Chief Information Security Officer: A Role in Rapid EvolutionThe role of the chief information security officer (CISO) has changed profoundly over the years, from IT security management to high-level risk management. Today a CISO is a crucial figure for any organization — a company executive responsible for establishing and maintaining a firm’s security strategy. CISOs coordinate internal experts in an effort to identify threats and vulnerabilities, and find ways to mitigate IT risk.
Many large enterprises still fail to implement and maintain effective security programs, resulting in serious repercussions for their businesses. According to TechTarget, Target and JPMorgan Chase are just two examples of Fortune 500 companies that didn’t have CISOs, and have fallen victim to major data breaches that caused millions in losses. In response to the rapid evolution of cyberthreats, many companies are completely reviewing their approaches to cybersecurity, opting to allocate more resources to the protection of their digital assets, and assigning CISOs the responsibility of managing and reducing risk.
If you are a new CISO or starting a new Security Leadership gig, your first few months on the job are critical to your ongoing success in your new role. In the first few months you’ll be judged, tested by your organization and staff, and put on a “stage” to perform in front of your C-Level peers. The precedent you set and first impression in your first 101 days will dictate how your organization perceives you and whether your tenure is marked by overcoming early mis-perceptions or you get a “hall-pass” to do all the good things you were originally hired to do.
This is the New CISO’s Playbook and some initiatives that will help you be successful in the first 101 days in your new role.
1. Days 1-10
Start to get your arms around your Information Security Program. As you would expect the first thing to start doing is taking an inventory of all the pieces of your Information Security Program. This includes direct and dotted line Information Security Staff and their responsibilities, what program capabilities are in place and if possible how mature those capabilities are, any available metrics on department performance. It’s critical that you at least start to take cursory program-level inventory of services in your first week, because as you meet with other Business Unit leaders in the coming weeks you can start formulating a more robust and relevant Information Security Program and Strategy.
Get to know colleagues. This is an important step in kindling great relationships. If you have been promoted into your role, this is a good opportunity to attempt to recover difficult working relationships from days past. If you are new to your Company, as you have these relationship building discussions it’s important not to pass judgment on anything you hear since you might not know the political underpinnings of the information that’s being shared. Use this time to build political capital by listening to your colleagues, displaying empathy, and most importantly gather their goals and objectives so you can help them be successful when you build your Information Security Roadmap and Strategy.
Hold a Department Meeting. This is a must-do! Your team might be apprehensive about having new leadership and how your strategy and management style will affect their jobs. Give everyone a chance to talk and ask questions. Be sure to listen, express empathy, and advise that you are still gathering information and not ready to make any decisions. Most importantly this is a good opportunity to demonstrate everyone is on the same team with a common goal.
Review Budget and Associated Metrics. In the course of understanding your Information Security Program also spend some time dissecting your budget breaking down Capital and Operating Expenditures. The question might come up in the next couple weeks about the financial footprint of the Information Security team. If a lot Security of Compliance spending has taken place before your arrival as CISO, the question might be asked if capital expenditures can be reduced. If you are building the Information Security function for the first time in the history of your company there might be less attention on spending as an initial capital spend is expected; however, it might be good to begin political posturing to appropriately set expectations if you think a lot of spending might be required. Also use this time to find a financial analyst to assist in budget formulation and help communicating a common definition your CFO understands.
Let people know you exist! Information Security is pervasive to an organization–it requires that you interface with many difference departments not just IT. Putting people on alert and driving awareness to your role will give people an invitation to reach out and discuss security topics, concerns, or just open a communication thread. Reaching out early helps to enforce that you are an approachable person within your organization.
2. Days 11-20
Queue up an Information Security Assessment. At the beginning of your third week, queue up an independent Information Security Assessment. Depending on the purchasing requirements of your company coordination of the assessment could take a few weeks and scheduling an assessor can require a lead time. This should be an an assessment of your Information Security Program not just a Penetration Test or Vulnerability Assessment. Find a quality Information Security Assessor who can review your overall program posture using a framework such as ISO27001. You would be well served to find an seasoned Information Security assessor that can measure the ISO27001 controls with a business context so you can gain an accurate read on business risk and subsequently appropriately prioritize remediation plans.
