A New CSO’s 8-Step Guide on How to Succeed
Do you have a new job as the Chief Information Security Officer (CISO), Chief Security Officer (CSO), the Security Information Manager or something similar? Congratulations! You’ve just received a great job opportunity – one that can either be your dream job, your worst nightmare, and sometimes both simultaneously.
- Before you start/accept the job offer:
If you’re still negotiating about the position or have yet to have a job interview, ask these questions:
- What are the main priorities of the organization?
- How are the security department and the reporting channels organized?
- Why is the position vacant right now? (Replacement, newly structured position)
- How is the budget process structured?
You should do your own homework and acquire some knowledge about the company’s industry. It will prove to be very crucial that you understand all the company’s business priorities.
- Your first week:
When starting your new job, you’ll have access to internal information. Use those first days, as no one will bother you too much. If your predecessor is still working, use this for gathering info on the current situation, ongoing projects and important stakeholders. If there is an existing security team, introduce yourself and take time to talk to each member. Look at all or at least a large share of the recent documentation and read different shared folders and sharepoints.
- Your first month:
This is the perfect time for building relationships and networking in your new environment. Do it even if you’re a new employee, because you’ll need some new allies for the position.
- Positions and departments that are worth visiting for coffee or a quick chat:
- IT Manager/ CIO
- Data protection
- Law department
- Corporate communications and PR office
- Customer service
- Internal audit
- Personnel management/Human Resources
- Works council
- Facility management (or the department that is responsible for physical safety)
- Executive assistant
- The first 100 days:
As in politics, the first 100 days are for strategic planning. Start with assessing the current situation and look at standards, e.g. ISO certifications. Pick the crown jewels right away – that is assessing business parts with the highest demand for protection. Look at them in depth and try to find all crucial dependencies they entail (e.g. IT-systems, suppliers, different office locations). Do cyber maturity checks. That’s how you gather important technical and organizational loopholes.
Group those into different topics and into interrelated projects. Illustrate dependencies and prioritize different topics (main risks first, followed by measures that take care of many different risks, meaning you start with the highest return-on-invest). This will be your strategic three-year plan and the core of your InfoSec agenda.
Let the management board sign off on the risk observation and the migrating plan or request clear and well-documented statements as to what risks are accepted. Convey the plan to all affected colleagues.
- The first year:
Now you start the projects you have planned. Don’t overburden yourself! Even if you receive enough budget (you need a conclusive risk argumentation), you and your team will have a limited amount of ‘horsepower’ you can work with. Security projects can be very excruciating for the rest of the company and often entail major changes in the company processes that are rather difficult to handle.
Don’t take up more than 3 security projects running simultaneously. One of those projects should be the construction or tailoring of an Incident Response plan, and all important stakeholders should participate in the corresponding simulated exercise.
- The first three years:
Check your plan at least once every year and report to the executive board, so you can adjust it together if necessary. Do your projects and communicate your success. Learn from operative topics and optimize them accordingly.
Potentially, there have been IT/Security breaches in the last three years. Use newly gained insights for huge awareness measures within the organization and talk about it as much and often as possible (but ensure that the executive board is okay with open communication; include them in awareness measures).
- What to read:
Invest some time and try to read a lot of security blogs such as Bruce Schneier, Grugq, Brian Krebs or the The Hacker News to stay up to date.