The first 90 or 100 days on a new job is critical for the success or failure in your new position. The role of a chief information security officer (CISO) is one of the most difficult leadership roles to fulfill – and to stay in long term. With the average lifespan of a CISO at 26 months, a new CISO must move quickly and strategically to integrate into the organization and make an impact on security risk.
Whether you are a new CISO, or a seasoned pro just looking for some new ideas, you will be well served for future growth with these helpful tips.
History of the CISO
The CISO role dates back to 1995, when financial services company Citigroup (then Citicorp) set up a specialized cybersecurity office. He was tasked to prevent reputational damage and loss of major corporate clients after being hit with a series of cyberattacks from Russian hackers. Despite the hack, Citicorp did not lose a single customer.
While it is common for the most senior member of the IT team to be promoted, the role of the CISO is about mitigating business risk. Technology plays a part, but it is more about the business risk posed and the strategy to mitigate that risk. Getting business leaders on board with that strategy requires talking to them in terms they understand.
Over 25 years later, nearly every large U.S. company has a cybersecurity leader. And the role has evolved to not only include technical skills but also those as a leader, manager, and communicator.
The CISO role is a critical one for any business – and over the years, some companies have employed the services of a virtual CISO (vCISO, also called a Fractional CISO) when the organization is not large enough to support a full-time CISO.
The Role of CISO
Over the years, the role of a CISO has become exponentially more complex as the number of connected devices and cyber threats has increased all while workforces have become more distributed and skilled cybersecurity resources have become difficult to find. This senior level executive is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are protected. The CISO also plays an important role in business growth and profit.
The CISO directs staff in identifying, developing appropriate processes and controls for managing security risk, and managing security technologies. The CISO is also responsible for protecting the sensitive information and assets of the company. And, the CISO is usually also responsible for ensuring information-related compliance with regulations like CMMC, PCI DSS, HIPAA, and others.
Goals for the First 90 Days
Once you have landed your role as a CISO, it is important to set the foundation over the next 90 to 100 days.
Build relationships with key players.
Ideally, you should meet with key stakeholders and colleagues including your boss, peers, and subordinates to start building collaborative relationships. This should also include sales, legal, PR, operations, and communications since it is important to understand risk at all levels.
Focus on listening and learning from all of these key individuals since they will play an important role in driving the buy-in and the success of your security program. Not only will you learn how they impact risk, it is important to learn their risk tolerance. You will also have the opportunity to highlight your best qualities and build a basic engagement plan for working together moving forward.
The CISO also needs to be able to speak to the board of directors. They will look to the CISO to identify the organization’s most critical assets and have a plan of action for protecting those assets. A CISO will also provide metrics regarding progress – in a way for board members to evaluate those metrics based on an industry standard.
Take stock before making changes.
The next step is to develop a baseline. As a new CISO, it is difficult to jump in and take action without gathering information on the status quo. You should focus on:
Take an inventory of the assets which are accessing your network and the risks that they pose to the organization. Get a more detailed understanding of your internal workforce as well as third parties and vendors that interconnect with the company. You cannot protect what you can’t see.
This is a good time to do a vulnerability assessment. Identify what assets are connecting to the network, the data that is being accessed, and the risks posed to the environment. This will help determine how critical are those risks to the overall business operation as well as to help prioritize remediation efforts.
Remediation Validation or Continuous Assessments would also allow you to identify trends and evaluate the overall effectiveness of the security controls and processes that are in place in reducing corporate risk.
- Staying focused on fundamentals.
Do you have a strong program for identifying and remediating vulnerabilities? Take stock of your security stack – what’s available and is it providing value? Is there an efficient process for patching software and implementing other security controls? Are security controls being validated to determine whether they are actually reducing threats – or are they just contributing to the complexity?
Security is a team effort and should be coordinated as such. A successful CISO is one that recognizes that information security is a continuous and ongoing business process that requires buy-in from individuals and teams across the company. Roles and responsibilities should be clear to avoid confusion or security lapses. This will minimize coverage gaps and duplication of work efforts already done by another individual or department.
- Assess technical maturity of your security program.
Security maturity matters. A typical organization will have a functioning security program, some security processes, and multiple security initiatives under development. It is important to identify any glaring gaps in what already exists before progressing to more advanced capabilities.
Evaluating your security maturity level helps to provide a basic roadmap for organizations that want to have a leadership that is invested in and interested in making security a core priority.
Develop a plan.
Once you have taken stock of your organization’s baseline security posture and mapped vulnerabilities to identify the highest risk issues, it’s time to develop your action plan for fixing these issues. Frameworks such as the NIST Cybersecurity Framework and CIS Controls can help guide you.
An action plan could look like:
- Addressing vulnerabilities – The vulnerabilities that were found during your fact finding mission should be your starting point. Those that could have a critical impact on your business operations should be tackled first.
- Sort out patching – Patching is a crucial component of maintaining a secure security posture.
- Securing endpoints – Put in place measures like 2FA and zero trust access which will help you mitigate future attacks.
- Fixing infrastructure risks – Address infrastructure issues like uninstalling or removing unused applications, services, and environments.
- Improving your threat response – Attacks are inevitable for even the most secure organizations and having a response plan in place will help reduce the level of impact to the organization.
As you act on your plan and have results in improving your security posture and reducing risk, share the results with your stakeholders. Early wins will help build your reputation as a CISO.
Strong communication channels between the CISO and the board are crucial for the success of the program. This will allow you to show how you are adding value to the business – and to also voice your challenges.
Produce evidence of your impact on the organization. By tracking the right metrics, you can monitor the effectiveness of your program, evaluate your team’s performance, and show a return on investment (ROI) for the company’s security spend. This will help you be better equipped to answer the questions from the board, identify and prioritize gaps, and build the budget needed to protect and enable the business.
Some metrics to consider include the percent coverage of company assets, remediation efficiency, risk exposure rates, and time to discover/contain/remediate.
How VULNERA Helps You
Understand your IT Environment
Continuous assessments provide real-time visibility of your attack surface.
Build a Robust Security Strategy
We help security teams create an effective detection – remediation loop.
We provide audit-ready executive, technical, and differential reports.
Validate Security Investments
We help justify your annual security spend by validating how effective security controls are reducing risk.
Prepares You for Growth
VULNERA’s solutions are easily scalable to grow with your company.
There are a lot of things to worry about as a new CISO. Knowing where to start will help you lay down a good foundational framework to build upon during your tenure.