Article updated in July 2018.
If you’re reading this post, you’ve probably been appointed as Chief Information Security Officer (CISO). Congratulations, this will be one heck of a ride!
Today’s CISOs are faced with a challenging task – developing and implementing an organization-wide security program that protects the organization from internal and external threats and demonstrates measurable ROI, all while aligning with corporate strategy and securing the backing of the board of directors and other C-level executives.
If this is your first time in a CISO role, you may be wondering how you can establish yourself as a credible and effective security leader in the eyes of your boss and employees.
In fact, your first 100 days on the job can make or break your success. According to the IT research organization Gartner, CISOs who approach their new role with a strong action plan for the first 100 days are more likely to succeed than their counterparts without a solid plan. We’ve gathered a few ground rules to follow to make your first 100 days as a CISO count*.
* Disclaimer: The recommendations below are meant to serve as guidance only, and don’t represent a comprehensive 100-day plan.
Before you can begin planning how to improve your organization’s security posture, you need to know exactly what you’re dealing with. A frequently recommended approach to developing a sustainable information security program is to take inventory of the security services and systems that are currently in place, and to find out whether metrics exist to measure their performance.
Ask yourself a couple of security-related questions:
Make sure to develop relationships with relevant stakeholders from different departments to get their feedback and point you towards resources that may be helpful. If you have predecessors in the CISO role, make sure to leverage their previous research and tools to complement your data and learn from their achievements and mistakes.
The more information you gather about the current situation, the more successful you will be in addressing challenges and proposing sustainable solutions.
As the threat landscape changes, so does your cybersecurity posture! To find out how secure your organization really is, make sure you can define and improve your security posture over time.
A security posture assessment can help:
By gaining a deep knowledge of your corporate vulnerabilities and the threats that can exploit them, you can be proactive about addressing these shortcomings and properly safeguard your data.
“Coming together is a beginning, staying together is progress, and working together is success.” – Henry Ford
The difference between success and failure is a great team. As CISO, you will not only engage with a variety of different departments but also need to ensure that your strategic initiatives are backed by a capable, driven and passionate team that is based on commitment, accountability, and mutual trust.
Before you begin materializing your game plan, make sure to meet with all employees who are currently involved in security-related projects, and identify whether you have enough resources on your team with the skills you need to make your plans happen.
If not, identify what roles are currently missing and recruit competent resources from within or outside of the organization. Once you’ve gathered your team, make sure to solicit everyone’s feedback in order to determine your rules of engagement, objectives, key performance indicators and career development opportunities in a comprehensive victory plan. A victory plan that is mutually agreed upon will help guide your team’s efforts, provide motivation for growing in their roles and avoid losing top talent to the competition, considering that specialized security professionals only average about 18 months in their role.
Skilled security professionals are a scarce commodity these days, and successful CISOs need to provide enough incentives for their team to stick around for the long haul. After all, it will take more than a one-man show to implement organization-wide and sustainable change – it will take a village.
A good CISO is somebody who combines technical knowledge with a strategic vision and excellent communication skills. To get buy-in for your security projects and a sufficient security budget, CISOs need to be effective communicators and get their point across clearly.
If you’re unsure about how your communication skills measure up, consider taking some professional training. Your team and your security posture will thank you for it.
The role of the CISO and other security executives evolves as quickly as today’s cybersecurity threat landscape. Unlike a couple of years ago, CISOs need to demonstrate that they possess deep technical knowledge as well as the necessary soft skills to perform well, such as establishing and maintaining effective lines of communication with a myriad of stakeholders and departments.
Jay Leek, CISO at The Blackstone Group, says that “a broad technical foundation with some depth combined with strong business leadership and communication skills will be a must for CISOs to succeed.”
According to Deloitte, the majority of CISOs “have to invest a lot of time to get buy-in and support for security initiatives”. In other words, communication and credibility have become critical success factors for CISOs. The more effective your communication skills, the easier you can gain executive cooperation to allocate funding for relevant security investments that would be crucial in implementing enterprise-wide change to protect your organization’s data assets. If you’re unsure about how your communication skills measure up, consider taking training on how to become an effective communicator.
Employees are often the first line of defense against cyberthreats and, at the same time, can be the weakest link of an organization. To reduce insider threats and negligence, make sure to offer regular security awareness training to all employees as part of a company-wide security program.
Successful CISOs recognize that employees are often their first line of defense against cyberthreats. According to Verizon’s 2016 Data Breach Incident Report, a whopping 63% of all data breaches involve using default, stolen or weak passwords and 30% of phishing messages were opened – a 23% increase in two years.
Over 75% of IT professionals report that their corporate data was lost or stolen over the last two years, with insider negligence being cited as the root source (Ponemon, 2016). Despite advanced cybersecurity protection mechanisms, attackers still rely on uninformed employees as their first entry point when hacking a corporate network.
What does this mean for you as a CISO?
Make sure to incorporate employee security awareness training in your company-wide information security program. Provide employees with easy-to-understand training resources and best practices to help them improve their cybersecurity skills and adjust their behavior towards data protection. If your workforce is dispersed, make sure to offer on-demand web-based training for easy access, and don’t forget to include links to printable how-to guides or infographics that employees can pin to their workstations.
When preparing your curriculum for the employee security awareness training, make sure to include the following elements at a minimum:
More about best security practices here: [Infographic] Top 10 Security Tips
“Thanks to the constant stream of mega-breaches, cybersecurity has moved from the server room to the boardroom.” (CFO, 2016)
Regardless of what strategies you propose during your first 100 days as a CISO, make sure that you have the buy-in of your board of directors in everything you do. Unlike a couple of years ago, CISOs are no longer just technology leaders, but “a strategic and integral part of the business management team”. To make sure that they are independent from the budgetary constraints and decision-making of the IT operations divisions, CISOs should report to executive management or the board. Effective CISOs are actively engaged in boardroom discussions and have visibility into the information they need to succeed, including the organization’s business strategy, financial standing, investment plan, risk tolerance, etc. According to Forbes, “the board has a fiduciary obligation to protect shareholder value, so the board needs to take security seriously”.
Unfortunately, most of today’s CISOs still struggle to get in front of the board to advocate for the crucial role of information security. A report on the collaboration between CISOs and the board reveals that “only 29 percent of respondents believe they get the support they need from their boards.” And yes, getting this level of support is still extremely difficult. To make sure that your board hears you out, get prepared to provide answers to the following questions:
“Your first 100 days as a CISO constitutes a “honeymoon” period. Within this brief timeframe, you must formulate a course of action, make connections, and establish and communicate a personal management style.” – Tom Scholtz, Research Vice President & Gartner Fellow, Gartner
Being a CISO is no piece of cake. In order to navigate today’s cybersecurity threat landscape effectively and fulfill their mandate to protect their organization’s data, CISOs need to build a solid foundation for their tenure during their first 100 days, and position themselves as capable cybersecurity leaders in front of the board of directors, the C-suite and their team. By sticking to a few essential ground rules, you are well on the way to becoming an effective and respected CISO.
Want to find out more about how a security audit can help CISOs build a comprehensive information security program? Check out our case study below to learn more about the value of penetration testing.