A CISO’s First 100 Days: Finding Champions and Building Relationships

It’s our good fortune to have an abundance of information security expertise at Protiviti, and it’s even better when we assemble these experts to share their experiences. In this first of a three-blog series, we discuss the early days of a CISO’s transition into a new leadership role. We will:

- Identify the relationships with the business, IT, and the security and privacy teams that are crucial to the new CISO’s success, and describe approaches for building those relationships.
- Examine the drivers for CISOs establishing meaningful organisational relationships and explore the major factors influencing the new CISO’s actions.
- Describe the activities that make CISOs effective early on, enabling the quick wins that convey competence and confidence.

For security leaders, trust is paramount

Trusting relationships bring influence, credibility, political capital — and the information CISOs need to be effective. They are the means by which CISOs gain support from subordinates, peers and superiors. They help CISOs master the inside story: organisational politics, history, and what has driven the organisation’s success to date.

Building relationships requires preparation and calls for particular skills, tactics and patience. It can start with getting to know colleagues and the team before even meeting them: research their professional experience and learn their affiliations and interests. Once on the job, ask questions shaped by that research. Then really listen to the answers to uncover individual concerns, temperaments, peeves and ambitions, and identify the commonalities that strengthen partnerships. This approach works for all the connections made in these important early days.
Building a solid information security team

It’s critical to begin by assessing the team’s capability and delivery strengths and weaknesses, which includes identifying processes that need improvement. Doing this while prioritising initial objectives and defining the role ultimately enables the CISO to build a highly skilled team that is responsive to the organisation’s needs.

With a leadership change, some employees may consider resigning, especially those who had close and trusted relationships with the predecessor. Conversely, some employees may not have had a trusted relationship with the predecessor, or may not have been motivated to perform at the top of their game. These situations call for candid discussions and early attention. Beyond knowing staff members’ attitudes and performance, learning the opinions and aspirations of all security employees is a necessary and healthy process, and it is one of the best initial steps a new CISO can take to understand the drivers of the new organisation.

Get to know the team as a group. Observe how they relate to one another and note where the alliances and rivalries are. It is equally important to know team members individually; one-on-one conversations typically uncover information people won’t voice in a group. Take care of the team and make sure they know their success is supported. Be honest and transparent when providing feedback, and strive for an objective perspective while managing performance. Listen to what they say and seek opportunities to communicate frequently. The timing of these conversations matters, as leadership changes can be unsettling for employees, so move quickly to ensure the best and brightest feel they are being heard and know they are essential to the future of the programme. In the same spirit, be quick to identify employees who could culturally detract from the team.

The Chief Information Officer

The CISO’s responsibilities are complementary to those of the CIO.
While the CIO seeks to keep technology up and running, remotely accessible and aligned with the business’ rapidly changing needs, the CISO secures the technology, protects sensitive assets and manages risk in an ever-changing threat landscape. The CIO will likely have established many of the same relationships the CISO needs in order to succeed, so this individual can facilitate those relationships and help the CISO navigate the organisation. The relationship with the CIO is crucial whether or not the CISO reports to this individual. Take time early on to build the relationship in a thoughtful way. Encourage the CIO to share their take on people and situations, but develop relationships independently.

The Board

Boards differ from one organisation to another in how they relate to the CISO. Some boards don’t interact with a new CISO until a security event is in progress. At some point, however, board interaction will happen, especially if the previous CISO met with board members regularly. Take full advantage of the time before meeting the board to develop a clear understanding of the organisation, develop its risk profile and perform an assessment. Meet with other board-facing executives who can help you understand board personalities, style and expectations, and who can define what works and what to avoid with the board. This is a far more favourable circumstance than meeting the board for the first time during a security incident, when the emphasis is on describing the event and what is being done about it, while also, most likely, asking for resources. That is a tough sell to an unfamiliar board; it is better to build trust first. If possible, get acquainted with individual board members by meeting one-on-one. Assess their familiarity with the current information security and risk landscape, and discover what expertise and perspectives they might bring to incident planning.

The business leaders

To align the information security programme with the business, first understand the business.
It’s important to engage business leaders early on to learn the organisation’s priorities. Identify the key drivers and key business processes, the go-to-market strategy, how each business unit generates value and what that value is (revenue, shareholder value, etc.). Use this information to articulate how key business assets and processes will be protected against cyber threats; this is how CISOs gain influence and justify investments in security programmes.

The Chief Financial Officer

The CFO likely knows that breaches result in significant financial loss and reputational damage, and should influence the sponsorship of information security programmes. Investing in this relationship will earn support in shaping business cases for security initiatives. Finance staff can help quantify security benefits in financial terms, such as minimising losses and supporting business strategies.

The internal audit team

Auditors understand business processes and risk, organisational culture and dynamics. This expertise alone makes them key allies for the CISO. This team will have a significant influence on the CISO team’s activities as it performs its internal audits, so it is important to develop strong relationships in order to work through any differences that may arise. Moreover, auditors interact with the board as participants in the audit committee, so they can provide coaching on effective approaches to board updates.

The General Counsel

The general counsel often takes point in breach response and investigation and will handle any litigation arising from a breach. They participate in compliance programmes, and they guide public disclosure communications as well. They can therefore provide guidance to the CISO and take a significant role in defending the organisation against threats. For all of these reasons, they are powerful allies for a new CISO.
The Chief Risk Officer

The CRO’s role is synergistic with the CISO’s because both participate in managing risk across the organisation. CROs typically select the organisation’s cyber insurance, and that choice constrains the selection of third-party incident response teams. Prioritise this partnership before an adverse incident or threat becomes its proving ground.

Getting ahead early on

Trusting relationships are important to a CISO’s influence and credibility, and they provide the organisational knowledge new CISOs need to prove themselves fast. Before, during and after any security incident, new CISOs will need these allies for support, information and resources. Getting to know the concerns, personalities and drivers of stakeholders and partners, then listening and responding to their needs, are proven ways to build the trust that helps CISOs get ahead — ahead of time.

In our next post, we’ll explore how a predecessor’s reason for leaving the organisation can help establish priorities for a CISO’s first days. We’ll follow that with our third and final post on a CISO’s early days, describing the actions that secure quick wins. To learn more about our CISO Next programme, contact us.