Hold One on One Meetings with your team. Begin to meet with members of your team. Start with your direct reports first before making your way through your organizational structure. If you’re organization is so big you can not talk with everyone then definitely make some time to talk with front line Security Staff even it means skipping the middle management tiers. Your front line staff are the individuals who see issues and deal with problems, and as problems are escalated from the front lines up the organization structure the message will get filtered before reaching you–so for a candid view of the challenges your security organization faces, be sure to talk to or survey your front-line team. During these meetings with your team you can and should be building political capital and trust within your organization. Ask for informed fact based opinions, what the department risks are, and seek their opinion as to how risks can best be mitigated. You can also use these meetings to establish your approachability by actively soliciting their feedback.
Begin to Understand what projects or initiatives will be active in 6 Months time. Time permitting in your busy third and fourth week, start to understand new company initiatives or projects that might be active in six months time. The idea is that these will be emerging projects and initiatives you will be dealing with once you are full orientated in your new position, and starting to gather a strategy will help you be purposeful in your first 101 days and ensure your success on those projects or initiatives. Starting this process now will help give you some context when you begin having one-on-one meetings but it will also give a glimpse as to what members of your team are already planning six months out, and how they are tracking risks associated with these initiatives.
3. Day’s 21-30
Prepare Steering Committee Materials. By this point you’ve been in your position for a few weeks, if you have a Security Steering Committee you should begin preparing materials and begin framing what the first meeting agenda should be. If you are inheriting an existing committee this can be a tricky proposition because it’s critical you get the first meeting right and start off the relationship on the right foot, the complexity of this arrangement can be amplified if you have the wrong stakeholders involved in the meeting (i.e. the committee members aren’t at the right level in the organization). If you find yourself in this position of dealing with a low-level Security Steering Committee, you should pause and critically evaluate whether you want to “start over” with the committee–politically speaking it might be easier to dissolve legacy committees and spend time amassing political capital to build new. If you find yourself in this position, this step of meeting with the Security Steering Committee comes much later in your first 101 days. If you are starting a new Security Steering Committee for the first time, in addition to framing the agenda and first meeting format you should also be considering and actively selling the position to committee members you would like to participate.
Hold One on One Meetings with Business Leaders. Start meeting with peers and Business Unit Leaders. The relationships you begin to form here will be critical to your ongoing success. In addition to gaining the trust of your company’s Business Leaders, you should also begin learning what their goals and objectives are. It’s important to gather this information and ingest into your strategic plan and strategic roadmap. This information will help to ensure your Information Security goals and initiatives directly correlate to business objectives. During this meeting also gather their advice how the Security team can help.
Begin participation in Information Security Projects. At this point you should have an inventory of active Information Security projects. Based on your emerging work load pick some of the most important and strategic security projects to participate in. As you participate, keep in mind your position and granted creditability that comes with being a CISO. If you participate too actively you may inadvertently take over the project and accidentally derail progress. Establish some personal guidelines for yourself as you operate in these meetings, focus on steering the project and adding value or suggestions that might improve the project. Otherwise be a mentally and physically present tie-breaker when collaboration ends in a stalemate, encourage and motivate the team, and at the end of the day your presence in the meeting will give creditability to the project.
4. Day’s 31-40
Review the Operational Security Budget. Hopefully you were able to obtain a good understanding of your budget in the first couple weeks (Day’s 1-10). Now that you have a solid month under your belt, you should be able to start answering specific questions about your budget and how spending is improving the program. By now you should have also recruited a financial analyst to help with your budget and develop ROI metrics and start developing metrics to show how you are improving the fiscal posture of the Information Security Program.
Establish a Program Vision. It’s doubtful you’ll have your full vision formalized by this point, but if you do it will help shape the conversations you are about to have in the coming weeks. Following your conversations with business leaders from the previous weeks, you should begin to have a picture of what success looks like and how to help your company deliver on strategic goals and initiatives. While your vision might not be formalized, you’ll have plenty of time to firm up your goals in the coming months. Consider this step a prerequisite to developing an overall strategy for your Information Security Program.
Take Inventory of the Security Team Skill Sets and Establish Development Plans. In talking with your team, holding one-on-one meetings, and observing performance of your team members collect an inventory of skills. This inventory should include technical and soft skills. Soft skills are a little harder to articulate and measure but there are tested frameworks such as Lominger that can help to measure soft skills. In the course of developing a staff development plan give some consideration as to what your employee wants in their career. Based on the career aspirations of the employee that will drive their skills development. In this role you should act as advisor and motivator, the act of developing a plan should be driven by the employee and they need to be invested in the process to feel motivation to improve. Under-performing employees or employees with a negative attitude can perpetuate bad feelings among the team–and you owe it to your top performers to fix this ASAP. Also, don’t spend all your time on the under-performers, each team member should receive equal attention. This might be one of the most important tasks that you complete. Spend some time here and get this right.
