We spend a lot of time thinking about how CISOs can prioritize their earliest actions and advising clients who happen to be new in their CISO roles. By taking the right steps early, new CISOs can convey confidence, demonstrate their capabilities and set themselves up for success.
- In our first post, we talked about cultivating relationships that contribute to a CISO’s effectiveness.
- Today, we’re discussing all the reasons an organization might replace their CISO – and how those reasons can help a new CISO shape early priorities.
- The last post in this series will describe the quick-win activities that convey a new CISO’s competence and confidence.
Why they hired you
The average lifespan of a typical CISO lasts less than three years, so time is of the essence. This statistic includes leaving for better opportunities, but it certainly can also include CISOs who are terminated for cause. The CISO role is not only exacting in its responsibilities, but also in its skill requirements. CISOs must be politically astute to manage successful programs and remain currently informed of new technologies to address cyberthreats.
- Technical expertise alone won’t secure resources and support for security programs.
- Political and leadership skills won’t result in effective programs without operational expertise and technical insight.
The reason an organization replaced a predecessor can reveal security event history, cultural circumstances and political conditions in your new environment. Learning why the predecessor left helps determine the best investments of time in the crucial early months.
When assuming the new role, events from the past may not be obvious. The best first action is to build trusted relationships within teams, leaders and peers, as we described in our first post.
Hired after a security incident
There is nothing like a security incident to expose an organization’s challenges with cybersecurity and risk management. Entering these situations, it’s important to know the status of any post-mortem activity. If the organization has formally conducted response and investigation activities, what were the lessons learned and next steps? Study post-mortem documentation to ensure it is thorough. Identify contributing factors and prioritize follow-through for any corrective actions. If a post-mortem has not been done, conduct one. It’s a diligent step that doubles as a crash course in the business, technical and cultural factors that contributed to the cyber incident.
New CISOs who enter post-incident may not have the luxury of cultivating board relationships before being called upon to explain events. They’ll likely be striving to gain the trust of senior leaders even as they describe damage and corrective actions — while asking for resources and engaging with partners to resolve problems. A CISO’s responsibilities will also include responding to queries from law enforcement and auditing agencies. Newcomers may not have all the information they are asked to supply. For boards, auditors, and law enforcement both, plainly stating “I don’t know” can build credibility – but it is imperative to follow that statement with a commitment to take responsibility for finding out what they want to know. Guessing can be legally treated as perjury.
Incidents are a stressful way to start in a role, but these situations could be a proving ground. Study known facts and response actions to date. Ensure they meet a high standard. Stay cool in tough situations and rapidly master new information.
Hired after your predecessor was fired (non-indecent related)
A new CISO may never know the specifics around his or her predecessor’s departure. Outside of HR-related departures, there are usually a few common themes that emerge from these situations. The first, and potentially most challenging, is a lack of organizational culture related to cybersecurity. New CISOs need to be ready to educate leadership and peers about the importance of cybersecurity as it aligns to their business. This is typically an ongoing and evolving dialog, but it is important to start these discussions as early as possible as these will directly impact how to build cyber champions, establish key internal relationships and ultimately get the budgetary support needed to be successful.
Another common theme we see is a need to improve cyber program communication. Many CISOs have failed simply because they missed the mark when it comes to building relationships with the right people and creating transparency around their programs. This includes all avenues of visibility and communication; one-on-ones with key stakeholders and executives (technical and business), building or plugging into decision-making committees, and simply marketing the security program throughout the organization.
Finally, we often see CISOs dismissed because their program was focused on the wrong things. With a focus on transparency, the organization’s cyber expectations and risk profile will become clearer. There will always be a basic layer of cyber capabilities that need to be present in every organization and building a business-aligned program beyond that baseline can be a challenge. Understand what regulatory commitments need to be met, what business processes need to be (directly or indirectly) enabled and ultimately how to view the business through risk-based eyes.
Hired after a voluntary parting of ways
Happily, many CISOs move on to better opportunities – some even retire. Even if a predecessor departed on good terms, it is possible to learn a lot by researching their strengths and weaknesses.
A new CISO should bring their own ideas and expectations into the job and apply personal standards to the department. Compare the current operation to past experience and personal standards to determine areas where improvement can happen.
The prior CISO may have been valued for particular strengths – building effective programs, developing security awareness and technical knowledge, or keeping abreast of emerging trends in cybercrime. Stakeholders may have been happy with those strengths while perhaps tolerating weaknesses. Understanding your predecessor’s performance will help identify strengths to replicate while knowing the predecessor’s weaknesses will help avoid pitfalls – and help stakeholders see that they’ve traded up after all.
Getting ahead, early on
Learning the reason a predecessor departed is critical information. This knowledge exposes organizational sensitivities to prior shortcomings and highlights early opportunities to exceed expectations.
Uncovering recent security event history will provide volumes of information about the new cultural and political environment. This information can shape priorities in the earliest days and create opportunities to prove a CISO’s worth and value.
Check out our first post regarding how new CISOs can cultivate crucial relationships early on. In our final post still to come, we’ll describe the actions that secure quick wins for a new CISO.