As a new CISO, the first 100 days on the job are critical
As a chief information security officer, you won't get a second chance to make a first impression. Learn how a CISO's first 100 days lay the foundation for a successful tenure.
While the CISO role is more important, prestigious and lucrative than ever, it is also high-profile and potentially high-risk. Recently, for example, a jury convicted Uber's former CSO of mishandling cyber attacks at the company, with up to eight years in prison on the table. While this is an extreme case, one must take the CISO role seriously.
Given the critical nature and high stakes of the position, first impressions are paramount. Approach the first 100 days in a new CISO job as a key period to accomplish the following:
It is vital to immediately establish a tone that balances transparency with high standards, accountability with understanding, and competence with humility and a willingness to learn.
Roadmap to CISO success
As a new CISO, successfully navigating the first 100 days on the job starts well before your first day in the office. Upon landing a new role, immediately begin sketching out a working list of immediate, medium and long-range goals, which you'll continue to update in the coming days, weeks and months.
It is vital to immediately establish a tone that balances transparency with high standards, accountability with understanding, and competence with humility and a willingness to learn.
Before day one: Prepare
First, do your homework. Learn everything you can about the following:
Company. Conduct extensive research on your organization -- even if the new CISO job is a promotion and you have been with the company for years. Study its overall mission and high-level objectives, and weigh how security fits within the broader business context. Consume news articles, interviews and other available content about the organization, paying particular attention to any security incidents and business issues that could affect cybersecurity.
Outgoing CISO. Find out everything possible about the outgoing CISO -- strengths, as well as weaknesses. Don't assume the worst, as your predecessor may well have accomplished positive things in the security program and left on good terms. Regardless, it's helpful to understand as much as possible about your predecessor's tenure and departure, whether it was in pursuit of a CISO gig at a bigger company or following a serious security incident.
Your mandate. Revisit notes from the job interview process to assess your mandate -- what, specifically, the company wants you to do and any ongoing security issues on leadership's radar. By the end of your first 100 days as CISO, you and executive stakeholders should share a clear, detailed understanding of your role, responsibilities and goals as a security leader.
Technology. Learn everything you can about any tools, systems and services you already know are in place at the organization.
Stakeholders. Take the time to find out what you can about major stakeholders, including your boss, executive leadership, key business unit leaders and security team members. The more you know about these people's backgrounds, strengths and shortcomings ahead of time, the better.
Talking points. Draft a short professional biography you can lean on when introducing yourself to new colleagues, and prepare some go-to questions to help you get the lay of the land.
First week: People
In your initial days officially on the job, watch, look and listen. Do not act.
While some issues might become immediately apparent, resist the temptation to make any changes during the first week or two. Instead, take a beat to observe and understand the current security landscape as fully as possible.
First and most importantly, learn about the people. Meet with security staff, and ask about their roles and responsibilities and how they do their jobs. Listen carefully as you get to know the team's personalities and dynamics. Consider the following:
how they coordinate and hold meetings;
how they discover and handle security issues;
how security works with IT operations; and
how security interfaces with risk management and lines of business, if at all.
Set up introductory meetings with other key stakeholders as well, such as executives, business unit leaders and other relevant staff.
First month: Process and technology
Once you understand the human element, start methodically assessing existing security processes. This review should include the following:
Security architecture and strategy. First, establish whether formal security architecture and strategy documentation exists. If so, compare it against business goals and organizational risk appetite, and make note of any obvious gaps or misalignments. If documentation does not exist, make developing it and formalizing the security strategy a priority.
Internal incident response, disaster recovery and business continuity plans. Assess whether existing incident response, disaster recovery and business continuity plans follow best practices in situations such as ransomware attacks.
Next, ask how often the security team and broader organization have historically held training drills to the put these plans into practice. Often, companies check the proverbial box with annual exams, but best practice dictates quarterly exercises.
If it has been at least six months since the last exam, consider holding a tabletop exercise to see how well security staff, IT staff and other appropriate stakeholders respond to a security incident. You may well find the existing plans' processes need adjusting, contact information needs updating, etc.
Security tools and technology. Finally, establish a comprehensive list of the tools and technologies currently in place, and note how the security team uses them. Review company security requirements and assess the following:
whether the tools in place are appropriate for their given tasks;
whether multiple tools fulfil the same requirements;
whether staff has proper training for using the tools and technology in the environment; and
whether additional tools and technology are necessary to meet core security requirements.
Inevitably, you will find some gaps, whether in tooling, training or integrations.
First quarter: Establish your vision and act on it
Once you have fully assessed your company's security program, including its people, processes and technology, consider its weaknesses. Draft a list of strategic priorities that close existing security gaps -- in alignment with the company's risk appetite and high-level business goals -- and group each into one of the following buckets:
Short term: Easy and inexpensive. Identify immediate actions your team can take to improve security without investing much time or money -- the low-hanging fruit. Examples include eliminating redundant tools and making light modifications to the incident response plan, such as updating key contact information. Secure these easy wins quickly to both bolster security and build credibility early in your tenure.
Medium term: Significant and relatively affordable. Identify significant security gaps that you can address relatively quickly and inexpensively. These might include making organizational realignments, training security personnel, making substantive incident response plan modifications and integrating tools.
Long term: Important but costly. Lastly, identify important issues that need fixing but require more time and resources to do so. Examples include addressing staff shortages and filling major tooling and service gaps for which the current budget does not account.
