Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Nik Whitfield
Nik Whitfield
Connect Directly
E-Mail vvv

5 Steps to Success for New CISOs

You've been hired to make an impact. These tips can help set you up for continued success.

There are two fundamental truths for anyone working in security. The first is that there is an increasingly sophisticated threat landscape, making it impossible to be 100% secure. The second is that humans are human, and mistakes will be made, but potential errors have increasing impacts.

Combine these two truths with rapid technological change and the need for organizations to stay relevant in the digital age, and the role and importance of the CISO must evolve significantly. Without doubt, cybersecurity is now a boardroom discussion. If you're a CISO,  you've been hired to make an impact, and with any new leadership role, it's difficult to balance the business, your goals, and the relationships you're forming. The following will help set you up for continued success.

1. Use and Automate Data 
Don't fly blind. You want quick clarity on security performance and the measures, controls, and frameworks you're using to define this. Don't assume any person or system is able to give you the full picture. There are several options available, all of which come with pros and cons. Audits from large consultancy firms are popular but will only give you a single snapshot in time, meaning that the conclusions will be out of date almost immediately. 

And of course, static manual audits aren't automated. Any reporting to show improvement, monthly status requests, or even ad hoc insight requests from your board will require your team to deliver manual updates or another audit. This route is expensive. You could see much of your hard-won budget going toward audits or manual reporting rather than improving security.

Be aware of the manual reporting process. Gathering, cleansing, and unifying data to connect the dots isn't straightforward. The battle to find out what information has been missed is never-ending. The result is information that may or may not give you an accurate view, and quickly, you could be back where you started. Automation brings tangible benefits: speed, reduction in error, and greater insights as computers may well capture things teams can't see in the pressure to complete the task. 

2. The Devil Is in the Inventory
Understanding what you have and should be protecting seems obvious, but this often is a challenge. Clarity on what you have (devices and apps), where it all is (region or business line), and who is using it (identity) is critical for making fast, accurate decisions. Make sure your approach leverages and cross-references data from across HR, business, security, and IT to capture as many devices as possible. 

It's essential to have a breakdown of devices by, at least, technology and business attribute aligned to your business strategies, such as region or product line, to understand your exposures and measure your risk

3. A Risk-Based Approach 
Without insight into your risk appetite, you can't start to drive a risk-based approach to security or even begin to understand if you have the right budgets or ROI measures in place.

Once you've established this risk appetite, determine your level of acceptable cybersecurity risk, and what controls you need in place to support this. To do all of this effectively, you must break down communication silos and connect the dots across the executive suite to security and IT. The goals are getting alignment against agreed acceptable risk, and creating an operation plan that focuses your limited resources on the areas of remediation where there is the most significant return.

4. Remember Relationships 
As the role of CISO evolves, it's becoming a key conduit between the business, IT, and risk teams. It's inherently an interdepartmental/interdisciplinary role and, due to the nature of the relationships, one that tends to govern by influence. This requires trust. Working off a single source of trusted data becomes critical to building that trust.

All teams that touch the security process need to be aligned behind and feeding into a single source of trusted data. If not, time and effort will be wasted on arguing over the validity of the data, creating setbacks in any security improvement process. 

5. Spokesperson for Cybersecurity
You will elevate your role within the business if you can communicate the plain facts about security, risk, and compliance with confidence to get buy-in for your plan and strategy. When providing information to the C-suite, it's vital to remember this team is accountable, too, and can help ensure that the entire company is appropriately prioritizing your initiatives. Make sure you have the technology and procedures in place to be able to provide timely, accurate, and appropriate information to stakeholders. The last thing you want to do is report improved results to the board only to retract this information at the next meeting because you didn't have the full picture due to incomplete data.

Three key indicators will help you avoid pitfalls: timeliness, accuracy, and appropriateness. You can't be 100% secure, but you can be 100% sure of your position.

By solving the data challenge and moving to a risk-based approach, modern CISOs address the basics of enterprise cyber hygiene and drive a more aggressive approach. An ever-improving cycle of data gathering, insight, and efficient use of resources will create a machine that will automate improvement and improve security, allowing you to build key relationships based on trusted, accurate data.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Nik Whitfield is the founder and CEO at Panaseer. He founded the company with the mission to make organizations cybersecurity risk-intelligent. His  team created the Panaseer Platform to automate the breadth and depth of visibility required to take control of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-27
A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integ...
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter.
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2...
PUBLISHED: 2020-01-27
In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client.