CISO 101: What the Terms Mean—and How to Use Them With the Business

Introduction

This article is a pocket glossary for CISOs—the executive responsible for a company’s cybersecurity strategy and program. It’s for CISOs and their deputies, CIOs/CTOs, business-unit leaders, product owners, and board members. The goal is simple: translate security into the language of executive decision-making—money, risk, SLAs, and impact on revenue and customers.

CISO Glossary (by theme)

1) Role & Governance

• CISO (Chief Information Security Officer) — Owns security strategy and the company’s security program: policy, budget, operations, and reporting to the CEO/board.
• BISO (Business ISO) — A “frontline” security leader embedded in a specific BU; lands the CISO’s strategy against business goals.
• Security Steering Committee — A cross-functional forum to prioritize security investments and risks.
• RACI — Role matrix: Responsible/Accountable/Consulted/Informed.
• Three Lines Model — 1st line (process owners), 2nd (risk/compliance), 3rd (audit).
• TOM (Target Operating Model) — The future-state operating model of the security function.

2) Risk & Strategy

• Risk Appetite / Tolerance — The level of risk leadership is willing to accept.
• Risk Register — A catalog of risks with owners and treatment plans.
• Inherent / Residual Risk — Risk before/after controls.
• FAIR (quantitative) — Money-based cyber risk analysis.
• Risk Treatment — Avoid/Transfer/Reduce/Accept.
• Risk Acceptance — Formal sign-off on residual risk with business justification.

3) Metrics & Reporting

• KPI / KRI — Performance indicators and risk indicators.
• MTTD / MTTR — Mean time to detect / to recover.
• Coverage — Percent of assets covered by required controls (e.g., critical vuln closure rate).
• Risk Reduction — Measurable risk delta after a control is implemented.
• Heat Map / Scorecard — Visualizations of risk and program health.

4) Policy & Compliance

• ISMS (ISO/IEC 27001/27002) — Security management system and control catalog.
• NIST CSF — Identify–Protect–Detect–Respond–Recover framework.
• SOC 2 — Reporting on Trust Services Criteria (Security/Availability/Confidentiality, etc.).
• PCI DSS — Requirements for handling payment card data.
• Privacy (GDPR/CPRA/HIPAA/GLBA) — Privacy regulations and sector standards.
• DPA / Contractual Controls — Contract-level obligations and additional vendor controls.

5) Identity & Access

• IAM — Roles, policies, federation; principle of least privilege.
• PAM — Privileged access governance and session oversight.
• MFA (phishing-resistant) — Strong factors (FIDO2/WebAuthn preferred).
• SSO / Federation — Single sign-on and cross-domain trust.
• JML (Joiner–Mover–Leaver) — Access lifecycle for hires/moves/departures.
• Zero Trust — Verify every session; never trust the network by default.

6) Architecture & Cloud

• Shared Responsibility — What the cloud provider vs. customer secures.
• Landing Zone — Reference cloud foundation (accounts, network, guardrails).
• Baseline / Guardrails — Mandatory policies/limits (e.g., no public S3 by default).
• CSPM / CIEM / CWPP — Config, identity, and workload security in cloud.
• KMS / BYOK / HYOK — Key ownership and placement models.
• IMDSv2 / Temporary Credentials — Safer metadata access and short-lived keys in EC2.

7) Software Development & Delivery

• Secure SDLC — Security at each stage; shift-left practices.
• Threat Modeling — Systematic analysis of attack paths for designs/features.
• SAST / DAST / IAST / SCA — Static/dynamic/interactive testing and software composition analysis.
• SBOM — Software bill of materials for supply-chain visibility.
• Secrets Management — Secure storage and rotation of credentials.
• DevSecOps / IaC Security — “Security as code” in CI/CD and infrastructure.

8) Operations & Detection

• Asset Inventory — Accurate asset register; no control works without it.
• EDR/XDR — Endpoint and extended detection & response.
• SIEM / SOAR — Event correlation and response automation.
• Detection Engineering — Building detections for your threat profile.
• Vulnerability Management — Prioritization (CVSS/EPSS), patch orchestration.
• Playbooks/Runbooks — Standardized incident response steps.
• Tabletop / Purple Team — Exercises and joint Blue+Red drills.
• CTI (Threat Intel) — Threat TTPs and actionable intelligence feeds.

9) Resilience & Crisis Management

• BCP/DRP — Business continuity and disaster recovery.
• RTO/RPO — Recovery time and recovery point objectives.
• Backups (immutable) — Tamper-proof backups and restore testing.
• SEV Levels / Escalation — Incident severity and escalation criteria.
• RCA / PIR — Root cause analysis and post-incident review with actions.

10) Vendors & Finance

• Third-Party Risk / TPRM — The full vendor-risk lifecycle.
• SLA/SLO/OLA — Availability and support objectives in contracts.
• TCO / ROI / Payback — Economics of controls and security investments.
• Cyber Insurance — Coverage scope and exclusions.
• Roadmap / Budgeting — Security program planning and funding.

11) People & Culture

• Security Awareness — Training that changes behavior measurably.
• Phishing Simulation — Testing resilience to credential theft/social engineering.
• Security Champions — Embedded advocates inside product teams.
• Insider Risk — Managing internal misuse or abuse of access.
• Hiring/Retention — Building and keeping critical security talent.

12) Executive Communication

• Board Reporting — Business-grade metrics and risk narratives.
• Risk Narrative — Scenario, likelihood, impact, and options—told clearly.
• Executive Summary — Two pages or less: decisions and effects.
• Metrics that Matter — Measures that affect customers/revenue/regulators.
• Stakeholder Map — Who cares about what—and how to keep them aligned.

Conclusion

A CISO’s job isn’t merely “fix vulns.” It’s to manage risk so the business runs more reliably and grows. The clearer you express the value of controls in business units—dollars, SLAs, reputation—the stronger the security function’s impact. Learn the terms, align on metrics, and speak the language of the business—that’s how you build a security program that truly works.