Nailing your First 100 Days in a CISO role
The chief information security officer, or CISO, has become a key player within most executive teams. CISOs are now closely involved in strategic decision-making, including shaping product road maps, complying with a raft of regulations and ensuring the business securely embraces digital transformation, while assuring the board, clients and investors that cyber capabilities are fit for purpose.
While the benefits of the CISO function are well documented – including soaring remuneration, access to the board and engagement in a range of mission-critical decisions – the role is also challenging, fast-paced and demanding. Several studies report that most CISOs are constantly stressed, that many last barely 18 months in the role, and that some feel their messages continually fall on deaf ears.
The road to the CISO role isn’t linear. Many have risen through the ranks of the information security disciplines, often from engineering and network security backgrounds, while others enter the profession via an alternative route, such as technology risk, legal, IT or program management. Wherever they come from, it’s rare to reach the role of CISO without some preconceptions built up over the course of a career.
To maximize their chances of success, new CISOs must hit the ground running, deliver some critical capabilities and secure the trust of key stakeholders. To do so, the CISO must develop a strong grasp of the enterprise’s critical risks and capabilities, and of the other hurdles that may delay or impede change. Based on our experience training aspiring and experienced CISOs through the Cyber Leadership Institute, CISOs lose credibility, or worse, get fired, for making terrible purchasing decisions, failing to spot critical blind spots, souring relationships with influential executives or falling victim to an avoidable data breach. That is why we at the Cyber Leadership Institute have developed a detailed framework for making the best use of your first 100 days as CISO while identifying and overcoming issues. This framework has been used with wide success by several Cyber Leadership Institute alumni.
The SUPER acronym provides a framework for each phase of a CISO’s first 100 days. Note that the phases overlap: the day ranges below are indicative, not sequential.
PHASE 1: S – START-UP Days 0-15
Before starting the role, prepare thoroughly by conducting company research, reading annual reports, investigating whether there are headline breaches related to the company and exploring the executive team’s critical members.
PHASE 2: U – UNDERSTAND Days 0-45
Meet with important stakeholders to learn about the business, issues and areas with room for improvement. Examine board reports, assessments, audit findings, existing strategy documents, policies, and metrics to understand critical risks and issues. Amanda Fennell, CSO at Relativity[i], agrees, recommending new CISOs study the new environment carefully to identify what works and what doesn’t.
PHASE 3: P – PRIORITIZE Days 15-60
Identify both the quick wins and the complex capabilities that take time to roll out. That way, you can rapidly build credibility with key stakeholders while giving yourself enough time to plan more complex initiatives. Tom Scholtz[ii], research vice president at Gartner, suggests identifying two projects that you can complete, or show meaningful progress on, in the first three months. Once you have identified the low-hanging fruit, develop a plan and enlist the buy-in of your manager, team and key stakeholders. Remain open to feedback and refine the plan as new information emerges.
PHASE 4: E – EXECUTE Days 30-80
Deliver on some of the quick wins you have identified. Put in place agreed plans to address some of the longer-term issues. Organize your team by creating security team roles and responsibilities, setting up your management system, and ensuring governance effectiveness.
PHASE 5: R – RESULTS Days 45-100
Re-confirm the key actions you are taking, report the progress made, and identify where you need your key stakeholders’ help and feedback. Complete an executive assessment report of critical risks and issues. Our CISO Playbook: First 100 Days, Setting the CISO up for Success, developed here at the Cyber Leadership Institute, details these phases further and includes a day-by-day guide to your first 100 days.
BEFORE “DAY ZERO” – PREPARE THOROUGHLY
To thrive in their roles, CISOs today must combine strong soft skills with a solid understanding of the technical environment and the digital transformation roadmap. As the Harvard Business Review[iii] (HBR) states, CISOs must be fluent in both business strategy and technology. Establishing and maintaining effective lines of communication with a myriad of stakeholders and departments is critical to a CISO’s success. Our 100-day plan framework will only be useful if you can communicate it effectively.
To successfully execute the new strategy and program of work, the CISO must gain unwavering executive cooperation. The Cyber Leadership Institute helps emerging CISOs and new cyber executives sharpen their influencing, negotiation, communication and strategy design skills through intensive training packages, mentorship and ongoing support. Our Cyber Leadership Program has been designed to help new CISOs hit the ground running and excel in their roles.
Learning about the company, both during the interview stage and once in the role, is essential to success. To understand the core values of the company and achievable goals:
- Begin with the organizational mission statement (its core reason for existence).
- Learn about organizational core activities, products, services, research and development, intellectual property, and mergers and acquisitions plans.
- Research publicly available information such as the company annual report, financial statements, press releases, news, audit statements, data breaches, patents, executive leadership team, and Board of Directors.
This vital information will help you develop a high-impact, cost-effective and, most importantly, business-centred cyber transformation strategy.
Once appointed, take time to get to know everyone in the team. Understanding their personalities, quirks, concerns and goals will help you understand how they work. Beyond the team, foster good relationships with everyone you will have regular contact with: the business, IT teams, the C-suite, external partners and agencies, sales and marketing, auditors, board members, members of the public, and so on. Understanding how each of these stakeholders contributes to company goals will help you prioritize the high-influence, high-interest stakeholders.
The most crucial step is to gain top-down support. CISOs are a strategic and integral part of the business management team and need to secure buy-in from the board of directors. According to Forbes[iv], “the Board has a fiduciary obligation to protect shareholder value, so the Board needs to take security seriously.” By establishing strong working relationships with key executives and the board, the CISO gains the support needed to get budgets approved and critical initiatives prioritized.
