Although the role of CISO is more important, prestigious and lucrative than ever, it is also highly publicized and potentially high-risk. Recently, for example, a jury convicted the former Uber CSO of mishandling cyberattacks at the company, with up to eight years in prison on the table. Although this is an extreme case, it shows that the role of CISO should be taken seriously.
Given the critical nature and high stakes of the position, first impressions are everything. Approach the first 100 days in a new CISO position as a key period to accomplish the following:
It is essential to immediately establish a tone that balances transparency with high standards, accountability with understanding, and competence with humility and a willingness to learn.
Roadmap to CISO success
As a new CISO, successfully navigating the first 100 days of work begins long before your first day in the office. After landing a new role, immediately start sketching out a working list of immediate, medium, and long-term goals, which you will keep updating in the days, weeks, and months to come.
Before the first day: get ready
First, do your homework. Learn all you can about the following:
- Company. Research your organization thoroughly, even if the new CISO position is a promotion and you’ve been with the company for years. Study its overall mission and high-level goals, and assess how security fits into the larger business context. Consume news articles, interviews, and other available content about the organization, paying particular attention to security incidents and business issues that may affect cybersecurity.
- Outgoing CISO. Find out everything possible about the outgoing CISO, including their strengths and weaknesses. Don’t assume the worst: your predecessor may have done some good things in the security program and left on good terms. Either way, it is helpful to understand as much as possible about your predecessor’s tenure and departure, whether they left to seek a CISO role at a larger company or following a serious security incident.
- Your mandate. Review notes from the interview process to assess your mandate: what the company specifically wants you to do and any ongoing security issues on management’s radar. At the end of your first 100 days as a CISO, you and management stakeholders should share a clear and detailed understanding of your role, responsibilities, and goals as the organization’s security leader.
- Technology. Learn all you can about the tools, systems, and services that you already know are in place in the organization.
- Stakeholders. Take the time to find out what you can about key stakeholders, including your boss, management, key business unit leaders, and security team members. The more you know in advance about these people’s backgrounds, strengths and shortcomings, the better.
- Talking points. Write a short professional bio that you can rely on when introducing yourself to new colleagues and prepare some basic questions to help you understand the terrain.
First week: people
In your first days officially on the job, watch and listen. Do not act.
Although some problems may become immediately apparent, resist the temptation to make changes in the first week or two. Instead, take the time to observe and understand the current security landscape as fully as possible.
First and foremost, learn about people. Meet the security staff and ask questions about their roles and responsibilities and how they do their jobs. Listen carefully as you get to know the personalities and dynamics of the team. Consider the following:
- how they coordinate and hold meetings;
- how they discover and manage security issues;
- how security works with IT operations; and
- how security interfaces with risk management and lines of business, where applicable.
Also hold introductory meetings with other key stakeholders, such as executives, business unit managers, and other relevant personnel.
First month: process and technology
Once you understand the human element, start methodically evaluating existing security processes. This review should include the following:
- Security architecture and strategy. First, determine if there is formal documentation of the security architecture and policy. If so, compare it to business objectives and the organization’s risk appetite, and note any obvious gaps or misalignments. If the documentation does not exist, make its development and the formalization of the security strategy a priority.
- Internal incident response, disaster recovery and business continuity plans. Assess whether existing incident response, disaster recovery, and business continuity plans follow best practices in situations such as ransomware attacks.
Next, ask how often the security team and the wider organization have historically held training exercises to put those plans into practice. Companies often tick the proverbial box with annual reviews, but best practice dictates quarterly exercises.
If at least six months have passed since the last review, consider conducting a tabletop exercise to see how well security personnel, IT personnel, and other relevant stakeholders respond to a simulated security incident. You may find that processes in existing plans need to be adjusted, contact information needs to be updated, and so on.
- Security tools and technology. Finally, make a comprehensive list of tools and technologies currently in place and note how the security team uses them. Review corporate security requirements and assess the following:
- whether the tools in place are suitable for their respective tasks;
- whether several tools meet the same requirements;
- whether staff have received adequate training to use the tools and technology in the environment; and
- whether additional tools and technologies are needed to meet key security requirements.
Inevitably, you will find some shortcomings, whether in tooling, training, or integrations.
First quarter: establish your vision and act on it
Once you’ve fully assessed your company’s security program, including its people, processes, and technology, consider its weaknesses. Draft a list of strategic priorities that address existing security gaps, consistent with the enterprise’s risk appetite and high-level business objectives, and group them into one of the following buckets:
- Short term: easy and inexpensive. Identify immediate actions your team can take to improve security without investing a lot of time or money, the low-hanging fruit. Examples include eliminating redundant tools and making minor changes to the incident response plan, such as updating key contact information. Quickly secure those easy wins to improve security and build credibility early in your tenure.
- Medium term: significant and relatively affordable. Identify critical security vulnerabilities that you can fix relatively quickly and inexpensively. These can include organizational realignments, training of security personnel, substantial changes to the incident response plan, and integration of tools.
- Long term: important but costly. Finally, identify important issues that need to be resolved but require more time and resources to do so. Examples include addressing staffing shortages and closing key tooling and service gaps that the current budget does not account for.