It’s our good fortune to have an abundance of information security expertise at Protiviti, and it’s even better when we assemble these experts to share their experiences. In this first of a three-blog series, we discuss the early days for the CISO’s transition into a new leadership role which include:
- Identifying the relationships that are crucial to the new CISO’s success, with the business, IT, and the security and privacy teams, and describing approaches for building those relationships.
- Exploring the drivers for CISOs to establish meaningful organizational relationships, and the major influencing factors affecting the new CISO’s actions.
- Describing the activities that make CISOs effective early on, enabling the quick wins that convey competence and confidence.
For security leaders, trust is paramount
Trusting relationships bring influence, credibility, political capital — and the information CISOs need to be effective. These are the means by which CISOs gain support from subordinates, peers and superiors. They help CISOs master the inside story: organizational politics, history, and what has driven the organization’s success to date.
Building relationships requires preparation and calls for particular skills, tactics and patience. It can start with getting to know colleagues and the team before even meeting them. Research their professional experience and get to know their affiliations and interests. Once on the job, ask questions shaped by these learnings. Then, really listen to their answers to uncover individual concerns, temperaments, peeves and ambitions. Identify the commonalities that strengthen partnerships. This approach works for all the connections made in these important early days.
Building a solid information security team
It’s critical to begin by assessing capability and delivery strengths and weaknesses, which includes identifying candidate processes needing improvement. Doing this while prioritizing initial objectives and defining the role can ultimately enable the CISO to create a highly skilled team that is responsive to the organization’s needs.
With a leadership change, some employees may consider resigning, especially those who had close and trusted relationships with the predecessor. Conversely, there may be employees who did not have a trusted relationship with the predecessor, or who were not motivated to perform at the top of their game. These situations may require candid discussions and early attention. Beyond knowing staff members’ attitudes and performance, learning about the opinions and desires of all security employees is a necessary and healthy process, and represents the best initial step for a new CISO to understand the drivers within the new organization.
Get to know the team as a group. Observe how they relate to one another and note where the alliances and rivalries are. It’s equally important to know team members individually; typically, one-on-one conversations uncover information people won’t voice in a group. Take care of the team and make sure they know their success is supported. Be honest and transparent when providing feedback; strive for an objective perspective while managing performance. Listen to what they say and seek opportunities to communicate frequently. The timing of these conversations is very important, as leadership changes can be dramatic for employees, so move quickly to ensure the best and brightest feel they are being heard and know they are essential to the future of the program. In a similar light, be quick to identify employees who could culturally detract from the team.
The Chief Information Officer
The CISO’s responsibilities are complementary to those of the CIO. While the CIO seeks to keep technology up and running, remotely accessible and aligned with the business’ rapidly changing needs, the CISO secures the technology, protects sensitive assets and manages risk in an ever-changing threat landscape. The CIO will likely have established many of the same relationships needed for the CISO to succeed, so this individual can facilitate those relationships and help navigate the organization.
The relationship with the CIO is crucial whether or not the CISO reports to this individual. Take time early on to build the relationship in a thoughtful way. Encourage the CIO to share their take on people and situations but develop relationships independently.
The board
Boards differ from one organization to another in how they relate to the CISO. Some boards don’t interact with a new CISO until there’s a security event in progress. At some point, however, board interaction will happen, especially if the previous CISO interacted with board members regularly.
Take full advantage of the time before meeting the board to develop a clear understanding of the organization, develop its risk profile and perform an assessment. Meet with other board-facing executives who can help with developing an understanding of board personalities, style and expectations, and help define what works and what to avoid with the board. This is a more favorable circumstance than meeting the board during a security incident when the emphasis is on describing the event and what’s being done while also likely asking for resources. It’s a tough sell to an unfamiliar board. It’s better to build trust first.
If possible, get acquainted with individual board members by meeting one-on-one. Assess their familiarity with the current information security and risk landscape; discover what expertise and perspectives they might bring to incident planning.
The business leaders
To align the information security program with the business, first understand the business. It’s important to engage business leaders early on to learn the organization’s priorities. Identify the key drivers and key business processes, the go-to-market strategy, how each business unit generates value, and what that value is (revenue, shareholder value, etc.). Use this information to articulate how to protect key business assets and processes against cyber threats; this is how CISOs gain influence and justify investments in security programs.
The Chief Financial Officer
The CFO likely knows breaches will result in significant financial loss and reputational damage and should influence the sponsorship of information security programs. Investing in this relationship will earn support to help shape business cases for security initiatives. Finance staff can help quantify security benefits in financial terms, like minimizing losses and supporting business strategies.
The internal audit team
Auditors understand business processes and risk, organizational culture and dynamics. This expertise alone makes them key allies for the CISO. This team will have a significant influence on the CISO team’s activities as they perform their internal audits, so it is important to develop strong relationships in order to work through any differences that may arise. Moreover, they interact with the board as participants in the audit committee, so they can provide coaching on effective approaches to board updates.
The General Counsel
The general counsel often takes point in breach response and investigation and will handle any litigation arising from a breach. They’re participants in compliance programs, and they guide public disclosure communications as well. Therefore, they can provide guidance to the CISO and take a significant role in defending the organization against threats. For all of these reasons, they’re powerful allies for a new CISO.
The Chief Risk Officer
The CRO’s role is synergistic with the CISO’s because both participate in managing risk across the organization. CROs typically select cyber insurance for the organization, and this choice constrains the selection of third-party incident response teams. Prioritize this partnership before any adverse incident or threat becomes its proving ground.
Getting ahead early on
Trusting relationships are important to a CISO’s influence and credibility and provide the organizational knowledge for new CISOs to prove themselves fast. Before, during and after any security incident, new CISOs will need these allies for support, information and resources. Getting to know the concerns, personalities and drivers of stakeholders and partners, then listening and responding to their needs are proven ways to build the trust that helps CISOs get ahead — ahead of time.
In our next post, we’ll explore how a predecessor’s reason for leaving the organization can help establish priorities for a CISO’s first days. We’ll follow that up with our third and final post on a CISO’s early days: describing actions that secure quick wins.