Developing a Security Function During a CISO’s First 100 Days

These turbulent times of evolving threats and rising personal responsibility considerations for cybersecurity leaders make the CISO role a challenging but rewarding position. The CISO must contend with an increasing sophistication of attacks, potential geopolitical adversaries and the material impact cybersecurity can have on organizational value. Whether it’s a new CISO or a seasoned cybersecurity executive, the first 100 days of a CISO’s tenure are critically important to setting up their role for success.

In planning for the first day in this new role, take the time to grasp the company culture, values and initiatives. Understand how the company operates and what distinguishes it from its peers. These important inputs help to ensure security is appropriately aligned to best support and enable the business’s goals and objectives.

Meet the team

CISOs must prioritize meeting with key leadership and business stakeholders early on to understand their perspectives on how well security is addressing the business challenges they face. Questions to ask during these discussions should include:

  • What key factors does the business rely on to generate value for customers and shareholders?
  • What are the key business priorities over the next three to five years?
  • How well has security been historically aligned with these priorities?
  • What business challenges does each department and the organization face?
  • Are there any current initiatives, projects or immediate needs the security team could support?

During this time, we also recommend examining information on prior cyber incidents, including details not reported to the public or privileged information. Seek to understand how incidents occurred, how timely and effective the detection and response capabilities were, what impacts to the organization were identified and how lessons learned have been implemented to mitigate similar threats in the future and improve the cybersecurity program’s maturity.

As CISOs learn more about the organization and appreciate the perspective of their peers in the C-suite, it is equally important to balance this understanding with that of their security team. CISOs should take the time to listen to their team, encourage open feedback, and explain their expectations as a new leader clearly and openly. They must focus on developing rapport and avoiding ambiguity. CISOs will need to leverage their team to develop their understanding of cybersecurity priorities for the organization, as they possess important historical knowledge and perspectives that cannot be ignored. The security team’s buy-in will be essential to success.

Assessing capabilities and communicating risks

One of the next steps we recommend is assessing the level of maturity of the security program along with its capabilities. Evaluate existing security policies and procedures. Assess program capabilities by analyzing the people, processes and technology used to meet security objectives. Confirm whether policies and procedures match the implemented capability (and where they do not) to understand the strength of governance. If stepping into the role at an organization with a mature security program, analyze and understand the existing program, current strategies and roadmaps to determine if the program’s current trajectory is in line with the organization’s vision and management goals.

When evaluating the tools and technology in use, determine whether they are properly implemented, aligned with and able to meet security objectives, and can scale or adapt to the latest emerging cyber threats. A thorough review of staffing levels and capabilities of existing resources will also show the strengths of the program and help identify gaps. We also recommend assessing the maturity against an industry-accepted framework and subsequently aligning with the selected framework in ongoing development of the cybersecurity program.

During the first 100 days, it is essential to understand the current state of compliance with applicable regulations and contractual obligations. Collaborating with legal counsel and compliance experts within the organization can provide valuable insights. CISOs should also remain informed of proposed legislation and industry-specific developments that could affect future compliance obligations. Engagement with industry associations, participation in relevant forums and maintaining open communication channels with regulatory bodies are essential in this role. Maintaining a proactive stance and fostering a culture of compliance will position the organization to adapt swiftly to evolving legal and regulatory requirements, ensuring a robust cybersecurity strategy that stands the test of time.

Considering the SEC’s recent charges against SolarWinds and its CISO, it is important for the CISO to establish a clear and comprehensive risk communication strategy. CISOs should also consider their role and the potential personal liability associated with it. Ensure there is a clear and formalized methodology for classifying and communicating risk. Special consideration should be given to identifying vulnerabilities and business threats, and to strict policies and protocols for maintaining and distributing this documentation. If the business lacks an updated risk assessment or risk registry, addressing this gap should be at the top of the CISO’s to-do list.

Developing a plan

Depending on the size of the organization, the time required to complete the tasks discussed may extend beyond a CISO’s first 100 days. Work with leadership to develop realistic timelines and expectations that lead to a holistic strategy. An initial maturity assessment must soon be followed by a roadmap calibrated to capabilities, risks and enterprise objectives. The security roadmap should outline the initiatives designed to remediate identified security gaps and support the company’s immediate, tactical, and long-term strategic objectives. This roadmap must include actionable plans with milestones, timelines, identified owners and resource assignments. CISOs should obtain input from their team and collaborate with peers and key stakeholders outside of technology and security in developing the plan. The roadmap should be reviewed by executive leadership, and in some cases the board as deemed appropriate, to ensure their support. The goal of leadership exposure should be to provide transparency and establish commitment to the budget and resources required to accomplish the program’s goals. If the necessary resource commitments cannot be made by the organization, having an honest, risk-based discussion with leadership on the tradeoffs that will be made to deliver the program with the resources provided will be necessary.

Management expert Peter Drucker once said, “What gets measured gets managed.” As CISOs develop plans and roadmaps, it is imperative to think about the program’s success criteria and the KPIs that will be measured and reported on early in the process. Determining measurements will not only help in monitoring and reporting on program performance but will also provide the basis for determining actions to take to manage the progression of roadmap initiatives.

It is also critical that the CISO quickly builds a feedback loop from stakeholders to keep the program on course. This collaborative tone should be set from the start. Remember that a changing business environment, technological advances, unanticipated constraints and evolving conditions will require adjustments to the plan. Maintaining flexibility, staying up to date on technology and industry developments, keeping an eye on business objectives, communicating regularly with the security team and stakeholders across the organization, and documenting key decisions will help CISOs navigate the turbulent waters of today’s environment. Governance functions, when implemented effectively, optimize the cybersecurity maturity of the organization.

Finally, consider that CISOs are as much technical leaders of cybersecurity as they are partners with the business to enable the goals of the organization. The most effective CISOs understand the balance required. Remember that the average tenure of a typical CISO is less than three years, so time is of the essence to set the right tone from day one.

Ryan Edison

Security and Privacy

David Jacobs

Senior Manager
Security and Privacy
