Developing a security function during a CISO’s first 100 days

Meet the team

CISO’s must prioritise meeting with key leadership and business stakeholders early on to understand their perspectives on how well security is addressing the business challenges they face. Questions to ask during these discussions should include:

• What key factors does the business rely on to generate value for customers and shareholders?
• What are the key business priorities over the next three to five years?
• How well has security been historically aligned with these priorities?
• What business challenges does each department and the organisation face?
• Are there any current initiatives, projects or immediate needs the security team could support?

During this time, we also recommend examining information on prior cyber incidents, including details not reported to the public or privileged information. Seek to understand how incidents occurred, evaluate how timely and effective the detection and response capabilities were, what impacts to the organisation were identified and how lessons learned have been implemented to mitigate similar threats in the future and improve the cybersecurity program’s maturity.

As CISOs learn more about the organisation and appreciate the perspective of their peers in the C-suite, it is equally important to balance this understanding with that of their security team. CISOs should take the time to listen to their team, encourage open feedback, and explain their expectations as a new leader clearly and openly. They must focus on developing rapport and avoiding ambiguity. CISOs will need to leverage their team to develop their understanding of cybersecurity priorities for the organisation, as they possess important historical knowledge and perspectives that cannot be ignored. The security team’s buy-in will be essential to success.

Assessing capabilities and communicating risks

One of the next steps we recommend is assessing the level of maturity of the security program along with its capabilities. Evaluate existing security policies and procedures. Assess program capabilities by analysing the people, processes and technology used to meet security objectives. Confirm if policies and procedures match the implemented capability (and where it does not) to understand the strength of governance. If stepping into the role at an organisation with a mature security program, analyse and understand the existing program, current strategies and roadmaps to determine if the program’s current trajectory is in line with the organisation’s vision and management goals.

When evaluating the tools and technology in use, determine whether they are properly implemented, aligned with and able to meet security objectives, and can scale or adapt to the latest emerging cyber threats. A thorough review of staffing levels and capabilities of existing resources will also show the strengths of the program and help identify gaps. We also recommend assessing the maturity against an industry-accepted framework and subsequently aligning with the selected framework in on-going development of the cybersecurity program.

During the first 100 days, it is essential to understand the current state of compliance with applicable regulations and contractual obligations. Collaborating with legal counsel and compliance experts within the organisation can provide valuable insights. CISOs should also remain informed of proposed legislation and industry-specific developments that could affect future compliance obligations. Engagement with industry associations, participation in relevant forums and maintaining open communication channels with regulatory bodies are essential in this role. Maintaining a proactive stance and fostering a culture of compliance will position the organisation to adapt swiftly to evolving legal and regulatory requirements, ensuring a robust cybersecurity strategy that stands the test of time.

Considering the SEC’s recent charges against SolarWinds and their CISO, it is important for the CISO to establish a clear and comprehensive risk communication strategy. CISOs should also consider their role and the potential personal liability associated with it. Ensure there is a clear and formalised methodology for classifying and communicating risk. Special consideration should be given to identifying vulnerabilities, business threats and strict policies and protocols for maintaining and distributing this documentation. If the business lacks an updated risk assessment or risk registry, addressing this gap should be at the top of the CISO’s to do list.

Developing a plan

Depending on the size of the organisation, the time required to complete the tasks discussed may extend beyond a CISO’s first 100 days. Work with leadership to develop realistic timelines and expectations that lead to a holistic strategy. An initial maturity assessment must soon be followed by a roadmap calibrated to capabilities, risks and enterprise objectives. The security roadmap should outline the initiatives designed to remediate identified security gaps and support the company’s immediate, tactical, and long-term strategic objectives. This roadmap must include actionable plans with milestones, timelines, identified owners and resource assignments. CISOs should obtain input from their team and collaborate with peers and key stakeholders outside of technology and security in developing the plan. The roadmap should be reviewed by executive leadership, and in some cases the board as deemed appropriate, to ensure their support. The goal of leadership exposure should be to provide transparency and establish commitment to the budget and resources required to accomplish the program’s goals. If the necessary resource commitments cannot be made by the organisation, having an honest, risk-based discussion with leadership on the tradeoffs that will be made to deliver the program with the resources provided will be necessary.

Management expert Peter Drucker once said, “What gets measured gets managed.” As CISOs develop plans and roadmaps, it is imperative to think about the program’s success criteria and the KPIs that will be measured and reported on early in the process. Determining measurements will not only help in monitoring and reporting on program performance but will also provide the basis for determining actions to take to manage the progression of roadmap initiatives.

It is also critical that the CISO quickly builds a feedback loop from stakeholders to keep the program on course. This collaborative tone should be set from the start. Remember that a changing business environment, technological advances, unanticipated constraints and evolving conditions will require adjustments to the plan. Maintaining flexibility, staying up to date on technology and industry developments, keeping an eye on business objectives, communicating regularly with the security team and stakeholders across the organisation, and documenting key decisions will help CISOs navigate the turbulent waters of today’s environment. Governance functions, when implemented effectively, optimise the cybersecurity maturity of the organisation.

Finally, consider that CISOs are as much technical leaders of cybersecurity as they are partners with the business to enable the goals of the organisation. The most effective CISOs understand the balance required. Remember that the average lifespan of a typical CISO lasts less than three years, so time is of the essence to set the right tone from day one.

To learn more about our cybersecurity solutions, contact us.