What am I walking into? How to prepare for your first CISO role
Starting a new role is an exciting time where you can ease yourself into the job, take time to get to know your colleagues and work out the systems and processes, right? Well, it’s unlikely to be that easy if you are taking on the role of Chief Information Security Officer (CISO). With an average tenure of fewer than two years, there’s precious little time for a CISO to make an impact.
This is why it’s important to understand the type of environment you’re walking into as you take on the CISO mantle. It may be a cyber mature organisation with plenty of budget and resources. Or, you may be walking into a company that’s just had a major incident or is unknowingly heading for one. Either way, as the new CISO, you must get your head around the technical and the cultural challenges to ensure you’re suitably prepared.
With so much to do in the first weeks, it can be daunting just thinking about it. What should you prioritise? And how do you balance the listening and learning elements with acting and delivering change?
Prepare before you walk through the door
Every leader worth their salt will tell you the job starts when you accept the offer. That’s when you begin to learn about the company and can start mapping out key individuals and teams across the various priorities of the business.
You’ll also have a sense of your starting point. Is the focus of the job technical or transformative, and how does that align with your previous experience? What’s the organisation’s culture of cybersecurity? Does it even exist? What are the business’s top line goals, and how do they affect cybersecurity posture? Are there any frameworks or regulations you need to be aware of that will enable you to be on the front foot? Gaining a sense of the level of cyber maturity in the organisation will place you at a distinct advantage come day one.
Assessment and triage
Once you walk through the door, it’s time for a more thorough assessment. A big part of this will be listening to, and learning from, your new colleagues across a raft of teams, be they IT, digital, or risk, as well as discussing needs with the other business leaders. Cybersecurity is an all-encompassing job that requires the support of every facet of the organisation. Getting people onside, and making sure they feel listened to, can be half the battle.
The first item on the list is an initial triage of the environment. Cyber health is much like preventative health: knowing what you are dealing with is vital. You need a true picture of assets, data, and controls to inform your plans, and that may require interrogating data from your SIEM platform or working with a partner to collect and make sense of security telemetry. Bear in mind that a SIEM only shows you the systems that are already sending it logs, so reconcile what it sees against your asset inventory rather than treating either source as complete on its own.
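As an added illustration of that reconciliation, and not code from the original article, the script below compares a constructed CMDB export against a constructed SIEM log-source report and lists the three gaps a new CISO wants on day one: inventoried assets with no telemetry at all, assets whose last event is stale, and hosts logging to the SIEM that the inventory does not know about. The CSV layouts, hostnames, and timestamps are all assumptions made for the example.

```python
"""Added example: reconcile an asset inventory against SIEM log sources.

Assumptions (not from the article): the CMDB export and the SIEM's
log-source report are both CSV text with the columns shown below, and
the sample rows are constructed purely for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed CMDB export: hostname, environment, data classification.
CMDB_CSV = """hostname,environment,data_class
web-01,prod,public
db-01,prod,confidential
hr-app,prod,confidential
build-07,dev,internal
"""

# Constructed SIEM log-source report: hostname and last event time (UTC).
SIEM_CSV = """hostname,last_event
web-01,2024-05-01T09:58:00Z
db-01,2024-04-02T11:00:00Z
jump-99,2024-05-01T08:00:00Z
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(cmdb_csv, siem_csv, now, stale_after=timedelta(days=7)):
    """Return three sorted gap lists:
    silent  - inventoried assets with no SIEM log source at all
    stale   - inventoried assets whose last event is older than stale_after
    unknown - hosts seen by the SIEM that the inventory does not list
    Silent and stale entries carry the data classification so the output
    can be prioritised by what matters most.
    """
    assets = {row["hostname"]: row for row in parse_csv(cmdb_csv)}
    seen = {}
    for row in parse_csv(siem_csv):
        # fromisoformat on older Pythons does not accept a trailing 'Z'.
        ts = row["last_event"].replace("Z", "+00:00")
        seen[row["hostname"]] = datetime.fromisoformat(ts)

    silent = sorted(
        (host, asset["data_class"])
        for host, asset in assets.items()
        if host not in seen
    )
    stale = sorted(
        (host, assets[host]["data_class"])
        for host, last in seen.items()
        if host in assets and now - last > stale_after
    )
    unknown = sorted(host for host in seen if host not in assets)
    return {"silent": silent, "stale": stale, "unknown": unknown}


if __name__ == "__main__":
    # Fixed "now" so the constructed sample data gives a stable result.
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for gap, entries in triage(CMDB_CSV, SIEM_CSV, now).items():
        print(f"{gap}: {entries}")
```

With the sample data, `hr-app` (confidential) and `build-07` have no log source, `db-01` last reported almost a month ago, and `jump-99` is a host the inventory has never heard of. Each of those is a different conversation: the first two are onboarding work for the SOC, the third is a question for IT about an unmanaged system.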
With a clear view of your organisation’s security posture and the gaps or vulnerabilities you have found, you can begin working with your teams, your C-suite peers in functions such as finance and procurement, and the CEO to put plans in place.
Set short-term and long-term goals
The nature of your first 100 days will depend on the context. If you are the first security leader in the organisation, you may be reviewing and updating the company’s information security policy and ensuring necessary measures are in place to comply with regulations. On the other hand, if you are coming in after a major incident, you may be leading the review and remediation process.
Prioritising quick wins will show impact and get buy-in from stakeholders for future improvements. Working with SaaS providers that offer a breadth of capabilities is likely to be a critical component of those first few months. No one needs to be told about the dearth of skills and resources right now, which is why onboarding a trusted partner who understands your organisation delivers a raft of benefits. They’ll be able to deploy solutions at speed to improve security maturity and decrease risk, provided their access and responsibilities are clearly scoped from the outset. At the same time, you benefit from economies of scale, expertise, and the knowledge they have from dealing with organisations in similar situations.
Meanwhile, with the basics and day-to-day security in hand, you’ll also be thinking further ahead. This is the time to set your vision for the organisation, with a roadmap for the next two years that includes longer-term projects and the operationalisation of security to generate even more value and efficiency.
Communicating up, down, and across
With the technical and operational components in hand, communication and interpersonal skills become just as vital to build trust and get the business to support your plans. New CISOs often make the jump having worked primarily within a SOC or leading risk teams. As you venture into the new role, your team will be implementing the plans you create, so take the time to get to know them, listen to their experiences, and communicate your expectations and objectives clearly.
Likewise, your ability to engage upwards with senior leadership will play a big part in your future success, whether that’s securing budget for resources or effecting cultural change. Boards and company execs will want you to explain your proposals in the context of the company’s strategy. As the Harvard Business Review puts it, CISOs must be fluent in business strategy as well as technology.
Growing in stature
The CISO role is a tough one. It’s often likened to the challenges new CIOs faced when that role first emerged. Explaining and showing the benefits of technology to the business was hard as organisations grappled with new ways of working in their quest for greater efficiency. It took some time for CIOs and their teams to find their feet and articulate that value. The same applies in many respects to the new generation of security leaders populating our major organisations. Yet it’s a fascinating period to be leading the charge in protecting your organisation from malicious threats and risk. And, as the function matures further, its stature will only increase and prove to be of immense benefit to businesses everywhere.