[BreachExchange] Challenges of a New CISO: The First Year
Destry Winant
destry at riskbasedsecurity.com
Wed Jun 3 09:42:13 EDT 2020
https://securityboulevard.com/2020/06/challenges-of-a-new-ciso-the-first-year/
The first year as a new CISO can be exhilarating and at times
downright frightening. You have a lot to prove and minds to win over,
but you also have the opportunity to start fresh and make a big
impact.
Early on, the emphasis is on learning the lay of the land of your new
organization, assessing the company’s security maturity level,
developing a business-focused security strategy and building up the
relationships and political capital needed to make it a reality. But
what happens once your first month, your first quarter is under your
belt? You have a solid strategy in place and you’ve survived your
first board meeting … what’s next?
How Will You Put Your Plans into Action?
Security doesn’t happen in a vacuum. Even when you have sign-off and
budget for your initiatives, executing consistently requires
considerable political sway.
In other words, it’s time to cash in on the political capital you’ve
been building from Day 1.
One of the biggest mistakes you can make as a new CISO is not
maintaining strong lines of communication with key stakeholders,
business leaders and risk owners. And we’re not just talking about IT
leaders; senior executives in finance, personnel and operations all
have a significant stake in the success of your security initiatives.
The level of friction you experience will be dependent on the
political environment of your organization. Most organizations have a
low appetite for change (even if they claim otherwise) and your best
chance of overcoming the difficulties this can cause is to build and
maintain strong relationships with key business stakeholders.
Be Seen as a Business Enabler
One of the most important tasks for any CISO, new or experienced, is
the need for security to be seen as something more than a cost center.
If your program is seen as not related to business objectives, it will
be extremely difficult to get traction for your initiatives.
But what does it mean to be a business enabler? At a basic level, you
can tie security to business objectives by asking questions such as:
How much is our reputation worth?
What impact would a breach have on our ability to do business?
However, these questions, while undoubtedly important to answer, are
rooted in negativity. Seen in this light, security is still something
that holds the organization back from doing valuable things.
To really be seen as an enabler, you need to go a stage further. For example:
- Could we enter new markets if we were confident in the security of
our data and assets?
- Could we be early adopters of blockchain/IoT /something else if our
house was thoroughly in order?
- Would it be easier to win government contracts if we could be sure
of meeting regulatory requirements?
Managing stakeholder perceptions of a security program is exclusively
the domain of the CISO. If you want your program to be seen in a
positive light, you’ll need to do two things:
Invest your energy in building the relationships and communication
channels needed to engage with key business stakeholders.
Actively look for ways to tie your initiatives to important business objectives.
Demonstrating Business Value
As you settle into your role as a CISO, one of the most important
functions of program measurement is using metrics to tell a
story—specifically, the story of where the organization is in the
security journey.
For example:
- Have your initiatives led to a reduction in wasted time for IT staff
because they aren’t constantly having to rebuild PCs that have been
infected with malware?
- Is the uptime of vital IT systems higher as a result of improved
security controls?
- Have phishing awareness tests reduced malware outbreaks and reduced
incident management needs?
Identifying and communicating the business benefits of a security
program is often difficult, but it can make a substantial difference
in the way security is seen by the business.
When it comes to communicating with the board, make sure you’re
staying on top of the “latest and greatest” threats—particularly those
that have featured heavily in the media. Demonstrating that you’re
proactively preparing for new threat vectors is an excellent way to
win board trust in your security program.
Handling Changes to the Business Landscape
Changes to the business environment—mergers and acquisitions in
particular—can have an important impact on your security strategy and
program.
Depending on the scale of change, you may need to conduct a new
assessment and develop an entirely new security strategy. This is
particularly likely if your organization moves into a new industry
that’s heavily regulated. Buying a government defense contractor, for
example, is a surefire way to turn a security program on its head.
Fortunately, security also has a valuable part to play in major
business change projects. If your organization is considering adopting
new technology or buying a company, having a seat at the executive
table as a CISO gives you the opportunity to add significant value.
- How much will it cost to securely adopt a new operational technology
(OT) solution?
- What is the state of security at a company you’re acquiring? How
much will it cost to reach an acceptable level of security? Can that
amount be negotiated off the purchase price?
Of course, getting a seat at the table for major change initiatives is
far from guaranteed. As usual, you’ll need to campaign for the access
you need to add this type of value and continue building on the
relationships and political capital you’ve been accumulating since Day
1.
Non-Negotiables of an Effective CISO
Fundamentally, being an effective CISO boils down to two things:
- Building and maintaining relationships with key business stakeholders.
- Being able to evidence the business value of your security program.
If you can do these two things consistently throughout your first
year, you’ll pave the way for a strong, business-focused security
program.
More information about the BreachExchange
mailing list