One common theme among highly successful security executives is their disciplined approach to starting a new CISO role. By taking the right steps from the start, new CISOs can convey confidence, demonstrate capabilities and set themselves up for success. In this three-part series on how CISOs can maximize their impact during the first 100 days on the job, we have covered a significant amount of territory.
In our first post, we talked about building the relationships that contribute to a CISO’s effectiveness.
In our second post, we discussed why organizations replace their CISO – and how that reason helps a new CISO define priorities.
In this final post, we review the leadership skills needed to convey a new CISO’s capabilities to other leaders, peers and the cybersecurity team.
No matter how experienced the CISO, being new means an intense learning mode. New CISOs will want to spend their early days listening and learning. Here, we’ve sequenced subject areas, but in real life these activities progress in parallel. Meeting with new colleagues, business leaders and heads of key functions like finance and IT creates opportunities to learn and make an impression. This is how to establish relationships with key stakeholders – seek their feedback and input for future support.
New CISOs gain organizational knowledge and trust when they make an effort to meet key leaders, peers and team members early in their tenure to understand business expectations and gather feedback. Furthermore, these early days in your transition will be an opportunity to demonstrate your leadership and partnering style. It is important to focus on building trust, listening to feedback, developing perceptions and formulating strategies founded upon sound knowledge of the business, environment, and stakeholders.
Learn the business
All organizations are different, and even those in the same industry will have a different organizational culture. Success will hinge on understanding the organization’s business values, priorities, principles and challenges. Learn how the business generates revenue and returns value to shareholders, customers, partners and others. Determine who defines value and how it gets measured. Understand how the organization differentiates itself: proprietary processes, technologies or intellectual property that give the business its edge. Ask leaders how their department supports value creation and how cybersecurity can support their efforts, including their compliance obligations. One great tool to map out the business is a business model canvas. There are numerous resources and templates that are freely available on the Internet that can help create this view of the organization.
One of the most important considerations for a new CISO is to understand how their organization views risk. Risk appetite and tolerance are two perspectives that CISOs need to align with, and in some cases help organizations formally define. Understanding how to properly tune risk will ensure downstream decisions are in alignment with the business.
Learn the team: skills, culture and operating model
Understanding the cybersecurity team’s capabilities is so critical that we covered it earlier in this series. New CISOs will want to assess their team’s alignment, skill and structure against the functions needed to support business objectives, priorities, etc. We recommend studying the team’s present structure and understanding how its operation supports delivery of services:
- Learn the team hierarchy, roles and responsibilities. If these aren’t documented, recording these details would be a helpful project for a strong lieutenant. If they are documented, note differences between what’s on paper and what’s in practice.
- Has the former CISO maintained a catalog of capabilities and services? If not, that’s an additional early project and possible proving ground for a direct report.
- What mechanisms are in place for program management? Check for mature budget forecasting, status tracking, project delivery and closeout processes.
Learn the program
A good place to begin a program review is with the last cybersecurity assessment, assuming one has been performed. Risk assessments and audit reports are excellent references for understanding program needs and overall business alignment and will also feed directly into the overall program strategy. If an assessment hasn’t been recently completed, frameworks like the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) provide a good basis for assessing cybersecurity program maturity. Compare the program to the chosen standard to identify shortfalls that may require attention. Understanding what issues have not been remediated or accepted will give an initial view of the landscape.
Program maturity should also encompass knowledge of the business and risks particular to the enterprise’s industry, location, regulatory profile and other characteristics. Combining program maturity with risk assessment helps new CISOs pinpoint priorities for near-term spending and ensure the future-state of the cyber program is properly aligned to the needs of the business. The risk assessment will model key threat event types in a business context to show how risk reductions would benefit the business.
A compromise assessment will provide further insight by uncovering adversarial activity under way. While no one wants to activate the incident response plan in early days, this action helps to ensure that the new CISO doesn’t assume a healthy situation on day one.
Finally, another reference is the cybersecurity budget, where the monies are allocated may be indicative of what the organization prioritizes. Reference current budget against industry benchmarks for cybersecurity spending, resourcing, etc. Determine whether protection, detection and response expenditures seem balanced. Identify redundant or underused capabilities within the function. Address these in the near term, while aligning spending with an updated cybersecurity strategy.
Drive cultural change
CISOs transition for a reason, and this is often indicative of a leader’s desire to change the organization’s cybersecurity culture. The new CISO will want to understand leaders’ views – is there support to change the culture to give greater emphasis to the importance of cybersecurity? Tone at the top is critical to fundamental change, and new CISOs need leadership support to make cultural change happen.
When cultural change is a priority for leaders, new CISOs can build a coalition with the help of business leaders and department heads from IT and other key functions. This coalition can develop a vision of change collaboratively, and work to promote it throughout the organization.