Developing a Security Function During a CISO’s First 100 Days

These turbulent times of evolving threats and rising personal-liability considerations for cybersecurity leaders make the CISO role a challenging but rewarding position. The CISO must contend with the increasing sophistication of attacks, potential geopolitical adversaries and the material impact cybersecurity can have on organizational value. Whether it’s a first-time CISO or a seasoned cybersecurity executive, the first 100 days of a CISO’s tenure are critically important to setting up the role for success.

In planning for the first day in this new role, take the time to grasp the company’s culture, values and initiatives. Understand how the company operates and what distinguishes it from its peers. These important inputs help to ensure security is appropriately aligned to best support and enable the business’s goals and objectives.

Meet the team

CISOs must prioritize meeting with key leadership and business stakeholders early on to understand their perspectives on how well security is addressing the business challenges they face. Questions to ask during these discussions should include:

  • What key factors does the business rely on to generate value for customers and shareholders?
  • What are the key business priorities over the next three to five years?
  • How well has security been historically aligned with these priorities?
  • What business challenges does each department and the organization face?
  • Are there any current initiatives, projects or immediate needs the security team could support?

During this time, we also recommend examining information on prior cyber incidents, including details that were not reported publicly and any privileged information. Seek to understand how incidents occurred, evaluate how timely and effective the detection and response capabilities were, identify what impacts to the organization were observed, and confirm how lessons learned have been implemented to mitigate similar threats in the future and improve the cybersecurity program’s maturity.

As CISOs learn more about the organization and appreciate the perspective of their peers in the C-suite, it is equally important to balance this understanding with that of their security team. CISOs should take the time to listen to their team, encourage open feedback, and explain their expectations as a new leader clearly and openly. They must focus on developing rapport and avoiding ambiguity. CISOs will need to leverage their team to develop their understanding of cybersecurity priorities for the organization, as they possess important historical knowledge and perspectives that cannot be ignored. The security team’s buy-in will be essential to success.

Assessing capabilities and communicating risks

One of the next steps we recommend is assessing the level of maturity of the security program along with its capabilities. Evaluate existing security policies and procedures. Assess program capabilities by analyzing the people, processes and technology used to meet security objectives. Confirm whether policies and procedures match the implemented capabilities (and note where they do not) to understand the strength of governance. If stepping into the role at an organization with a mature security program, analyze and understand the existing program, current strategies and roadmaps to determine whether the program’s current trajectory is in line with the organization’s vision and management goals.

When evaluating the tools and technology in use, determine whether they are properly implemented, aligned with and able to meet security objectives, and can scale or adapt to the latest emerging cyber threats. A thorough review of staffing levels and the capabilities of existing resources will also show the strengths of the program and help identify gaps. We also recommend assessing maturity against an industry-accepted framework and subsequently aligning with the selected framework in the ongoing development of the cybersecurity program.

During the first 100 days, it is essential to understand the current state of compliance with applicable regulations and contractual obligations. Collaborating with legal counsel and compliance experts within the organization can provide valuable insights. CISOs should also remain informed of proposed legislation and industry-specific developments that could affect future compliance obligations. Engagement with industry associations, participation in relevant forums and maintaining open communication channels with regulatory bodies are essential in this role. Maintaining a proactive stance and fostering a culture of compliance will position the organization to adapt swiftly to evolving legal and regulatory requirements, ensuring a robust cybersecurity strategy that stands the test of time.

Considering the SEC’s recent charges against SolarWinds and its CISO, it is important for the CISO to establish a clear and comprehensive risk communication strategy. CISOs should also consider their role and the potential personal liability associated with it. Ensure there is a clear and formalized methodology for classifying and communicating risk. Special consideration should be given to identifying vulnerabilities and business threats, and to strict policies and protocols for maintaining and distributing this documentation. If the business lacks an up-to-date risk assessment or risk register, addressing this gap should be at the top of the CISO’s to-do list.

Developing a plan

Depending on the size of the organization, the time required to complete the tasks discussed may extend beyond a CISO’s first 100 days. Work with leadership to develop realistic timelines and expectations that lead to a holistic strategy. An initial maturity assessment must soon be followed by a roadmap calibrated to capabilities, risks and enterprise objectives. The security roadmap should outline the initiatives designed to remediate identified security gaps and support the company’s immediate, tactical, and long-term strategic objectives. This roadmap must include actionable plans with milestones, timelines, identified owners and resource assignments. CISOs should obtain input from their team and collaborate with peers and key stakeholders outside of technology and security in developing the plan. The roadmap should be reviewed by executive leadership, and in some cases the board as deemed appropriate, to ensure their support. The goal of leadership exposure should be to provide transparency and establish commitment to the budget and resources required to accomplish the program’s goals. If the necessary resource commitments cannot be made by the organization, having an honest, risk-based discussion with leadership on the tradeoffs that will be made to deliver the program with the resources provided will be necessary.

Management expert Peter Drucker once said, “What gets measured gets managed.” As CISOs develop plans and roadmaps, it is imperative to think about the program’s success criteria and the KPIs that will be measured and reported on early in the process. Determining measurements will not only help in monitoring and reporting on program performance but will also provide the basis for determining actions to take to manage the progression of roadmap initiatives.

It is also critical that the CISO quickly builds a feedback loop from stakeholders to keep the program on course. This collaborative tone should be set from the start. Remember that a changing business environment, technological advances, unanticipated constraints and evolving conditions will require adjustments to the plan. Maintaining flexibility, staying up to date on technology and industry developments, keeping an eye on business objectives, communicating regularly with the security team and stakeholders across the organization, and documenting key decisions will help CISOs navigate the turbulent waters of today’s environment. Governance functions, when implemented effectively, optimize the cybersecurity maturity of the organization.

Finally, consider that CISOs are as much technical leaders of cybersecurity as they are partners with the business in enabling the goals of the organization. The most effective CISOs understand the balance required. Remember that the average tenure of a CISO is less than three years, so time is of the essence to set the right tone from day one.


Ryan Edison

Director
Security and Privacy

David Jacobs

Senior Manager
Security and Privacy
