RSA CONFERENCE – San Francisco – A trio of high-powered CISOs talked about the first 90 days in their roles, and whether the aim was winning the board of directors' buy-in or building rank-and-file credibility, all three said that how they communicated mattered most.
The RSAC panel included Allison Miller, Reddit's CISO and VP of Trust; Olivia Rose, Amplitude's CISO and VP of IT; and Caleb Sima, CISO for Robin Hood. Chenxi Wang, founder of the Rain Capital venture capital fund, moderated the discussion.
On the practical side, Sima opened by explaining how, during his first few days with Robin Hood, he gathered simple data points he labeled "top challenges" and "things that scare me."
But Rose interjected that in many instances blunt statements like that could end up offending and alienating critical engineering and IT teams right out of the gate, which can make a CISO's job much harder.
The Internal Comms "Dance"
"It's a dance," Rose said. "You have to be careful not to offend those who have been handling this before you got there."
Rose suggests meeting members of other departments where they are.
"Whether it's infrastructure or executive, talk their language," she said. "And be very clear and persistent."
Sima disagreed, adding with a bit of a chuckle, "If you don't have any haters, you're not doing the right thing."
Regardless of the approach, both of them, as well as Miller, spent time early in their positions trying to sell a security program to internal teams whose priorities were often not aligned with their strategies. Miller and Rose said legal and compliance became their most natural partners inside the business.
"You've got to have allies," Rose said. There's often friction with engineering, infrastructure, IT, product, customer service, and others, but the legal and compliance teams have a clearer vision of the consequences of a security incident and can be invaluable in communicating them to the wider enterprise.
Communicating With the Board of Directors
Beyond everyday internal wrangling, these CISOs unpacked their communications approach with their respective companies' boards of directors. Sima explained he relies heavily on narrative to tell the story about where his team is right now and where it's heading. The techie stuff he drops in the appendix in case someone wants more detail.
When it comes to providing boards with data they can digest and use, Rose said she relies on the CMMI Cybermaturity Model and Sima and Miller said they lean on the NIST CSF framework.
"It's an easy way to visually show people who don't understand security where you need to be and why," Rose said.
Moderator Wang, who sits on a company's board of directors, suggested that boards should commission a third-party validation assessment so they can be assured that the information the CISO is providing is correct.
"The first board meeting should be about setting expectations," Sima added.
But for all the competing messages and audiences CISOs regularly juggle, during the first 90 days in the CISO chair, talking as little as possible is the best bet, Rose explained.
"Your first 90 days you should just shut up," Rose said. "You have to listen to what's going on."