Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2019
02:00 PM
John Hellickson
John Hellickson
Commentary
50%
50%

Navigating Your First Month as a New CISO

The single most important thing you can do is to start building the relationships and political capital you'll need to run your security program. Here's how.

In any new job, it's important to assess the lay of the land. But when you start a new CISO role — whether it's your first or fifth — there's more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.

Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.

Alternatively, were you promoted from within? If so, you should already understand how things work, but you'll need to quickly accustom yourself with the political realities of being a security leader.

Once you understand your starting point, there are four key questions you'll need to answer during your first 30 days on the job:

Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of "power" associated with your position will have a big impact on your ability to make changes.

Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you'll have a lot more political sway than if you're reporting to somebody lower down the food chain.

Question 3: What is the organization's tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization's risk tolerance — both culturally and what's needed to satisfy compliance — will help you determine the foundation of your security program's risk management and investment strategy.

Question 4: What is the organization's appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don't have much appetite for change, even if it's fashionable to claim "innovation" and "reactiveness" are part of the organization's DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn't.

Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:

  • Ultimately linking to a framework people know will give your assessment credibility; and,
  • Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.

The framework you choose will depend on your industry and geography. Since many frameworks are "control" focused, your maturity assessment may need to extend beyond just the bounds of those controls and include elements that are more strategic. For example, how you align to the business or your ability to get funding and resources allocated across the organization to improve controls outlined in the chosen framework.

Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised versus "the newbie" pointing out problems. If, for a variety of reasons, external assessments aren't possible due to a lack of resources or a company's predisposition against external assessments, you'll need to arrange for an assessment to be completed internally.

If an assessment was completed before you were hired, you will need to consider:

  • What was the purpose of the assessment?
  • Was it internal or external?
  • Can you rate the quality of the assessors?
  • Was it comprehensive and in line with an industry framework?
  • Is there any discernible bias to the results?

Whatever happens, you'll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.

Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you'll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.

Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.

Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Disruptive Trends Transforming Cybersecurity."

John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.