As a new Chief Information Security Officer (CISO) on the job, there is a sense of immediate urgency to show value and make an impact. Maybe you’re joining an organization that had some major problems before you arrived – a public incident, a challenging personnel situation, an unsatisfactory audit, etc. All eyes are on you, or at least it feels that way.
Keep in mind that the impressions you developed of the situation during your recruitment and hiring process may not be the true picture of what you’re walking into when you actually start the job. Consider the following three areas of focus to help with a positive start.
1. Understand the Business and the Organizational Structures
Every organization is unique. You’ll need to demonstrate an open mind and a mature approach to joining the team. Don’t hide in your office for 30 days, but also don’t come in the door guns blazing. Focus on building initial relationships with people and gaining an understanding of the following:
- What needs to be protected?
- Who are the security champions?
- What information about security is useful to the business and what forums exist to get it in front of key decision makers?
- What organizations exist that security needs to integrate with? (e.g. project management office, software development life cycle management, audit, compliance, enterprise risk management)
2. Carefully Review the History and Artifacts
Assuming previous work has been done, you’ll want to review the documentation and thoroughly understand what issues have already been identified. Focus on looking for artifacts and information sources that provide insight into the following:
- What incidents have occurred?
- What previous assessments have been performed?
- What process gaps exist?
- What unaddressed audit findings need attention?
- How were lessons learned applied?
- What are the perceived roadblocks to making improvements?
If you’re the first security leader in this organization there may not be any artifacts. Previous assessments may not have been performed. So, you’ll need to have an overall security program assessment performed early on to help create the baseline.
3. Use Caution When Approaching Funding Requests Early On
Do not start with funding requests for tools and technology purchases without a solid plan and understanding of the processes. It’s common for CISOs new to the job to fall into the trap of giving the impression that tools and technology are the salvation.
Be prepared with data and articulate the business benefits in non-technical terms. Have alternative options in mind if funding is not fully approved. You will be expected to understand and articulate the following:
- What is the budget planning cycle?
- What are the resource plans?
- What is measurable and unmeasurable?
- How will you answer questions about return on investment (ROI)?
- What control does the technology support?
- What threat does the tool help mitigate?
There can be a lot of pressure to demonstrate results quickly when you start a job as a new CISO. Some of this pressure is likely self-inflicted and can be alleviated by having a focused approach as suggested above. Build relationships and integration within the organization, understand what work has already been done and what gaps have already been identified, and carefully construct any proposals that require funding so that you have ongoing support.