LEADERSHIP AND TEAM
It is essential to meet the whole team in the very early days of a CISO role. Ideally, these meetings should be 1-to-1 and face-to-face, followed by a team meeting. Start with direct reports and, depending on the size of the team, try to meet as many people as possible. These meetings will surface any unrest, help you address it, and show you what is going well.
The CISO will need to evaluate the team. Go in and shake the tree, but always take a measured approach: hasty action compromises trust and credibility and may cost you valuable team members. Every team has some excellent, some average and some unsatisfactory people, and every team has its own dynamics and habitual ways of working. Our checklist can help structure decision-making:
- Competence – Does this person have the technical skills and experience to do the job well?
- Judgement – Does this person exercise sound judgement under pressure or when faced with sacrifice for the greater good?
- Energy – Does this team member bring the right kind of energy to the job? Or is he/she disengaged, burnt out or unfulfilled?
- Focus – Does this person get along well with other team members, supporting team decisions?
- Trust – Can this person be trusted to be honest, consistent and reliable?
Establish a team management system that records the regular meetings each person attends, the reports they produce, and the projects and deliverables for which they are accountable.
DEFINE THE IMPORTANCE OF CYBERSECURITY
Consumers care about their security, personal data and privacy more than ever before, and customers change their behaviour when a company suffers a successful cyber-attack. Recent research conducted in the US, UK, France and Germany suggests that 78% of participants would stop shopping online with a brand that has been breached, and 36% would stop engaging with the brand both online and offline.
The damage from a breach extends beyond lost sales to the loss of the brand support and promotion that come from positive customer interaction and engagement on social media. To quickly position themselves as business-centred executives, CISOs must develop a cyber resilience strategy focused on doing the right thing, not necessarily what is easy. That means working closely with new product development teams and key customer segments, and balancing consumer privacy against digital experience. In sum, the CISO must shape and push the narrative that cybersecurity is not merely a compliance matter but a critical business enabler that underpins long-term brand value, stock performance and profitability.
ASSESSING RISK, KNOWING THE ISSUES AND MEASURING CAPABILITIES
During the first 100 days, CISOs should perform a high-level capability maturity self-assessment and define the organization’s most plausible cyber risk scenarios. There is unlikely to be time for a full threat-scenario-based cyber risk assessment in the first 100 days, but the CISO must make the case for one and explain how it will be conducted as part of the overall strategy. The initial executive report must also make clear the need for a more thorough independent third-party assessment of maturity against an industry standard such as the NIST Cybersecurity Framework, benchmarked against similar peer organizations.
The end-of-100-days report should be able to answer the following questions:
- How well protected is the organization? What is our capability maturity?
- What are our most plausible threats / cyber risk scenarios?
- What risks could have the most significant negative impact on the organization, should they materialise?
- What will it take to improve the organization’s security posture?
- How can the effectiveness of investments be measured?
- What is the anticipated ROI for security investments?
- What will the organization risk if nothing changes?
- What is required from the Board to be successful?
- What is being done well, and how can this be preserved during change?
NO ONE SIZE FITS ALL CISO
A new CISO must immediately assess the organization’s commitment to cyber resilience. One indicator, and a question worth asking at the interview stage, is to whom the CISO will report: directly to the CEO, or to the CIO, COO or CRO? The direction of execution, and its potential effectiveness, depends on the level of empowerment and on the reporting line. Regardless of whom the CISO reports to, a charter with clear principles should be drawn up, approved by the CEO and shared with the Board during the first 100 days.
BE READY TO RESPOND TO MAJOR CYBER INCIDENT OR CRISIS
Cyber incidents are inevitable, and a significant breach could occur during the first 100 days. The Executive Team and Board will look to the CISO for assurance and control. Running cyber-simulation exercises helps assess the team’s incident management capability by showing how the organization actually responds, and also raises awareness of the impact a major security breach can have on the business. Equally important, the CISO should consider purchasing a cyber incident response retainer, which assures prompt access to experienced cyber threat responders while the organization matures its own capabilities.
SO, WHAT CAN A CISO DO TO PREPARE FOR THE ROLE AND PROTECT THEMSELVES?
Here are five top tips:
- First, get off on the right foot. Develop a 100-day plan like the one suggested in our 100 Days playbook; it provides structure and an effective communications tool for all your key stakeholders.
- Know your scope and your boundaries, plus where you can break [the business] and where you can add value.
- Take time to get to know key stakeholders and to understand the business: how it makes money, its customers and its priorities.
- Make it real for executives by using benchmarks and maturity assessments to show how the company stacks up against competitors and best practice. Establish which assets they really care about, i.e. the Crown Jewels (for a more detailed analysis of this area, refer to our separate CISO Playbook: Protecting the Crown Jewels), who the most likely threat actors are, and the critical few things they must accelerate (cyber hygiene factors). If they understand it and it challenges them, they can tell you their risk appetite.
- And finally, register with the Cyber Leadership Program, gain valuable insights from mentors and gain free access to tools, templates and much more.
[iii] https://hbr.org/resources/pdfs/comm/pwc/Evolvingtheciso.pdf
[iv] https://www.forbes.com/sites/tonybradley/2015/01/22/7-ceos-share-why-cisos-need-to-be-involved-in-the-boardroom/?sh=55af51d2e0ad