Begin your Information Security Assessment. This should an independent review of your Information Security posture. While you might be qualified to do the assessment yourself, you should resist the temptation to do so. There’s an opportunity cost in doing the assessment yourself, and the opportunity cost is all the program and relationship development you should be doing instead of the assessment. Additionally, the independent lens of someone impartial and removed from the organization will help add to the creditability of any findings. During this assessment it’s critical, as always, to partner with your independent Information Security Assessor and guide them to ensure you get the results and quality you are looking for. Since the assessor is more than likely new to the organization, helping them think in the right business and security context will help to ensure an accurate measure of risk. An information security assessment without business context is just a gap assessment not a risk assessment. A risk assessment is needed so you can begin to prioritize what remediation efforts to tackle first. Depending on your corporate purchasing processes a 31-40 day start time might be unrealistic, but this assessment should be performed as soon as possible. This is a prerequisite to formalizing your Information Security Program Strategy.
5. Day’s 41-50
Write or review the Information Security Charter. Ideally you want your charter approved by the CEO and Board of Directors, so it should be written at a high enough level that it encompasses all your mission and objectives but still provides enough detail that you can translate the charter into an operational plan. If your CEO and Board of Directors take interest in this document, it’s worth taking the time to get it right the first time because each edit and change will need to be “re-approved” by the CEO and Board of Directors. Alternatively, many CISO’s have their charter approved by their Security Steering Committee. If you are inheriting an existing Information Security Charter, this is good opportunity to review the Charter and make any changes or modifications you require.
Appoint team leaders. By now you’ve been able to observe the performance of your team for the past couple months and hopefully you have some obvious stand-out leaders. Considering your Information Security Program strategy and direction you want to take the program, you need to start putting the right team in place to ensure delivery of that Strategy. Considering the strength of the leaders you select should drive the autonomy which you afford them. Junior leaders might need a little more structure with work plans and project reviews. More Senior Leaders will be able to work autonomously and help you coach and provide oversight to Junior Leaders.
Be visible in established Security Projects. Whether you inherited a list of Security Projects or getting ready to kick-off your own, you should judiciously select a couple projects to participate in. This will help to ensure projects stay on track or help and existing stalled project get back on track. Plus, while ramping up in your new role this will allow to gain some credibility in your team and show you’re there to help them be successful. You have be careful not to overstep your role and responsibility on the project because depending on your background and expertise you don’t want to be perceived as taking over the project from your team. Also, your role on the project should be a consensus builder not a C-Level overriding vote. There will be times when you need to pull out your “CISO card” but that should be only in dire circumstances; your modus operandi should be using your excellent communication skills to get everyone on the same page and consensus within the teams.
6. Day’s 51-60
Review Budget for Second Month. Review your budget again and by now you might be seeing trends in your expenditures. You should have enough information by this point to start making informed decisions about top expenditures. Also, now that you’ve met with your team about development plans, there might be some members on your team which you can delegate budget monitoring responsibilities.
Meet with Information Security Steering Committee or Board of Directors. If you operate with an Information Security Steering Committee then you have flexibility as to when this meeting is scheduled, because you drive the agenda and timing. Alternatively, if you have an opportunity to meet with the Board of Directors you have to work around their schedule and agenda. Depending on when the Board of Directors meeting falls on the calendar and how it aligns with your employment start date it might make sense to skip presenting at the first Board of Directors meeting and so your first impression with the Board of Directors is strong, fact based, and value-adding to the overall business strategy.
Obtain approval for you Security Charter. In previous weeks you published a new charter or you edited an existing charter. Now it’s time to get it approved. Based on the timing of when the approving body meets, Information Security Steering Committee or Board of Directors, will drive when and how this task is completed. Before requesting a formal approval of the Information Security Charter you should make sure you have buy-in from appropriate reviewers. This will help to grease the skids of the approving body to ensure a smooth approval process.
