A Handy Reference for Maximizing Your Impact as a New CISO
When a new CISO or Director of Security takes over this top cybersecurity role, the first 100 days offers an opportunity to assess cyber risk, review the cybersecurity program and maturity, as well as establish data security priorities and demonstrate some initial wins that the c-suite will notice and applaud. My goal is to give you a set of strategic steps that gives you a clear view of your organization’s current-state and set a future-state. These steps are all part of our CyberLean methodology.
New CISO: Leadership wants to see you hit the ground running and establish a roadmap to meet business & security objectives
As the CISO role evolves from one that is highly technical to becoming a greater business influencer, more organizations are adding this c-level role to their organization. Fortune 500 companies went from 70 percent in 2018 having a CISO to 100 percent expected in 2021. But, as mid-tier companies become a greater target of hacks and ransomware, more are hiring a security director or CISO as well or utilizing virtual CISO services.
First 100 Days To Dos:
- Ramp up and demonstrate your understanding of how the organization works and how cyber has traditionally been viewed and approached.
- Engage and build rapport with all key organizational stakeholders, which will be invaluable to creating a trustworthy and capable first impression, as well as reveal important insights and opinions.
- Think about how you want to be viewed and the top three qualities or values you want to demonstrate, which will establish a positive personal brand within the organization.
New CISO: Prepare for your new cybersecurity role and duties
Prepare for your new role before you start by doing your homework. Intel is a new CISOs friend.
First 100 Days To Dos:
- Research information about your boss, leadership and your colleagues, as well as folks who may be on the team you will be leading.
- What issues is the organization facing that may impact cybersecurity? Any news items, interviews, or social media to indicate past challenges, future business direction, what competitors are doing, and possible roadblocks.
- Draft your initial communications that would go out to various stakeholders – leadership, your team, the entire organization. Is there a “welcome” message coming from the CEO to announce your role and any vision?
- Make a list of what potential teams and leaders you will want to engage quickly. Draft up meeting invites and agendas templates at the ready.
Six Cases: When to Choose a Virtual CISO vs. CISO as a Service
CyLumena explores six client cases to share tips on when to choose a Virtual CISO or CISO as a Service.
New CISO: Perform high-level assessment of your organization’s security maturity level
Getting your hands dirty and digging into a high-level current-state assessment will give you a greater sense of where the cyber program stands (if there was one previously). Different from an IT audit, your initial assessment might need to be comprehensive to reveal the strengths, weaknesses, and risks buried within analysis. It’s important to capture what is working well with current cybersecurity activities while identifying security challenges, risks, and opportunities. Your assessment will give you an opportunity to rank order potential priorities.
First 100 Days To Dos:
- Review the existence, frequency, and scale of negative security events over the past three years.
- Assess the overall maturity of any existing cybersecurity program or processes in place.
- Look into metrics that demonstrate the importance of data security and privacy protections as they are tied to customer satisfaction and business goals, as well as potential financial impact.
- Compare the organization’s responsiveness to cyber incidents against industry standards and/or benchmarks. Is there a business continuity plan or business impact analysis in place?
- Assess the value delivered by any security vendors, partners, or auditors.
New CISO: Create new or upgrade existing cybersecurity strategy
Once you’ve had a taste of leadership’s appetite for cybersecurity and conducted your own assessment via data analysis and conversations, it’s time to create a compelling cyber strategy or determine needed upgrades and improvements that align to business objectives.
First 100 Days To Dos:
- Draft a vision for the cybersecurity program and socialize with stakeholders to establish your priorities and to gain trust and buy-in with the program’s direction and goals.
- Define what resources you will need to realize the strategy and direction you want to take data security, including people, metrics, and financial constraints.
- Share these security plans with leadership (particularly the CFO) and, once approved, rollout a communication plan with your team, line managers, and key stakeholders in other departments.
The Problem Of CISO Turnover
Why do CISOs leave and what you can do to ensure cybersecurity continuity.
New CISO: Establish a focused cybersecurity roadmap, addressing security remediation, organizing your team, updating your cyber budget
Creating a roadmap is where all of the preparation, analysis, and strategic planning takes hold in action. Your roadmap should include the top five challenges that should be prioritized with a specific focus on actions to take and metrics to achieve in the first three to six months.
First 100 Days To Dos:
- Design a security roadmap focused on select near-term priorities.
- Ensure every goal in the roadmap has measurable outcomes desired and metrics that will be monitored.
- Stress the evidence for these focus areas to ensure initial success.
- Create, or realign, the cybersecurity budget to match priorities for year one.
New CISO: Set clear expectations and performance monitoring management
Now that you’ve conducted your assessment, determined your strategy, and established a budget, it’s time to set oversight and governance around the roadmap and the cybersecurity improvements you want to achieve.
First 100 Days To Dos:
- Before implementing your strategy, determine the metrics baseline that you will use to measure success against.
- Capture corresponding metrics during set intervals throughout the roadmap, demonstrating progress towards outcomes.
- Meet regularly with leadership, any governance teams, and security project leaders for monthly updates.
- Periodically review how shifting business objectives and financial constraints impact your budget and resources needed.
- Connect the dots between the value of achievements, results from the roadmap, and return on the cyber investment to the business.
New CISO: Build, enhance, and grow your cyber team
Honestly, once you’ve established yourself as a cyber and business leader (aka a modern CISO), it’s time to grow and train your team to meet the cyber needs of the moment but also your future plans. Your ability to set strategy, gain leadership buy-in, and navigate c-suite priorities is only as valuable as your ability to encourage, mentor, and challenge your team.
First 100 Days To Dos:
- Assess the roles on your team or design a near-term, future-term vision of how your team needs to evolve over the next one to three years.
- Align new hires, promotions, and training/certification budget needs to the overall cyber priorities and strategy.
- Ensure a clear line of sight from individual employee performance goals to cyber priorities.
New CISO: Make the most of your first 100 Days
Taking these initial steps will set you up for success and reveal quick wins as you ramp up bigger plans. As you tackle this crucial first months, look for ways to “multiply yourself” with outside resources or a temporary CISO side-kick like a virtual CISO service.
First 100 Days To Dos:
- Let’s sync up for a CISO intro call. Getting an outsider’s perspective can be beneficial even if it’s prior to your start date.
- Consider hiring a team to support your current-state assessment. Using a cybersecurity firm gives you a non-biased perspective and input to inform your roadmap.
- Request a complimentary cybersecurity review.
