Todd Fitzgerald is a builder. An information security leader for more than 20 years (and an IT pro for even longer) he has encountered a common theme in his career: He's the guy who is asked to create programs from scratch.
He started the software life cycle development program in one organization. The data-modeling initiative in another. As he moved from industry to industry, and from one Fortune 500 company to another, he helped launch many organizations' initial security efforts.
"I'm used to being the CISO walking in the door for the first time and getting things off the ground," says Fitzgerald, now managing director of CISO Spotlight. His latest book, "CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers," was published late last year. He is also co-author of "(ISC)2 CISO Leadership: Essential Principles for Success, "Information Security Governance Simplified: From the Boardroom to the Keyboard," and co-author for the E-C Council's "CISO Body of Knowledge."
What has Fitzgerald learned in more than two decades? Go slowly. There are vital steps to take before a security manager should even think about change.
As more organizations invest in security, the role of the chief information security officer is growing and evolving. But those CISOs who fill roles often don't stay long. A recent survey of CISOs from Nominet found the majority of CISOs said average job length was less than three years (55%), with nearly one-third (30%) saying less than two years.
In a role that often offers only a short time to make an impact, where should these security managers start when they first arrive in an organization?
A New CISO's First Priority: Listening
Practice patience. "It takes restraint to not suggest solutions in those first few weeks," Fitzgerald says. "But I think one of the most important things to do first is understand the culture of the organization."
A period of listening and observing is paramount to comprehend why things are being done the way they are, he says. Preconceived notions will only hinder your efforts to understand what makes employees tick, he says.
"There may be a whole lot of reasons why the environment is the way it is," Fitzgerald says. "If you go in there and start to make observations that are critical, you don't know who it is you might offend. You really do have to listen to how things got the way they are."
It is also a time to understand where the security department has been and what changes might be expected going forward.
"Was there a recent data breach? Why are you there? Why is your predecessor gone?" he advises asking.
Meet Your Team
Plan to have one-on-one meetings with your direct reports to understand their strengths, weaknesses, and insights on security strategy. Tap their institutional knowledge and build trust so they know they can come to you with concerns and feedback.
It's also a time to get to know the multigenerational workforce dynamics on the team. Fitzgerald devotes an entire chapter of his latest book to the topic.
In a blog post from Ken Xie, CEO of Fortinet, he notes there are now three generations of security workers. The first generation founded initial security efforts and departments and were focused on securing network connections with legacy tools and strategies. The second generation of security continued to protect traditional networks in new ways. Now a third generation is emerging to protect digital organizations.
Each of these security team members will bring different perspectives about the mission and goals of your security efforts. It is important to understand each of them by taking the time to have listening sessions.
"When I have done these sessions with people, we wind up with a greater understanding of one another," Fitzgerald says. "I think it is really important to get to know each other before you can get things done."
Build Bonds Outside Security
Beyond the core security team, those first few months are also a time to build connections with key stakeholders outside of security. Sit down with leaders and decision makers in finance, human resources, marketing, and other lines of business.
Fitzgerald advises putting together a short but informative presentation that can be used to engage senior leaders around the business.
"I would go around to all senior executives, managers, and staff and put together 20-minute PowerPoint presentation on what I do and what I think my role is," he says. "Then listen to their concerns about what they have seen work, what they have not. It's a great time to not push your agenda, but to really build relationships."
Focus on Driving the Business
With those executive and management meetings under your belt, it's time to shift focus to how the security department will not only defend critical data and assets, but add value and further the business mission.
Return on investment matters for security today, and CISOs are increasingly asked to demonstrate that whenever they make the case for budget. While it may not be possible to measure direct ROI for every aspect of cybersecurity, the end goal is to optimize investments through a combination of people, processes, and technology. CISOs should plan to create a road map for their next few months with these objectives in mind, Fitzgerald says.
"This starts by recognizing management is motivated by their own goals," he explains. "There has to be an honest attempt to try and understand what the major initiatives are for them. What do they want to do this year? How can security make that easier for them?"
Finally, Make an Action Plan
Within 60 days, new CISOs should establish a draft action plan. Look at it merely as a draft of your vision, open to revision.
Then, according to Fitzgerald, share that strategy and invite feedback from other stakeholders in the organization. And be ready to make changes. Your security strategy will always be a work in progress.
"People want to know what are you going to do for them," Fitzgerald says. "And you need to start there when you're explaining your plans to them."
- Haas Formula 1 CIO Builds Security at 230 MPH
- 'Culture Eats Policy for Breakfast': Rethinking Cybersecurity Awareness
- 5 Ways to Improve the Patching Process
- The State of IT Operations and Cybersecurity Operations