Nik Whitfield

5 Steps to Success for New CISOs

You've been hired to make an impact. These tips can help set you up for continued success.

There are two fundamental truths for anyone working in security. The first is that there is an increasingly sophisticated threat landscape, making it impossible to be 100% secure. The second is that humans are human, and mistakes will be made, but potential errors have increasing impacts.

Combine these two truths with rapid technological change and the need for organizations to stay relevant in the digital age, and the role and importance of the CISO must evolve significantly. Without doubt, cybersecurity is now a boardroom discussion. If you're a CISO, you've been hired to make an impact, and with any new leadership role, it's difficult to balance the business, your goals, and the relationships you're forming. The following will help set you up for continued success.

1. Use and Automate Data
Don't fly blind. You want quick clarity on security performance and the measures, controls, and frameworks you're using to define this. Don't assume any person or system is able to give you the full picture. There are several options available, all of which come with pros and cons. Audits from large consultancy firms are popular but will only give you a single snapshot in time, meaning that the conclusions will be out of date almost immediately.

And of course, static manual audits aren't automated. Any reporting to show improvement, monthly status requests, or even ad hoc insight requests from your board will require your team to deliver manual updates or another audit. This route is expensive. You could see much of your hard-won budget going toward audits or manual reporting rather than improving security.

Be aware of the manual reporting process. Gathering, cleansing, and unifying data to connect the dots isn't straightforward. The battle to find out what information has been missed is never-ending. The result is information that may or may not give you an accurate view, and quickly, you could be back where you started. Automation brings tangible benefits: speed, reduction in error, and greater insights as computers may well capture things teams can't see in the pressure to complete the task.

2. The Devil Is in the Inventory
Understanding what you have and should be protecting seems obvious, but this often is a challenge. Clarity on what you have (devices and apps), where it all is (region or business line), and who is using it (identity) is critical for making fast, accurate decisions. Make sure your approach leverages and cross-references data from across HR, business, security, and IT to capture as many devices as possible.

It's essential to have a breakdown of devices by, at least, technology and business attribute aligned to your business strategies, such as region or product line, to understand your exposures and measure your risk.
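The cross-referencing described in this step is easiest to see in code. The following is an added example (not part of the original article or of any Panaseer product) that merges three constructed inventory feeds, a CMDB export from IT, an endpoint agent (EDR) console export from security, and a device-assignment export from HR, into one record per device, then reports which devices are missing from which source and breaks the estate down by region or device type. Every record, field name and hostname below is hypothetical sample data; real feeds will need their own normalization rules.

```python
from collections import Counter, defaultdict

# Constructed sample feeds (hypothetical data, not from any real organization).
# Each source knows a different slice: the CMDB knows location and type, the
# EDR console knows which hosts actually run the agent, HR knows who owns what.
CMDB_EXPORT = [
    {"hostname": "ws-001", "serial": "SN1001", "region": "EMEA", "type": "laptop"},
    {"hostname": "ws-002", "serial": "SN1002", "region": "EMEA", "type": "laptop"},
    {"hostname": "srv-db-01", "serial": "SN2001", "region": "AMER", "type": "server"},
    {"hostname": "srv-web-01", "serial": "SN2002", "region": "AMER", "type": "server"},
]
EDR_EXPORT = [
    {"hostname": "WS-001", "last_seen_days": 1},
    {"hostname": "SRV-WEB-01", "last_seen_days": 0},
    {"hostname": "ws-003", "last_seen_days": 2},  # known only to the EDR agent
]
HR_EXPORT = [
    {"employee": "a.lee", "device_serial": "SN1001", "business_line": "Retail"},
    {"employee": "b.kim", "device_serial": "SN1002", "business_line": "Retail"},
    {"employee": "c.ng", "device_serial": "SN3001", "business_line": "Wholesale"},  # serial unknown to IT
]


def norm(host):
    """Tools disagree on hostname case; compare case-insensitively."""
    return host.strip().lower()


def unify(cmdb, edr, hr):
    """Merge the three feeds into one record per device, keyed by hostname.

    Each record tracks which sources know about it, so a device present in one
    feed but absent from another is reported as a gap instead of silently dropped.
    """
    devices = {}

    def rec(host):
        return devices.setdefault(norm(host), {
            "hostname": norm(host), "sources": set(), "serial": None,
            "region": None, "type": None, "owner": None, "business_line": None,
        })

    serial_to_host = {}
    for row in cmdb:
        d = rec(row["hostname"])
        d.update(region=row["region"], type=row["type"], serial=row["serial"])
        d["sources"].add("cmdb")
        serial_to_host[row["serial"]] = d["hostname"]
    for row in edr:
        rec(row["hostname"])["sources"].add("edr")
    for row in hr:
        host = serial_to_host.get(row["device_serial"])
        if host is None:
            # HR assigned a serial the CMDB never registered: keep it as its own
            # record so it surfaces as a gap rather than vanishing.
            d = rec("serial:" + row["device_serial"])
            d["serial"] = row["device_serial"]
        else:
            d = devices[host]
        d.update(owner=row["employee"], business_line=row["business_line"])
        d["sources"].add("hr")
    return devices


def gaps(devices):
    """Devices missing from a source that should cover them."""
    out = defaultdict(list)
    for host, d in sorted(devices.items()):
        if "cmdb" not in d["sources"]:
            out["not_in_cmdb"].append(host)
        if "edr" not in d["sources"]:
            out["no_edr_agent"].append(host)
        if d["type"] == "laptop" and "hr" not in d["sources"]:
            out["laptop_without_owner"].append(host)
    return dict(out)


def breakdown(devices, attribute):
    """Count devices by a technology or business attribute (type, region, ...)."""
    return dict(Counter(d[attribute] or "unknown" for d in devices.values()))


if __name__ == "__main__":
    estate = unify(CMDB_EXPORT, EDR_EXPORT, HR_EXPORT)
    print("gaps:", gaps(estate))
    print("by region:", breakdown(estate, "region"))
    print("by type:", breakdown(estate, "type"))
```

The point of keeping `sources` on every record is that the unified view can answer the question the article raises, "what has been missed?", directly: a server with no EDR agent, a host the agent sees but IT never registered, and an HR-assigned serial nobody else knows all come out as named gaps, and the same records feed the region and type breakdowns without a second data-gathering pass.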

3. A Risk-Based Approach
Without insight into your risk appetite, you can't start to drive a risk-based approach to security or even begin to understand if you have the right budgets or ROI measures in place.

Once you've established this risk appetite, determine your level of acceptable cybersecurity risk, and what controls you need in place to support this. To do all of this effectively, you must break down communication silos and connect the dots across the executive suite to security and IT. The goals are getting alignment against agreed acceptable risk, and creating an operation plan that focuses your limited resources on the areas of remediation where there is the most significant return.

4. Remember Relationships
As the role of CISO evolves, it's becoming a key conduit between the business, IT, and risk teams. It's inherently an interdepartmental/interdisciplinary role and, due to the nature of the relationships, one that tends to govern by influence. This requires trust. Working off a single source of trusted data becomes critical to building that trust.

All teams that touch the security process need to be aligned behind and feeding into a single source of trusted data. If not, time and effort will be wasted on arguing over the validity of the data, creating setbacks in any security improvement process.

5. Spokesperson for Cybersecurity
You will elevate your role within the business if you can communicate the plain facts about security, risk, and compliance with confidence to get buy-in for your plan and strategy. When providing information to the C-suite, it's vital to remember this team is accountable, too, and can help ensure that the entire company is appropriately prioritizing your initiatives. Make sure you have the technology and procedures in place to be able to provide timely, accurate, and appropriate information to stakeholders. The last thing you want to do is report improved results to the board only to retract this information at the next meeting because you didn't have the full picture due to incomplete data.

Three key indicators will help you avoid pitfalls: timeliness, accuracy, and appropriateness. You can't be 100% secure, but you can be 100% sure of your position.

By solving the data challenge and moving to a risk-based approach, modern CISOs address the basics of enterprise cyber hygiene and drive a more aggressive approach. An ever-improving cycle of data gathering, insight, and efficient use of resources will create a machine that will automate improvement and improve security, allowing you to build key relationships based on trusted, accurate data.


Nik Whitfield is the founder and CEO at Panaseer. He founded the company with the mission to make organizations cybersecurity risk-intelligent. His team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of ...