Carrying out the mandate of the chief information security officer (CISO) has never been easy, but today’s increasingly fraught digital landscape has made it even more difficult. What’s more, new and complex compliance requirements have opened the door for potential personal criminal liability in the event of a data breach or other cyber incident.
It’s a big job that touches just about every part of the organization, and the ability to hit the ground running can make a big difference. But with so many tasks at hand, just knowing where to start can be a significant challenge.
How a new CISO operates during their first 90 days on the job will set the tone and precedent for the remainder of their term. When I first stepped into my role as a CISO, I established clear goals for myself at the 30-, 60- and 90-day benchmarks because I knew it was important to enter with a plan and a clear vision of what would constitute success.
It was a learning experience, and despite the fact that not everything went according to plan, I look back on those first 90 days with pride and fondness. Here’s what I learned from my initial three months on the job:
Hit the ground running, but don’t try to sprint
Preparation is critical. Before you even set foot in your new office, you should be doing extensive research on the threat landscape of your industry.
The worst thing you can do is hear about a risk and not document it.
What recent threat activity has been in the news? What major (and minor) incidents have taken place over the past year or so? You should also know the relevant costs associated with a breach in your industry based on the attack activity your research reveals. It’s important to know what dangers are out there and the cost of inaction.
One piece of advice has always stuck with me: you’ll never get those first 90 days back. There will never be another time when you can focus purely on research and discovery. As you settle into the role, you’ll become more ingrained in daily activities and begin executing your vision. But during those first 90 days, it’s important to resist the urge to dive in, start working on deliverables or going heads-down on new initiatives. This is your time to watch and listen.
Know who can give you the answers you need
As soon as you can, map out the internal and external stakeholders you need to know and start scheduling meetings with them.
Before I even started, I sent a complete document collection request to each one, asking for recent maturity assessments, organizational charts, recent board decks, and documentation on any relevant processes. Because of that, I had all the documentation I needed on my first day.
This allowed me to go into my stakeholder meetings as prepared as possible. It was a good opportunity to dive into the documentation they provided and ask about their challenges, as well as what they were proud of.
Even when talking to stakeholders outside the security team, ask what keeps them up at night. I can guarantee you that even those without a security background have noticed things that don’t seem right. They may bring an outside perspective on how certain processes or controls can be improved.
Align your vision with your security teams
Of course, you’ll want to prioritize talking to the security teams. They can provide you with the most accurate view of what is happening on the network and tell you about the threats they see, the threats they fear, and which controls are working effectively.
If you’ve already done your research on what the industry-at-large is facing, this will help you zero-in on the specific challenges your company is dealing with. Together with your security stakeholders, you should determine the most pressing threat scenarios you face. I first became a CISO in the immediate aftermath of the SolarWinds breach, so it won’t come as a surprise that software lifecycle compromise figured heavily in our assessment.
Be sure to document all of the risk findings from your stakeholder interviews and ensure your risk functions are tracking those risks toward a remediation date. The worst thing you can do is hear about a risk and not document it — make sure every finding you come across is documented during that initial discovery period.
Once those risks are understood and everyone is aligned on the threat scenarios you need to defend against, you’ll find it much easier to generate risk-based reporting against those threat scenarios. For example, I determined that ransomware and software lifecycle compromise were our two biggest threat scenarios, and was then able to map relevant risk findings and key risk indicator (KRI) metrics to those two risk scenarios. This allowed me to speak about strategy in terms of risk reduction.
Define your mission, vision and services model
It’s hard to make a successful roadmap or strategy unless you’ve thought through your overall vision for cybersecurity functionality, including which services you’ll offer and which ones you won’t.
When you assess what your company is currently doing, you may identify some services that don’t provide much bang for your buck. When I first started, I realized that the threat intelligence newsletters that were being sent company-wide weren’t being broadly read or understood — they just weren’t an effective use of resources based on where the company was in its maturity process, so we repurposed those resources for higher return on investment activities.
I decided to focus on four key service pillars and worked to define what “good” looks like for each one. Which areas are right for your company will likely depend on the threat scenarios you defined in the previous step — you’ll naturally want to focus on the areas with the most impact on the business, or where a disruption would hurt the most.
Defining success is critical, and it should be done quickly. We looked at the services we wanted to offer and determined what their mission and objectives would be along with what it would take to bring each one up to peak performance. Identifying which services needed to be prioritized helped determine which metrics to focus on when we began collecting initial key performance indicator (KPI) metrics.
In addition to service clarity, it was also important to establish role clarity by clearly defining career paths, position descriptions and RACIs. We did not just define RACIs within cybersecurity but also across key partners such as IT and DevOps in order to eliminate redundancies, confusion, and potential coverage gaps.
Build a roadmap with the help of documentation
Now it’s time to start looking ahead. By the end of my first 90 days, I knew I wanted to generate a reprioritized strategy for the remainder of my first year and present a three-year roadmap beyond that.
I knew that roadmap wasn’t set in stone, but it can be helpful to clearly define your point of view at a given time. Even if you know you’ll have to readjust it in 12 to 18 months, it helps communicate to your team (and to the business as a whole) where your priorities lie over a given period of time.
Generating buy-in is important, which is why I presented my plans and findings to the board. I laid out the top threat scenarios we faced, alongside specific statistics and breach reports in the industry. I also presented our internal threat detection and response findings, along with a comprehensive list of where we discovered gaps and opportunities, as well as what we considered to be strengths.
It was a great way to demonstrate to the board that we understood the challenges in front of us and had a clear plan to move forward. For a new CISO, that’s an ideal way to end your first 90 days.
One step lent me additional credibility: I brought in a third-party security team to assess the situation alongside me. This may not be an option for all CISOs, but I highly recommend doing it if you can.
It’s one thing to stand in front of your team, your company, or your board and tell them where you think problems and opportunities lie, but it’s another thing entirely to have independent analysis supporting you. What’s more, a compromise assessment can help you ensure you didn’t inherit a breach, or at least make you aware of an existing breach more quickly.
Put your plans into action
The first 90 days of a new CISO’s term are critical. They’re the best chance you’ll ever have to research, gather documentation, and assess where things stand and how they can be improved. Use those 90 days to talk to stakeholders, listen to their problems, and determine what is possible and what is practical. Make plans, establish benchmarks, and set the tone that will carry through the rest of your term.
Those initial days on the job are intimidating, but it’s important to recognize them for the opportunity they provide. A productive and successful first 90 days can have a real, measurable impact on the rest of your time as a CISO.