Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2019
02:00 PM
John Hellickson
John Hellickson
Commentary
50%
50%

Navigating Your First Month as a New CISO

The single most important thing you can do is to start building the relationships and political capital you'll need to run your security program. Here's how.

In any new job, it's important to assess the lay of the land. But when you start a new CISO role — whether it's your first or fifth — there's more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.

Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.

Alternatively, were you promoted from within? If so, you should already understand how things work, but you'll need to quickly accustom yourself with the political realities of being a security leader.

Once you understand your starting point, there are four key questions you'll need to answer during your first 30 days on the job:

Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of "power" associated with your position will have a big impact on your ability to make changes.

Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you'll have a lot more political sway than if you're reporting to somebody lower down the food chain.

Question 3: What is the organization's tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization's risk tolerance — both culturally and what's needed to satisfy compliance — will help you determine the foundation of your security program's risk management and investment strategy.

Question 4: What is the organization's appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don't have much appetite for change, even if it's fashionable to claim "innovation" and "reactiveness" are part of the organization's DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn't.

Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:

  • Ultimately linking to a framework people know will give your assessment credibility; and,
  • Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.

The framework you choose will depend on your industry and geography. Since many frameworks are "control" focused, your maturity assessment may need to extend beyond just the bounds of those controls and include elements that are more strategic. For example, how you align to the business or your ability to get funding and resources allocated across the organization to improve controls outlined in the chosen framework.

Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised versus "the newbie" pointing out problems. If, for a variety of reasons, external assessments aren't possible due to a lack of resources or a company's predisposition against external assessments, you'll need to arrange for an assessment to be completed internally.

If an assessment was completed before you were hired, you will need to consider:

  • What was the purpose of the assessment?
  • Was it internal or external?
  • Can you rate the quality of the assessors?
  • Was it comprehensive and in line with an industry framework?
  • Is there any discernible bias to the results?

Whatever happens, you'll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.

Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you'll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.

Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.

Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Disruptive Trends Transforming Cybersecurity."

John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.