Not so long ago, the role of information security manager was a purely technical position designed to help an organization overcome cybersecurity challenges. Today, however, the role of CISO has evolved, increasing in both responsibility and stature within a company. The CISO is now a critical member of the leadership team, responsible for linking not only cybersecurity, but also overall risk management, to business strategy and company operations.
The modern CISO is involved in strategic decision-making, for example, ensuring the business safely embraces digital transformation while assuring the board, customers, and investors that cyber capabilities and defenses are active and evolving with current threats. And they are responsible for leveraging people, processes and technology to enable their organization to safely achieve its overall business goals.
Given this shift in responsibilities, a CISO’s first 90 days on the job should be very different today than they were a few years ago.
The first 90 days
While many CISOs want to demonstrate their value immediately by getting involved with big ideas and projects from day one, they will be able to have a much bigger impact in the long run if they take the first step. time to understand the company’s mission, values and activities. Goals. They should also keep abreast of core businesses, products, services, research and development, intellectual property, and merger and acquisition plans. And they should understand any potential issues, previous violations, regulatory or external obligations, and existing technical debt.
With that in mind, here are some recommendations for what a CISO’s goal should be during their first 90 days on the job.
Gain an understanding of the larger mission and culture of the organization
From day one, begin to deploy a set of interviewing and questioning techniques with the goal of understanding the business, its goals, and its priorities. Survey your employees, mid-level business leaders, and customers to get an idea of all key stakeholders, initial pain points, and the maturity of the cybersecurity culture within the organization. Finally, gently ask your partners, suppliers, and vendors to determine who is just selling and who is a trusted advisor. Going through this process will open lines of communication, uncover challenges, and help develop a 90-day action plan and roadmap.
Identify the Crown Jewels
Determine what data and systems underpin the company’s strategic mission and core competencies, represent intellectual property, differentiate the company from competitors, or support key customer segments or revenue lines. These crown jewels are the digital assets most likely to be targeted by threat actors, and therefore need to see their cyber hygiene efforts accelerated. If the C-suite and the board understand these critical areas, they can tell you their risk appetite and you can implement security strategies accordingly.
Develop a plan based on the company’s current IT and business landscape
Once assets have been identified and prioritized, develop a written risk management plan with checklists for deliverables, structure, and communication between key internal and external stakeholders. On this last point, the CISO must always act as an information broker and as a partner of all the key decision-makers in the organization. An effective way to achieve this is to establish formal and informal communication with these roles, so that the organization can move forward strategically.
Master the basics
There are many technologies needed to secure the modern enterprise, but there are a few must-haves that should be implemented immediately, if they aren’t already. These are basic controls, including vulnerability management and anti-malware defenses for the endpoint, and non-negotiable controls, including multi-factor authentication, encryption of sensitive data, application whitelisting, monitoring 24/7 security, file integrity monitoring, privileged access management, network segmentation. , data loss prevention, and a rigorous assessment and audit function tied to vulnerability and remediation strategies.
Prove the value of security plans, processes, and technologies to the C-suite, business unit leaders, and board by implementing benchmarks and maturity assessments that show how the business stacks up against competitors, how security policies compare to industry best practices; and how security initiatives enable the business to conduct secure operations.
Always treat security as a business issue
Security incidents can lead to a myriad of business consequences and, conversely, strong security can help the business succeed in a secure manner. That’s why it’s so important that IT and security teams always stay integrated with the business side of the organization. As part of this, ensure ongoing communication and collaboration between executives, the board, and security leaders. When management understands the business risks posed by cybersecurity threats, they will be more likely to pay attention and participate in security efforts.
At the end of the first 90 days, a CISO should be able to answer questions such as: How well protected is the organization? How mature are our capabilities compared to industry standard frameworks? What are our most critical vulnerabilities and cyber risk scenarios? What is the most important data for the organization? Which data risks could have the biggest negative impact on the organization? And what will it take to improve the organization’s security posture, and do we have a roadmap?
While it may seem like a lot to do in three months, following these six steps will prepare your business for both short- and long-term security and business success.