Landing a dream job as a chief information security officer (CISO) is only part of the win.
No matter how attractive the position, the salary, the company, or the promises made, when a CISO walks through the door to a new job, the real work begins. Unless an organization is a brand-new startup, most CISOs are inheriting someone else’s security strategy, operations, team, and management history, for good or for bad. And typically, it’s a mix of both.
Those who are gung-ho to get started with their great plans might want to curb any impulse to go in and upend the existing security apparatus — and conversely, resist the temptation to let what appears to be a well-run shop keep on its present track without intervention. Instead, create a 30-60-90-day plan, a leadership tool that guides a new hire through the first 90 days on the job by laying out goals and strategies.
For new CISOs, such a plan can be particularly helpful because it encourages gaining a deeper understanding of an organization’s security culture and operations so they can “make their mark” based on facts and valuable assessments of what works and what doesn’t.
There’s no one-size-fits-all solution for security, but certain elements can make or break a new CISO’s strategy and effectiveness as a leader. Make sure that any 30-60-90-day plan includes the following steps:
Understand current security operations. CISOs shouldn’t come in believing that they know everything about security and that their expertise will apply evenly. Instead, unless a crisis is underway, a new CISO should implement a more measured approach, taking the time to understand how security is functioning at the organization — and why.
Become a student of history. In with the new, out with the old…not so fast. No matter how eager a new CISO is to get started and make their mark, it’s a mistake not to understand thoroughly what came before — both practically and in terms of management style. Look at the security landscape as a whole and evaluate what resonated with employees and the organization, as well as what worked and what didn’t. Then tread carefully — even a mediocre former CISO typically has a loyal contingent who needs to be convinced that the new kid isn’t bent on ripping up everything just because.
Listen to employees. Employees typically wait with some trepidation about what new leadership will look like and what changes are to come. It’s important for a new CISO to explain thoughts and perspectives, but it’s even more important to give workers the opportunity to weigh in. Otherwise, the new CISO may face a mass exodus, or at least substantial resistance. Of course, it’s important to let workers air grievances, but try to steer the conversations in a more positive direction and develop a concrete plan.
Gauge employee proficiency. As important as it is to listen to employees, it’s equally critical to understand how capable they are.Don’t just focus on their technical skills. Look closely at their softer skills and what roles they play on the security team, assessing whether they’re an asset or a challenge.
Solicit a third-party audit. An incoming CISO will not get a full, unvarnished, and accurate view of security at a new company by operating in an insular environment. Resist listening only to internal forces, which, while important, might also be myopic. Bringing in a third party as soon as possible can provide a valuable outside perspective from an expert and identify blind spots — as well as produce a score of some type that a CISO can take to the team, to senior leadership, and to the board to help all parties understand where the organization’s strengths lie and where security efforts fall short. As an added bonus, a third party frees up a CISO to do other tasks.
Sharpen business acumen. Don’t just focus on technology and security issues. A big part of the security conversation must center around business and management objectives. Setting up meetings with management and business leaders in the company — in addition to going before the board — can provide valuable insights that will help a CISO prioritize what’s important to the business and craft solid and doable security measures.
Follow the law. It’s a mistake to underestimate the role that regulations play in the security landscape. Even organizations in industries that are not heavily regulated must comply with certain requirements. It’s important for a CISO to understand from the jump which regulations are key, then to craft security measures that ensure compliance.
Set specific, practical goals. An amorphous, vague plan benefits no one. Once a CISO has become intimate with an organization’s security culture and day-to-day operations and has gathered all the information needed to envision a path forward, simply issuing a report isn’t going to cut it. This is the time for a new CISO to be bold and set goals — operationally and managerially — and clearly communicate them to the team and the organization as a whole, complete with a reasonable timeline.
Evangelize. Selling security from the bully pulpit may not come naturally for many CISOs, who think in bits and bytes and the practicalities of security. But no plan will succeed without support from senior management, everyday workers, and the board. An important, if uncomfortable, part of a CISO’s job is to get out and spread the word. Harness the passion for security, then figure out how to best communicate it to stakeholders. The end result will be the creation of a much-sought-after culture of security.
Monitor and report on progress. Once a plan is in motion, it might be tempting to sit back and let it spin out. But it’s important for the CISO to monitor the plan’s progress and deliver regular reports to all stakeholders. Not only does this keep the plan on track, but it will keep stakeholders invested.
Be flexible. While a 30-60-90-day plan can be crucial to the success of a new CISO’s tenure, CISOs shouldn’t be rigid in its adoption. After working so diligently on a plan, it’s tempting to single-mindedly push its merits. But force-fitting the goals of a plan onto a security team can ignore imminent security problems that crop up and can discourage the security team. Instead, try to stick to the plan where possible, and make adjustments to allow for the reality of an organization’s culture and the security threats that may crop up.
The old idiom about the fate of the best-laid plans most certainly holds true, particularly in security. Breaches, ransomware attacks, and other incidents stop for no one. And threat actors aren’t known for letting a CISO get comfortable in a position or get a plan in motion before launching an attack. Since new CISOs are developing their 30-60-90-day plans on the fly as they settle into unfamiliar surroundings, it’s important that they remain flexible — understanding that not every goal will be met without a hitch and adjusting their strategies where necessary.