to explain what you do as a security professional? The CISO MindMap originates as an effort to answer this question and has evolved since then. It is a good tool for addressing this question and clarifying the intricacies of the role. Many professionals have attested to its efficacy in elucidating the complexities of the CISO position, particularly when communicating with a business audience.

Here are some ways in which the CISO MindMap proves to be immensely valuable:

• Facilitating conversations with fellow technology professionals.
• Instrumental in the design and refinement of security programs.
• Adopted by certain security vendors for raising awareness.
• Employed in CISO group discussions and community meetings.
• Aiding aspiring security professionals in understanding the industry landscape and charting their career paths.
• Serving as an educational and awareness-raising tool.

Obviously there is a lot on this MindMap. The stress on people who have these responsibilities is real. If nothing else, this MindMap should help leaders recognize that stress and do something about it. I covered this topic (stress) in my latest book Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC) as well.

What are They Saying?

Following is a sample of comments on CISO MindMap post from 2024.

• Jack Jones wrote – “Really great piece of work, Rafeeq!”
• Jerich Beason CISO wrote – “This mind map has helped many CISOs explain the depth and breadth of their roles to so many executives…Thank you for allowing me to play a small role in this latest evolution.”
• Gary Hayslip CISO Softbank wrote – “thank you, my friend, for giving me the opportunity to participate in this year’s mindmap; I really like how the GenAI section came together. As always, thank you for continuing to develop this amazing resource and providing it to our #community”
• Omar Khawaja CISO wrote – “What a comprehensive list!”
• Atif Yusuf wrote – “Great job. Once again ! I especially like inclusion of “Business Resilience” and “Building a brand“
• Ross McNaughton CISO at Gulf Bank wrote – “As always, a great resource showcasing our field. Appreciated for all your efforts in maintaining and enhancing it constantly”

Following are some comments on CISO MindMap LinkedIn post from 2023.

• Michael Restivo – “One of the most valuable documents around. Love this Rafeeq.”
• Chris Novak – “Always a great asset! Thanks for all that you do for the cybersecurity community!”
• Muath AlHomoud – “Great insight Rafeeq Rehman always inspiring”
• Christophe Foulon – “Insightful as always, Rafeeq Rehman”
• Matthew P. – “Thanks for updating this. I think this makes a really useful tool when talking to the next generation about careers in security being able to demonstrate the breadth of what we can get involved in is quite eye opening”
• David Elfering – “Thank you! I review security programs as part of my work; your outline is fantastic. As a CISO, I regularly reviewed it, and as a consultant/advisor, I can see even more clearly how others would benefit.”
• Alan Ng – “Thanks for all the heart and sweat poured into this awesome mindmap and recommendations! It is a great resource!”
• Stefan Jäschke – “Terrific work Rafeeq Rehman – thanks for giving back to the community consistently over the years in so many ways.”
• Arvind Javali – “I listened to your podcast interview on CISO mindmap, very insightful, thanks for sharing”
• Ashoka Reddy – “Thank you, Rafeeq Rehman, for the knowledge, insight, time, and effort you have put into creating and sharing the #CISOMindMap. For #InformationSecurityManagers this is a gold standard that is priceless. It’s a little overwhelming to the point of being funny, but you’ve mapped my professional brain pretty nicely. For #BusinessLeaders this gives oversight to how we protect organizations, revealing our value and responsibilities.“
• Jas Puar – “Great timing. I’ve been looking at the 2022 version recently for some inspiration. Glad the 2023 version is available. The role is becoming bigger (cutting deeper across the entire business) and therefore more critical every year. More needs to be done to educate and raise awareness to change the direction of travel, otherwise an already thankless role, will very soon become an impossible one. Keep up the great work!”
• Steve Lodin – “Thanks again for your continued work here. I look at and keep a copy of every version you release!”
• Fernando Montenegro – “Really nice work, forwarded it to others. I really enjoy the “expiration date” aspect.”
• Georgeo X. Pulikkathara – “Rafeeq Rehman, good work on the CISO MindMap. My assessment is that this is a good framework for CISOs to approach all the areas we need to consider.”
• Rob Mukherjee – “This is brilliant, thanks Rafeeq. And couldn’t agree more with your comment in the first focus area. “Understand that merely having a backup is not enough. Ability to rebuild impacted systems and restore backups in a timely manner is crucial.” Spot on!! Think “restore”, not just backup!”

