Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…