Form Security Awareness team. This might be most overlooked task in most CISOs Information Security Playbook. It’s fairly challenging to continually develop new and engaging Security Awareness ideas, content, and dissemination schemes. It’s common for a CISO to tag their marketing department to develop creative content and fresh ideas for delivery. It is recommended you enlist any and all help you can get from creative marketing teams. Everyone on the Information Security team has a responsibility to take up the Security Awareness flag and take a turn disseminating a Security Awareness message. There’s many avenues which this can be completed, but at a minimum everyone on the team should have an obligation to deliver training at least once a year.
7. Day’s 61-70
Formalize your Information Security Program Strategy. Four months to develop a strategy might seem like too long, but considering your prerequisites of developing your vision (figuring out how good you want your Information Security Program to be), and completing your Information Security Assessment (figuring out how good your Information Security Program is today) you’ll need sometime to put all these data points together. Your strategy should ultimately be your roadmap to delivering you program. Some ingredients to a successful Information Security Roadmap and Strategy include:
- a maturity model for each competency you plan to develop in-house,
- consideration of how/if an Managed Security Service Provider (MSSP) helps you mature quicker for less money,
- fiscal capital costs to develop a competency and how the investment improves the maturity of the program,
- fiscal operational costs to develop a competency (headcount, etc) and how the investment in staff and operations improves the maturity of the program.
It’s important to remember Information Security is a Risk Management exercise and to mitigate Information Security risks costs time and money. In some cases it might make sense to mature an Information Security competency to 90% of the potential capability because the additional 10% improvement might be cost prohibitive. Developing this Information Security Roadmap and being purposeful about investment and return on investment will help gain traction for your future budget.
Identify Objectives for your Information Security team. Once your Information Security Strategy is complete (or currently in development), you should begin developing your Annual Information Security Playbook. This Playbook should outline how your Information Security team delivers on your strategic Information Security objectives for the year. The projects you assign your team members to in the Playbook should tie to professional development plans. Your Information Security Playbook can also be a mechanism which to hold people accountable for the work they perform.
8. Day’s 71-80
Monitor your Information Security Program Delivery. Based on your Information Security Program Strategy and your Information Security Playbook, you have solid platform which to track progress of your strategic deliverables, the tasks that are on track and those that are falling behind. Given all the work you’ve put in to date you now have a good mechanism to measure your program and more importantly have an early warning system when your Information Security Program begins to deviate from the plan. This can be used as a component of your overall Information Security Governance processes.
9. Day’s 81-90
Continue monitoring Information Security Program Delivery. Depending on the number of initiatives you have in your Information Security playbook and the number of Senior Team Leaders you might need to jump in to help Junior Leaders get started and gain traction.
Preset at an all Company Meeting. If you have the opportunity to do so, you should take advantage of an All-Company meeting to talk about the Information Security program, what to expect and how to engage with the Information Security team. The sooner you can get onto the agenda to present–the better, but when you do talk hopefully you’ve had enough time in your role to form some contextually relevant material about vision and how Information Security can help your business succeed in their goals and objectives. While everyone on the Information Security team has an obligation to perform or deliver some level of Security Awareness, this is your opportunity as CISO to do your part toward Security Awareness and share the Information Security brand with your company.
10. Day’s 91-100
BCP/DR Planning. If you have responsibility for Business Continuity Planning and Disaster Recovery, it is time to look into performing or refreshing your Business Impact Analysis (BIA) for Business Continuity Planning (BCP). Depending on the size of your business and Executive support received will drive the level of effort required here. In other words, if you need to convince other executives to “give-up” resources to help with BIA and BCP efforts then it might take a little longer to complete this effort. However, while you organizationally and politically posture your BIA and BCP efforts, you can start to collect your asset inventory for the complementary Disaster Recovery (DR) efforts.
11. Day 101
Enjoy a celebratory beverage. You’re on your way to building a top-notch Security Program. By this point you’ve completed some significant tasks including:
- completed an Information Security assessment of your Organization,
- built solid working working relationships with your Business Peers,
- improved on your Information Security budget,
- developed staffing development plans for your Information Security staff.
- completed an Information Security Strategy, Plan, and operationalized an Information Security Playbook,
- established a great working relationship with other Executives and the Information Security Steering Committee or Board of Directors.
You have built a solid foundation for your Company’s Information Security program and you’ll be well served for future growth with the ability to recruit and retain top talent.