
Advice for New CISOs: How to Get a Head Start on Information Security Governance

A new Chief Information Security Officer (CISO) starting the first day on the job has many challenges to juggle – navigating infrastructure complexity, keeping up with ever-changing compliance and regulatory requirements, working through team skills shortages, and overcoming inadequate funding.

In April, the Ponemon Institute surveyed more than 500 CISOs to assess their level of preparedness for a data breach. According to the results, 67 percent stated their company was more likely to suffer a data breach or cyber attack in 2018. More than half of CISOs pointed to an inability to protect sensitive data from unauthorized access, keep up with the sophistication of hackers, and failure to control third parties’ use of sensitive data as potential reasons for more data breaches.

It’s no wonder that 66 percent of CISOs expected their jobs to become more stressful through 2018. As Ed Powers, Principal at Deloitte & Touche LLP and U.S. leader of cyber risk services, explained, “One of the early expectations of a new CISO is that somehow you are going to step back and see the forest through the trees and be able to tell what you are going to do to make this security program take off.”

As a former CISO with more than 18 years of experience, I’ve been there before and understand the ongoing hurdles that you need to navigate to mature your information security program. Here are some recommendations you can put into practice immediately to stay on top of information security governance demands.

Choose a Framework

As a new CISO getting up to speed with your organization’s information security programs – or lack thereof – you need to select a framework, whether it’s ISO, COBIT, or NIST. Having a framework in place gives you a template of sorts to work from and cuts down on a scattershot approach to implementing information security processes and procedures across the organization.

My personal preference is the ISO framework, because it’s internationally accepted. ISO 27001 provides the control expectations for information security program certification, while ISO 27002 provides more descriptive detail on the 27001 requirements. All the standards in the ISO 27xxx family cover different aspects of information security, so you can gain insight into different elements of a program to meet your current and future needs.

Determine the State of Your Security Implementation

It’s important to take a close look at the IT infrastructure, specifically how your firewalls and servers are configured. Review your firewall rule sets and server configurations. If you don’t have a process in place to review these critical devices, make that a priority. You also need to establish a process for regular vulnerability scans and penetration testing on your network. Vulnerability scans and penetration tests are the starting point of any deep-dive inspection or investigation of your technology.

On the non-technical side, creating policies is essential. A policy is critical to guide employees and staff on compliance requirements, whether that’s password management or access management, or whatever else the business requires. Without a set of policies, as a CISO, it’s harder to ensure everyone understands security requirements and working controls necessary to protect the company’s information assets adequately.

When it comes to policy creation, it’s also important not to get so detailed that you turn your policy into procedures. You want to separate policies from procedures because procedures change more frequently. A policy should never be that prescriptive. Instead, it should explain why the organization requires certain actions to maintain compliance.

Establish Information Security Program Governance

Once you’ve developed your policies, what do you do with them? Policies should go through a thorough review process by key stakeholders – not just IT staff.

Bring a governance committee together for information security that includes representatives from Legal, Audit, different business units, and the C-suite. It’s important to form a committee that can look at policies from different (non-IT) perspectives. The governance committee provides final approval of all policies which then form the roadmap for information security program management and training.

Develop Training Content for Specific Audiences

I’m a firm believer that most employees want to do the right thing. If they’re told what they need to do, they’ll generally comply. You just need to clearly establish the business processes and expectations up front.

Audience-based security awareness training should reach every level and every function of the organization. You must tailor the content to different audiences. For example, if you’re speaking to an IT audience who are extremely technical, you need to explain the security policies that apply when they’re standing up servers or routers. For a non-technical audience, you may need to cover password length and complexity, or how to identify phishing attempts and social engineering.

As the CISO, you need to make sure that information security training and awareness is part of the onboarding agenda for new hires. Ask for 15-20 minutes of their time to explain what the organization expects of them when it comes to protecting proprietary information. It’s easier to work that training in with new employees since they are coming with a blank slate.

Gain Immediate Buy-in from the C-Suite

As a CISO who comes onboard or is promoted to the position, you should attempt to identify how the C-level makes decisions and what risks keep them awake at night. As a former CISO, this would be one of the first moves I made. I needed to become familiar with how they communicated and what the management and business priorities were, so I could use the right language and corporate attitude when approaching them for support of the Information Security Program initiatives.

Remember, every corporation has its own culture. A new CISO really must show progress right away while under intense scrutiny. The best way to show progress is to gain immediate support from those C-level decision-makers. Using a control framework (e.g., ISO 27xxx) as your premise, you need to show the decision-makers that you are organized, reasonable, and have mission-critical initiatives for enterprise risk management from an IT and information security perspective.
Juggling challenges right from your very first day is daunting. The company didn’t get to this point in six months and won’t fix everything in six months. As the CISO, you are effectively a change agent. You need to adopt the change-agent mentality to educate your organization, top-down and bottom-up.

Although there are innumerable challenges that every CISO faces, these recommendations should help you get a firm footing on the information security priorities of your company.

To learn how your organization can face a breach event by bringing together incident response and business continuity teams, check out our eGuide, “Best Practices for Integrating Incident Response and Business Continuity Programs.”