In any new job, it's important to assess the lay of the land. But when you start a new CISO role — whether it's your first or fifth — there's more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.
Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.
Alternatively, were you promoted from within? If so, you should already understand how things work, but you'll need to quickly accustom yourself with the political realities of being a security leader.
Once you understand your starting point, there are four key questions you'll need to answer during your first 30 days on the job:
Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of "power" associated with your position will have a big impact on your ability to make changes.
Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you'll have a lot more political sway than if you're reporting to somebody lower down the food chain.
Question 3: What is the organization's tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization's risk tolerance — both culturally and what's needed to satisfy compliance — will help you determine the foundation of your security program's risk management and investment strategy.
Question 4: What is the organization's appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don't have much appetite for change, even if it's fashionable to claim "innovation" and "reactiveness" are part of the organization's DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn't.
Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:
- Ultimately linking to a framework people know will give your assessment credibility; and,
- Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.
The framework you choose will depend on your industry and geography. Since many frameworks are "control" focused, your maturity assessment may need to extend beyond just the bounds of those controls and include elements that are more strategic. For example, how you align to the business or your ability to get funding and resources allocated across the organization to improve controls outlined in the chosen framework.
Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised versus "the newbie" pointing out problems. If, for a variety of reasons, external assessments aren't possible due to a lack of resources or a company's predisposition against external assessments, you'll need to arrange for an assessment to be completed internally.
If an assessment was completed before you were hired, you will need to consider:
- What was the purpose of the assessment?
- Was it internal or external?
- Can you rate the quality of the assessors?
- Was it comprehensive and in line with an industry framework?
- Is there any discernible bias to the results?
Whatever happens, you'll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.
Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you'll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.
Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.
Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.