[BreachExchange] Navigating Your First Month as a New CISO

Destry Winant destry at riskbasedsecurity.com
Thu Oct 3 01:55:28 EDT 2019


https://www.darkreading.com/risk/navigating-your-first-month-as-a-new-ciso/a/d-id/1335926

The single most important thing you can do is to start building the
relationships and political capital you'll need to run your security
program. Here's how.

In any new job, it's important to assess the lay of the land. But when
you start a new CISO role — whether it's your first or fifth — there's
more to it than getting to know new co-workers. You need to appraise
the political landscape of the organization.

Why did this organization need a new CISO? Did the last person simply
move on, or was there an incident? Often, CISOs are asked to move on
in the event of a serious breach. In these cases, whoever is next in
line typically has a lot more license to make changes than they would
in an organization that had not recently been breached.

Alternatively, were you promoted from within? If so, you should
already understand how things work, but you'll need to quickly
acquaint yourself with the political realities of being a security
leader.

Once you understand your starting point, there are four key questions
you'll need to answer during your first 30 days on the job:

Question 1: How does the organization view the CISO role? Are you part
of the executive team, or is it a less senior, more operational role?
The amount of "power" associated with your position will have a big
impact on your ability to make changes.

Question 2: Who does the role answer to? Is your boss the CEO, or an
executive who answers to the CEO? If so, you'll have a lot more
political sway than if you're reporting to somebody lower down the
food chain.

Question 3: What is the organization's tolerance for risk? Find this
out by speaking with your boss and/or the CEO, members of the board,
and even your predecessor, if possible. Have there been any recent
security or privacy incidents, or negative media attention? Are any
regulatory bodies involved? Understanding the organization's risk
tolerance — both culturally and what's needed to satisfy compliance —
will help you determine the foundation of your security program's risk
management and investment strategy.

Question 4: What is the organization's appetite for change? This will
determine how ambitious you can be with your plans to improve the
security program. Keep in mind that most organizations don't have much
appetite for change, even if it's fashionable to claim "innovation"
and "reactiveness" are part of the organization's DNA. Ironically, a
quirk of the CISO role is that life is often easier if your
organization has recently been breached, especially if it was
publicized in the media. Why? Because the appetite for change in an
organization that has suffered a breach is typically much higher than
in an organization that hasn't.

Assessing the Current State of Security
Before you can think about improvements, you will need to assess the
maturity of your security program. This should be done with a
recognized industry framework in mind, for two reasons:

1. Linking to a framework people know will give your assessment
credibility; and,
2. Even if done only at a high level, linking to a framework helps
you compare your maturity with other comparable organizations and/or
industries.

The framework you choose will depend on your industry and geography.
Since many frameworks are "control" focused, your maturity assessment
may need to extend beyond the bounds of those controls and include
more strategic elements: for example, how well you align with the
business, or your ability to get funding and resources allocated
across the organization to improve the controls outlined in the chosen
framework.

Ideally, you should have your program assessed by an external
organization. Having an external assessor makes life much easier
politically when issues are raised, compared with "the newbie"
pointing out problems. If an external assessment isn't possible,
whether for lack of resources or because the company is predisposed
against external assessments, you'll need to arrange for an assessment
to be completed internally.

If an assessment was completed before you were hired, you will need to consider:

- What was the purpose of the assessment?
- Was it internal or external?
- Can you rate the quality of the assessors?
- Was it comprehensive and in line with an industry framework?
- Is there any discernible bias in the results?

Whatever happens, you'll also want to conduct your own private
assessment. So long as the formal assessment matches approximately
with your own, you should be in a good position to move forward.

Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start
building the relationships and political capital you'll need to run
your security program. This is going to require a lot of your time —
particularly if this is your first CISO role — and the first month is
critical.

Speak with key players in the business — members of the executive
team, in particular — to understand how security is perceived and what
you can do to ensure your program is seen to enable the business
instead of holding it back. The CISO who is perceived as a business
enabler will instill confidence in his or her leadership and program
within the organization.

Your ability to make these connections will depend on your standing.
If you are a C-level executive (or your boss is) it will be much
easier to arrange the meetings you need to introduce yourself and
start building key relationships. Lower down in the hierarchy, you may
need to look for other ways to make contact — for example, by setting
up a risk committee that includes senior members of each department.
