Developing a security function during a CISO's first 100 days

This blog post was authored by Ryan Edison - Director, Security and Privacy and David Jacobs - Senior Manager, Security and Privacy on Protiviti's technology insights blog.

Evolving threats and rising personal-liability considerations for cybersecurity leaders make the CISO role a challenging but rewarding position. The CISO must contend with increasingly sophisticated attacks, potential geopolitical adversaries and the material impact cybersecurity can have on organisational value. Whether a first-time CISO or a seasoned cybersecurity executive, the first 100 days of a CISO's tenure are critically important to setting up the role for success.

In planning for the first day in the new role, take the time to grasp the company's culture, values and initiatives. Understand how the company operates and what distinguishes it from its peers. These inputs help ensure security is aligned to support and enable the business's goals and objectives.

Meet the team

CISOs must prioritise meeting with key leadership and business stakeholders early on to understand their perspectives on how well security is addressing the business challenges they face. Questions to ask during these discussions should include:

What key factors does the business rely on to generate value for customers and shareholders?
What are the key business priorities over the next three to five years?
How well has security historically been aligned with these priorities?
What business challenges does each department, and the organisation as a whole, face?
Are there any current initiatives, projects or immediate needs the security team could support?

During this time, we also recommend examining information on prior cyber incidents, including details that were not reported publicly or that are privileged.
Seek to understand how incidents occurred, evaluate how timely and effective detection and response were, what impacts to the organisation were identified, and how lessons learned have been implemented to mitigate similar threats in the future and improve the cybersecurity program's maturity.

As CISOs learn more about the organisation and appreciate the perspective of their peers in the C-suite, it is equally important to balance this understanding with that of their security team. CISOs should take the time to listen to their team, encourage open feedback, and explain their expectations as a new leader clearly and openly. They must focus on developing rapport and avoiding ambiguity. CISOs will need to rely on their team to develop their understanding of the organisation's cybersecurity priorities, as the team holds historical knowledge and perspectives that cannot be ignored. The security team's buy-in will be essential to success.

Assessing capabilities and communicating risks

One of the next steps we recommend is assessing the maturity of the security program along with its capabilities. Evaluate existing security policies and procedures. Assess program capabilities by analysing the people, processes and technology used to meet security objectives. Confirm whether policies and procedures match the implemented capability, and note where they do not, to understand the strength of governance. If stepping into the role at an organisation with a mature security program, analyse the existing program, current strategies and roadmaps to determine whether the program's trajectory is in line with the organisation's vision and management goals.

When evaluating the tools and technology in use, determine whether they are properly implemented, aligned with and able to meet security objectives, and able to scale or adapt to emerging cyber threats.
A thorough review of staffing levels and the capabilities of existing resources will also show the strengths of the program and help identify gaps. We also recommend assessing maturity against an industry-accepted framework and then aligning the ongoing development of the cybersecurity program with the selected framework.

During the first 100 days, it is essential to understand the current state of compliance with applicable regulations and contractual obligations. Collaborating with legal counsel and compliance experts within the organisation can provide valuable insight. CISOs should also remain informed of proposed legislation and industry-specific developments that could affect future compliance obligations. Engagement with industry associations, participation in relevant forums and open communication channels with regulatory bodies are essential in this role. A proactive stance and a culture of compliance will position the organisation to adapt swiftly to evolving legal and regulatory requirements and to sustain a robust cybersecurity strategy.

Considering the SEC's recent charges against SolarWinds and its CISO, it is important for the CISO to establish a clear and comprehensive risk communication strategy. CISOs should also consider their role and the potential personal liability associated with it. Ensure there is a clear and formalised methodology for classifying and communicating risk. Give special consideration to how vulnerabilities and business threats are identified and documented, and to strict policies and protocols for maintaining and distributing that documentation. If the business lacks an up-to-date risk assessment or risk register, addressing this gap should be at the top of the CISO's to-do list.

Developing a plan

Depending on the size of the organisation, the time required to complete the tasks discussed may extend beyond a CISO's first 100 days.
Work with leadership to develop realistic timelines and expectations that lead to a holistic strategy. An initial maturity assessment must soon be followed by a roadmap calibrated to capabilities, risks and enterprise objectives. The security roadmap should outline the initiatives designed to remediate identified security gaps and support the company's immediate, tactical and long-term strategic objectives. It must include actionable plans with milestones, timelines, identified owners and resource assignments. CISOs should obtain input from their team and collaborate with peers and key stakeholders outside technology and security in developing the plan. The roadmap should be reviewed by executive leadership, and by the board where appropriate, to secure their support. The goal of leadership exposure is to provide transparency and establish commitment to the budget and resources required to accomplish the program's goals. If the organisation cannot make the necessary resource commitments, an honest, risk-based discussion with leadership about the trade-offs required to deliver the program with the resources provided will be necessary.

Management expert Peter Drucker is often credited with the saying, "What gets measured gets managed." As CISOs develop plans and roadmaps, it is imperative to define the program's success criteria and the KPIs that will be measured and reported on early in the process. Determining measurements will not only help in monitoring and reporting on program performance but will also provide the basis for deciding which actions to take to keep roadmap initiatives progressing.

It is also critical that the CISO quickly builds a feedback loop with stakeholders to keep the program on course. This collaborative tone should be set from the start. Remember that a changing business environment, technological advances, unanticipated constraints and evolving conditions will require adjustments to the plan.
Maintaining flexibility, staying up to date on technology and industry developments, keeping an eye on business objectives, communicating regularly with the security team and stakeholders across the organisation, and documenting key decisions will help CISOs navigate the turbulent waters of today's environment. Governance functions, when implemented effectively, optimise the cybersecurity maturity of the organisation.

Finally, consider that CISOs are as much technical leaders of cybersecurity as they are partners with the business in enabling the organisation's goals. The most effective CISOs understand the balance required. Remember that the average tenure of a CISO is less than three years, so time is of the essence to set the right tone from day one.

To learn more about our cybersecurity solutions, contact us.