Being the C-suite officer in charge of security requires handling significant pressure. Cybercriminals are thriving; in 2021, the average cost of a data breach rose 10% and there were 17% more data breaches than in 2020.
Whether you’re new to the role of Chief Information Security Officer (CISO) or a seasoned CISO at a new organization, it’s critical to make an impact in the first 90 days at the job. Your actions in the first 90 days will lay the groundwork for your tenure or failure.
It is easy to fall prey to Shiny Object Syndrome and tempting to knock out every high-visibility task on your to-do list so you look (and feel) as if you’re getting things done. But the surest way to pave a path to success is to methodically and thoughtfully make a 90-day plan and stick to it.
This nine-step, week-by-week roadmap will guide you through crafting a competent cybersecurity program, driving digital transformation at your organization and leveraging SaaS technology to accelerate business plans and reduce operating costs.
Weeks 1-3: Identify and Understand Business Risk
In the first three weeks of your employment, learn about the business – the whole business. Explore how it operates, where dispersed teams are located, how the company addresses its market and provides services and goods. This is your opportunity to develop a deep understanding of the organization’s go-to-market strategy and supply chain.
Set up as many meetings as you can with other C-suite executives, the board of directors, and other company leaders to gain intimate insights into their business functions and responsibilities. Meetings with other technology officers are also the best way to get a grip on the wider organizational tech stack.
In these first three exploratory weeks, gauge leadership’s willingness to shift left with security during the development cycle; shifting security left in the development lifecycle reduces costs and increases reliability by baking in security from the get-go.
Weeks 4-5: Get a Feel For the Organization’s Tech Processes and Begin Developing Your Team
Well-defined processes have a greater impact on cybersecurity than the tech stack does. In the fourth and fifth weeks of your new CISO role, meet with your team to learn about the processes in place, especially around project, incident and account lifecycle management.
Find out what’s working and what is not. Ask for any documented standards available and create a list of which processes and technologies lack documentation. Next, meet with other technology teams to identify which tech and processes overlap with your scope. Repeat the same exercise you did with your own team.
It’s also time to start getting to know your team well. Take one-on-one time to ascertain their career goals, and explore how you can help them meet those goals. Find out what training and professional development they’re interested in, what types of training the company has provided in the past, and then follow up with human resources to learn about career paths for your team’s growth.
This is a perfect time to discuss automation with your team members – they probably have ideas about where automation could benefit the organization.
Week 6: Build a Strategy
Now that you’ve gathered information, it’s time to plan. Build a strategy to:
- Meet the organization’s overarching business strategy, objectives and goals.
- Meet your staff’s career goals and objectives.
- Augment staff with automation, relieving them of repetitive, tedious tasks.
- Assess the cyber risks facing the organization holistically, as one critical gap analysis.
- Shift security left in the development lifecycle.
- Encourage SaaS adoption.
- Move all IT to a zero-trust architecture.
Week 7: Finalize Your Strategy and Begin Plan Implementation
It’s your seventh week, and your strategy and plan are good to go. Your next step is to run your strategy by your peers. Get feedback, be receptive to it, make adjustments, then present it to your executive committee for approval.
After it’s been approved, collaborate with the appropriate team(s) to identify tactics that will drive success. Collaboration is key here – it will cultivate rapport and help your new colleagues build trust in you. Then, start implementing your strategy.
Week 8: Get Agile
Transitioning your team to an Agile project management methodology will produce fast wins: working, functional deliverables early and often.
If your team is small, scrums will be appropriate and effective. If your organization already works on sprints, align your team’s sprint cycle with the engineering team’s duration. If no one else uses sprints, set your cycle to three-week sprints.
Week 9: Start Measuring and Reporting
You may or may not have access to historic reports when you start as a CISO. Either way, week nine is the right time to kickstart new benchmarks and a regular cycle of measuring and reporting back to your peers and to the executive committee.
Make sure to give credit to your staff and the other departments you work with! By nurturing the good will you established in your first several weeks, you’ll have stronger relationships with your colleagues – and that’s not a bad thing when you have to point out problems and gaps.
As your reporting becomes regular, start educating and communicating about cybersecurity to the whole organization. Encourage partnership, engagement, and celebrate successes rather than focusing on problems. Create a “security champions” program across departments in which your champions are encouraged to report when things go wrong and rewarded for engaging.
Week 10: Conduct a Thorough Pen Test
Penetration testing is how you will get some data on how bad things really are. You should plan for, schedule, and execute a thorough pen test (or red team exercise) of the infrastructure and applications.
Find a pen-test partner that follows either the PTES or OSSTMM 3 methodology for infrastructure testing and that uses the OWASP testing framework for each application.
Week 11: Get Moving on a Zero Trust Authentication Framework
Transitioning to a zero-trust authentication (ZTA) framework is a crucial step in your first 90 days as a CISO.
In a ZTA, no user is granted access by default; access is granted only once the user has been authenticated. A ZTA will enhance the security posture of your organization. The first step of your ZTA should be to begin sunsetting passwords wherever possible and transitioning to secure multi-factor authentication (MFA).
Week 12: Evaluate SaaS Providers
Starting your new CISO role by diving into buying guides and SaaS-vendor comparisons is tempting, but it makes much more sense to do this once you have a grasp of the company, your strategy, the existing tech stack and budgets.
When you begin evaluating SaaS providers, verify each prospective vendor’s compliance with the CSA CCM, its registration in the CSA STAR Alliance, or, at a minimum, a SOC 2 Type 2 attestation.
If you evaluate vendors that do not meet these criteria, you will need to develop a thorough program to evaluate their security. It’s critical to evaluate SaaS vendors against objective, third-party assessments and not simply the vendor’s shiniest marketing efforts.
90 Days Down
Following this roadmap will help you reach your 90th day with a solid foundation: a functioning cybersecurity team, data baselines for repeatable reporting, trust and rapport with new colleagues and teams, a list of opportunities for digital transformation, and an intimate understanding of most facets of the organization.
Congratulations on your first 90 days!
About the author:
Eyal Gruner is the Co-founder and CEO of Cynet