Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/1/2019
02:00 PM
John Hellickson
John Hellickson
Commentary
50%
50%

Navigating Your First Month as a New CISO

The single most important thing you can do is to start building the relationships and political capital you'll need to run your security program. Here's how.

In any new job, it's important to assess the lay of the land. But when you start a new CISO role — whether it's your first or fifth — there's more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.

Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.

Alternatively, were you promoted from within? If so, you should already understand how things work, but you'll need to quickly accustom yourself with the political realities of being a security leader.

Once you understand your starting point, there are four key questions you'll need to answer during your first 30 days on the job:

Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of "power" associated with your position will have a big impact on your ability to make changes.

Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you'll have a lot more political sway than if you're reporting to somebody lower down the food chain.

Question 3: What is the organization's tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization's risk tolerance — both culturally and what's needed to satisfy compliance — will help you determine the foundation of your security program's risk management and investment strategy.

Question 4: What is the organization's appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don't have much appetite for change, even if it's fashionable to claim "innovation" and "reactiveness" are part of the organization's DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn't.

Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:

  • Ultimately linking to a framework people know will give your assessment credibility; and,
  • Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.

The framework you choose will depend on your industry and geography. Since many frameworks are "control" focused, your maturity assessment may need to extend beyond just the bounds of those controls and include elements that are more strategic. For example, how you align to the business or your ability to get funding and resources allocated across the organization to improve controls outlined in the chosen framework.

Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised versus "the newbie" pointing out problems. If, for a variety of reasons, external assessments aren't possible due to a lack of resources or a company's predisposition against external assessments, you'll need to arrange for an assessment to be completed internally.

If an assessment was completed before you were hired, you will need to consider:

  • What was the purpose of the assessment?
  • Was it internal or external?
  • Can you rate the quality of the assessors?
  • Was it comprehensive and in line with an industry framework?
  • Is there any discernible bias to the results?

Whatever happens, you'll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.

Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you'll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.

Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.

Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Disruptive Trends Transforming Cybersecurity."

John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13817
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
CVE-2020-13818
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
CVE-2020-6640
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
CVE-2020-9292
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
CVE-2019-16150
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...