Congrats! You’ve landed a new job as a chief information security officer (CISO). Now where do you start?
With some figures putting the typical CISO tenure at just around two years, it’s clear turnover in this role is high. According to a Ponemon Institute study sponsored by Opus, 44 percent of CISOs surveyed said they plan to make a lateral move in their organization outside of IT security, and 40 percent said they expect to change careers. All of this considered, the window of time to make a mark as an effective security leader is short — and, in turn, stressful.
What are some best practices for getting started on the path to success in a new security management position? What do you need to do, who do you need to talk to, and what are the first actions you need to take to make an immediate impact and set yourself up for future wins?
Here are six steps to help you get started in a new security executive role.
1. Take Stock of Technology
One of the most important steps you will take in the first few days is reviewing the IT infrastructure of your new company. How are firewalls and servers configured? How many different endpoints connect to the network? What other technology is in place?
According to CSO, you should start by taking stock of which incident prevention security controls are preventing and reporting on malicious activity. You should also determine which security control management consoles, security information and event management (SIEM) tools, and log management solutions are collecting logs and alerts.
Understanding your systems and defenses is priority No. 1 because knowing what your new organization has in place — and where you may need to make additions and changes — will inform the next steps in your first few months in the CISO role.
2. Assess Your Processes
After gaining a comprehensive view into the technology that is in place, it is time to review and evaluate the processes in place for security. Is there an incident response (IR) plan in place? For 77 percent of organizations, the answer is no. Is the IR plan written and tested? What about awareness training? Is it done monthly? Annually? This information will give you a clearer picture of how the company has prioritized security in the past — and an idea of where it needs to go in the future.
This is also the time to poke holes in policies and standards that do not have formal processes attached, and develop and define them to be more effective. Clear, well-defined processes minimize confusion and chaos, and ensure your organization can comply with the policies you want to enforce.
3. Build Out Your Team
Whether you are utilizing existing employees or hiring new team members, building your security team is an immediate priority for a new security leader, according to Dan Lohrmann, former CISO for the state of Michigan and current chief security officer and chief strategist at Security Mentor.
“Focus on talent and relationships,” Lohrmann wrote in an article for Government Technology. “Surround yourself with security pros that work well together and cover skill set weaknesses.”
Direct reports that you will be managing are the first employees you need to get to know. Have one-on-one meetings with each team member if time allows to understand their strengths, weaknesses and insights on where security strategy stands in the organization. These employees have the institutional knowledge you don’t yet have and have dealt with issues and problems already. This time can also be an opportunity to build a relationship of trust so that your direct reports know they can come to you with concerns and feedback going forward.
If you have the luxury of hiring, after getting to know the existing security team, now is the time to assess whether you are lacking certain skills and talent on your team and look to the external talent pool to add to your ranks. This may be easier said than done, since the cybersecurity skills gap has made hiring challenging in recent years.
4. Talk to Key Internal Stakeholders
You want to gain a deeper understanding of the business, its mission, its immediate priorities and its long-term goals as soon as you get in the door. The CISO role is about security and business enablement. You will be expected to protect the organization and contribute to strategic goals.
Start by meeting with executive management when possible, as well as heads of business units. Understand their goals, visions, pain points and objectives. Ask how security management can assist with all of these. Getting to know these stakeholders will be the start of what should be an ongoing relationship and conversation that will give security a strong voice in the organization.
5. Get to Know Customers
Equally important to understanding the executive vision of the company is having a solid comprehension of the people the company serves. Getting to know key customers and clients on the front lines will give you the advantage of grasping how the enterprise is viewed from the outside. The customer lens of the organization will be invaluable in positioning security as a business driver instead of a hindrance.
6. Start Thinking About Your Budget
Gartner predicted that companies would spend around $96 billion on security products and services in 2018. But how can CISOs prove their investments had a measurable impact on corporate risk? It is no longer enough to simply deliver security to an organization; CISOs are also expected to demonstrate return on investment (ROI) and find ways to deliver direct business benefits.
Collecting data, evidence and metrics to demonstrate the need for security investments, why they are necessary in the near future and the proof of corporate payoff is another essential step for new security management. Additionally, this needs to be positioned in a way that business leaders understand, which takes us back to the importance of the prior steps. Without investing time in getting to know executive management and understanding customers, you will be less equipped to make the case for budgetary dollars for security priorities down the road.
Start Your CISO Tenure Off on the Right Foot
Starting a new job in the CISO role can feel overwhelming. But the time for security to be seen as a key player — and to have a major business impact — has never been better. While there may be multiple challenges to address right out of the gate in a new organization, heed these suggestions to start making a positive impact on day one.