Light Dark
February 7, 2019 By Joan Goodchild 4 min read
CISO
Risk Management

Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?

With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.

What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?

Here are six steps to help you get started in a new security executive role.

  1. Take Stock of Technology
  2. Assess Your Processes
  3. Build Out Your Team
  4. Talk to Key Internal Stakeholders
  5. Get to Know Customers
  6. Start Thinking About Your Budget

1. Take Stock of Technology

One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?

According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.

Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.

2. Assess Your Processes

After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.

This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.

3. Build Out Your Team

Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.

“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”

Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.

If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.

4. Talk to Key Internal Stakeholders

You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.

Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.

5. Get to Know Customers

Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.

6. Start Thinking About Your Budget

Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.

Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.

Start Your CISO Tenure Off on the Right Foot

Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.

 |  |  |  |  |  |  |  |  |  |  |  |  |  | 
Joan Goodchild
Contributor

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature