CISO Next

A CISO’s First 100 Days (Part 3): Learning is the Smartest Quick Win

Nick PuetzRon KuriscakJoseph Burkard
May 31, 2022
6 min read

One common theme among highly successful security executives is their disciplined approach to starting a new CISO role. By taking the right steps from the start, new CISOs can convey confidence, demonstrate capabilities and set themselves up for success. In this three-part series on how CISOs can maximize their impact during the first 100 days on the job, we have covered a significant amount of territory.

In our first post, we talked about building the relationships that contribute to a CISO’s effectiveness.

In our second post, we discussed why organizations replace their CISO – and how that reason helps a new CISO define priorities.

In this final post, we review the leadership skills needed to convey a new CISO’s capabilities to other leaders, peers and the cybersecurity team.

No matter how experienced the CISO, being new means an intense learning mode. New CISOs will want to spend their early days listening and learning. Here, we’ve sequenced subject areas, but in real life these activities progress in parallel. Meeting with new colleagues, business leaders and heads of key functions like finance and IT creates opportunities to learn and make an impression. This is how to establish relationships with key stakeholders – seek their feedback and input for future support.

New CISOs gain organizational knowledge and trust when they make an effort to meet key leaders, peers and team members early in their tenure to understand business expectations and gather feedback. Furthermore, these early days in your transition will be an opportunity to demonstrate your leadership and partnering style. It is important to focus on building trust, listening to feedback, developing perceptions and formulating strategies founded upon sound knowledge of the business, environment, and stakeholders.

Learn the business

All organizations are different, and even those in the same industry will have a different organizational culture. Success will hinge on understanding the organization’s business values, priorities, principles and challenges. Learn how the business generates revenue and returns value to shareholders, customers, partners and others. Determine who defines value and how it gets measured. Understand how the organization differentiates itself: proprietary processes, technologies or intellectual property that give the business its edge. Ask leaders how their department supports value creation and how cybersecurity can support their efforts, including their compliance obligations. One great tool to map out the business is a business model canvas. There are numerous resources and templates that are freely available on the Internet that can help create this view of the organization.

One of the most important considerations for a new CISO is to understand how their organization views risk. Risk appetite and tolerance are two perspectives that CISOs need to align with, and in some cases help organizations formally define. Understanding how to properly tune risk will ensure downstream decisions are in alignment with the business.

Learn the team: skills, culture and operating model

Understanding the cybersecurity team’s capabilities is so critical that we covered it earlier in this series. New CISOs will want to assess their team’s alignment, skill and structure against the functions needed to support business objectives, priorities, etc. We recommend studying the team’s present structure and understanding how its operation supports delivery of services:

  • Learn the team hierarchy, roles and responsibilities. If these aren’t documented, recording these details would be a helpful project for a strong lieutenant. If they are documented, note differences between what’s on paper and what’s in practice.
  • Has the former CISO maintained a catalog of capabilities and services? If not, that’s an additional early project and possible proving ground for a direct report.
  • What mechanisms are in place for program management? Check for mature budget forecasting, status tracking, project delivery and closeout processes.

Learn the program

A good place to begin a program review is with the last cybersecurity assessment, assuming one has been performed. Risk assessments and audit reports are excellent references for understanding program needs and overall business alignment and will also feed directly into the overall program strategy. If an assessment hasn’t been recently completed, frameworks like the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) provide a good basis for assessing cybersecurity program maturity. Compare the program to the chosen standard to identify shortfalls that may require attention. Understanding what issues have not been remediated or accepted will give an initial view of the landscape.

Program maturity should also encompass knowledge of the business and risks particular to the enterprise’s industry, location, regulatory profile and other characteristics. Combining program maturity with risk assessment helps new CISOs pinpoint priorities for near-term spending and ensure the future-state of the cyber program is properly aligned to the needs of the business. The risk assessment will model key threat event types in a business context to show how risk reductions would benefit the business.

A compromise assessment will provide further insight by uncovering adversarial activity under way. While no one wants to activate the incident response plan in early days, this action helps to ensure that the new CISO doesn’t assume a healthy situation on day one.

Finally, another reference is the cybersecurity budget, where the monies are allocated may be indicative of what the organization prioritizes. Reference current budget against industry benchmarks for cybersecurity spending, resourcing, etc. Determine whether protection, detection and response expenditures seem balanced. Identify redundant or underused capabilities within the function. Address these in the near term, while aligning spending with an updated cybersecurity strategy.

Drive cultural change

CISOs transition for a reason, and this is often indicative of a leader’s desire to change the organization’s cybersecurity culture. The new CISO will want to understand leaders’ views – is there support to change the culture to give greater emphasis to the importance of cybersecurity? Tone at the top is critical to fundamental change, and new CISOs need leadership support to make cultural change happen.

When cultural change is a priority for leaders, new CISOs can build a coalition with the help of business leaders and department heads from IT and other key functions. This coalition can develop a vision of change collaboratively, and work to promote it throughout the organization.

To learn more about our CISO Next program, contact us. 

Nick Puetz

Managing Director
Security and Privacy

View all posts

Ron Kuriscak

Managing Director
Security and Privacy

View all posts

Joseph Burkard

Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More