Acknowledgments

In addition to numerous infosec leaders who provide their input, we have a LinkedIn Group to gather suggestions and comments from the community. While many provided feedback, the following is a list of people and organizations who provided “specific suggestions” for improvements (in no particular order). If I missed anyone, please send me a message to make corrections.

1. Marc Vael, Esko Chief Digital Trust Officer
2. Tammy Moskites, CEO & Founder, CISO
3. Michael Restivo, Vice President | Cybersecurity Executive
4. Wade Baker Ph.D. Cybersecurity Researcher, Entrepreneur, Professor
5. Erik Wille, SVP & Chief Information Security Officer Cabinetworks Group 
6. Kristin Lowery – Vice President, Chief Security Officer at American Electric Power
7. Omar Khawaja – CISO Databricks
8. Ross McNaughton, Chief Information Security Officer at Gulf Bank
9. Rahul Tyagi, Co-founder Safe Security
10. Andi Baritchi, Vice President, Global Security Assurance, Compliance, Kyndryl
11. Andres Ricardo Almanza Junco, Cybersecurity Strategist & vBISO | Founder of CISOS.CLUB
12. Rodrigo Carvalho, Cybersecurity Service Manager, Brazil
13. Peter Holcomb, ​​CISO | Security Strategist & Advisor
14. Muath AlHomoud, Director of Cybersecurity, D360 Bank 
15. Tony DeAngelo, VP, CISO at Encova Insurance
16. James Azar, Global CISO | Founder X2
17. Ahmed Kamel, Security ,Risk & Compliance at Nestlé
18. Ty LeSane, Director of IT Security
19. Walter Heffel, CISO at ENERSA
20. Dominik Bredel, Director, Cyber Security bei PwC Deutschland
21. Darren Kearl, Security Professional @ Siemens Healthineers
22. Dr. Toh Shang Yee, Head of Information Security at MCIS Insurance Berhad

Following is a list of those (in no particular order) who have contributed to CISO MindMap development in the past.

1. Jack Jones 
2. Gary Hayslip
3. Michael Restivo
4. Wes Sobbott
5. Muath AlHomoud  
6. Ross Young
7. Ross McNaughton 
8. Gerard Onorato 
9. Tony DeAngelo  
10. James J Azar  
11. Chris Hughes 
12. Izhar Mujaddidi
13. Nadeem Iftikhar 
14. Ismail Cattaneo  
15. Andres Ricardo Almanza Junco  
16. Jack Jones 
17. Chad Sturgill  
18. Omar Khawaja  
19. Rodolphe Simonetti 
20. Scott Hawk  
21. Hisham Zahid 
22. Jerich Beason  
23. M Kashif Bukhari  
24. Chris Castaldo
25. Atif Yusuf
26. Jon Rogers  
27. Andi Baritchi 
28. Ricky Mehra
29. Ahmed Kamel
30. Tobias Ander
31. Indy Dhami
32. Matthew Thompson
33. Marc Vael
34. Christophe Foulon

Your input is highly appreciated!

Older Versions of CISO MindMap

• CISO MindMap 2024
• CISO MindMap 2023
• CISO MindMap 2022
• CISO MindMap 2021
• CISO MindMap 2020
• CISO MindMap 2019
• CISO MindMap 2018
• CISO MindMap 2017
• CISO MindMap 2016
• CISO MindMap 2015
• CISO MindMap 2014

Help Needed

I have heard many recommendations from our community but unfortunately I don’t have enough time to act on these. If you can help in any of the following areas, please reach out.

1. A dynamic and responsive CISO MinMap page that users can interact with such as clicking on each item and provide further context to become a Wiki page.
2. Split it out one for a large shop mentality and one for smaller shops.
3. Add regulatory requirements for different regions.
4. Translate CISO MindMap into other languages.
5. An option where one can order a large printed poster.

References

[1] OWASP GenAI Security Project –  OWASP Top for GenAI and LLM

[2] Blog Post – GenAI Risk Categories

[3] Blog Post – How to use GenAI in Cybersecurity Operations

Copyright © note

This MindMap is copyrighted material. However it is absolutely free to all (like water and air) with no strings attached, as long as it is not altered and not used to make money. When using this MindMap, please cite the source properly so that recipients can receive future updates.

Subscribe to Blog

To keep yourself updates and receive email notifications of new posts, use the following link to subscribe to my blog.

Recent Posts

• CISO MindMap 2025: What do InfoSec Professionals Really Do?
• How to Use GenAI in Cybersecurity Operations
• GenAI Risk Categories
• Ten Best Practices for Cybersecurity Risk Management
• Run LLM Models on Macbook – Part II