A Look into a CISO’s First Quarter
Becoming a new CISO brings exciting new opportunities and responsibilities, but also new challenges and pressure. In the past few years, the role of the CISO has become increasingly complex as it evolves from a predominantly technical role into a more strategic, advisory capacity.
Navigating Your First Quarter as a New CISO
The first quarter as a new CISO is when the spotlight shines brightest and all eyes are on you. The pressure will be on to understand your new business, build relationships with your business peers, build a positive reputation for your department, and position the security function as a business enabler.
During those first three months you’ll need to tackle four critical stages: assess the current state of security and build a plan from that assessment, communicate the results, participate in board meetings, and measure the results of the plan.
Strategizing a Security Plan
One of the first notable landmarks in a new CISO role is the completion of an initial maturity assessment. Asking the right questions (What is the organization’s tolerance for risk? Do I need to educate on the concept of risk? Is the organization’s security program mature enough?), or simply learning about previous breaches, will help you draw your own conclusions about the state of the security program and whether or not it is based on an industry framework such as NIST CSF or ISO 27001.
However, the results of this assessment alone aren’t enough to inform security strategies. You need to decide what’s reasonable for your organization and know the current and desired levels of maturity for each security discipline. This will require a strong understanding of your regulatory environment, the security culture of the organization, as well as what is acceptable to your board and customers.
By completing this first stage, you’ll identify the top priorities, issues and gaps to create security strategies that will fit. Many CISOs struggle with prioritization at this point, trying to fix bigger, deeper business problems. This is the time to identify some small, manageable actions to start off with and build your political capital, while you work to understand and plan for long term important initiatives.
Communicating Maturity Assessment Results and Gaps
Once your plan is ready, you’ll need to strategize how to communicate the gaps you have identified to the rest of the business.
The first step is understanding how to frame the security needs of the company and how they relate to the business. It is essential to focus not only on the results but also on how you will address them. Remember that your goal is to get real cooperation from key stakeholders. You need to get top management and the different business departments on your side if you’re going to initiate real change, and that means using a light touch and sharing your plan in a language they will understand, tied back to overall business goals. Building relationships early is the key to success here.
CISOs need to be seen as business enablers. To that end, it will be critical to talk about how security initiatives will mitigate critical foreseeable risks to profitability, or how they will help expand the business into different areas. Try to focus on finding ways for your organization to generate revenue. This isn’t always possible, but aiding revenue growth should always be one of our key strategies.
The First Board Meeting
Whether this is your first CISO role or not, the first board meeting at a new organization is a big event. The average CISO can spend 40-80 hours preparing a presentation deck for each board meeting. And depending on how complex the organization is, they can also go through 5-25 iterations before the final version is reached.
Why so much effort? Because getting the board to buy in and support your security program is essential if you want to do your job right.
Fundamentally, your board needs an answer to one question: “Are we secure?” To answer this effectively, you’ll need to understand your board’s risk tolerance and what level of detail they expect from your presentations. Before you start preparing, try to find out what your board expects from you. Try to gain an understanding of prior board meetings as well as the board members themselves, and research what other boards and organizations they are members of. Having this knowledge will prepare you if and when difficult conversations arise, and will speed up building relationships with your board.
Your presentation should set the expectation that you can never be 100% safe from cyber threats, but that you can achieve a reasonable level of resilience and reduce risks to the business. You should dive into the specifics, including the maturity of the current program, the organization’s cyber risk level, where the gaps are, how you plan to address them, and what timeline you’d propose.
Finally, be aware that board members probably don’t have a grasp of basic security concepts, but they are actively showing interest. Many board members are CEOs of other companies, so they likely already have some exposure to security risks and initiatives. Try to translate technical security terms for a non-technical audience; CISOs today need to speak in business language. In today’s environment you will most likely have a member who is the board’s “Cybersecurity Expert” or an Audit Committee; focus on building a relationship with them as quickly as possible.
Forecasting and Measuring Results
Metrics play an essential role in tying security initiatives to the needs of the business. There’s just one problem: there is no universally accepted way to measure the effectiveness of security programs or the return on investment. Subjectivity plays a large part in strategic security metrics.
There are several crucial considerations when designing your measurement system:
- Give careful consideration to your audience’s needs. Your executive board will likely demand less operational detail than you’d need for a departmental meeting, and a slightly different focus from your risk committee.
- Give details on where your budget was allocated, the results you obtained, the number of incidents and vulnerabilities you were able to resolve, the trend in those numbers and how they have affected the company’s risk posture, the average time threats are in the environment before being removed (dwell time), and the effects of your initiatives on the overall risk levels of the organization.
- Choose and develop a set of metrics that will convey the success of the program and that meets the needs of all of your audiences. Ideally you will be ready to produce separate, focused dashboards for each audience you share your results with.
Ensure that your metrics are strategic in nature. Many CISOs today struggle in board conversations because they are reporting tactical items. Tell a story with your metrics and how they improve your company’s overall risk posture.
Closing the Quarter
After you have finished this cycle, new challenges and opportunities will arise. As you move forward, open communication and maintaining the new relationships you have formed will be paramount to continuing to build a security program that is inclusive and is viewed as a business driver.