Landing a Chief Information Security Officer (CISO) position can be thrilling and, at the same time, overwhelming. Regardless of how the new position was secured, the first three months of a new security chief’s tenure are highly significant. As in any leadership position, how you begin can make or break that position. When you approach your new role with a strong strategy, you are bound to enjoy success.
The Role of a CISO
Though information and communication technology is one of the core aspects of cybersecurity, the role of the CISO goes beyond managing technology. The CISO wears several hats, and communication is a crucial skill. An effective CISO must be a good communicator, a manager and an effective leader.
The first 100 days in the life of a Chief Information Security Officer (CISO) are often considered the “honeymoon” period. Having a solid strategy, and then a plan, will lay the foundation for a strong security program as well as for a personal brand of credibility and leadership. There is no way around this: if you are to last in the new position beyond the first 100 days, you must be able to manage the daily emergencies and meet the organization’s expectations.
According to Tom Scholtz, vice president at the analyst firm Gartner, it is during this period that you establish your credibility and the perception that others will associate with your subsequent actions and plans. The first step is to build and preserve relationships with the major partners and influencers. The next step is to express and communicate your security agenda effectively. Then identify two essential projects that you can either complete or at least start in the first three months, and specify further projects to take on over the next twelve months.
Reality Vs Expectations
Most often, the reality a new CISO finds on arrival differs from expectations. A common complaint among CISOs is that what they find upon starting the new role and what they were promised during recruitment are two different things. A number of factors, on the part of both the organization and the CISO, may contribute to this disconnect. It is therefore expedient that both parties make an attempt to clarify misunderstandings and engage in some honest self-evaluation, with a focus on “broken promises”.
Trying to do too Much
One mistake to avoid is trying to do too much at once. The role of a CISO is demanding enough without adding to it. A CISO has to build and oversee the organization’s wide-ranging security function so that the organization is shielded from internal and external threats, demonstrate measurable ROI, and at the same time adopt strategies that align with the priorities of the key stakeholders and the organization’s business cycle.
Having a Negative Mindset
Avoid a fatalistic mindset, as it will weigh you down. Assuming that technical issues will always win out reduces your role to a mere firefighting approach. A defensive mindset only breeds defensive attitudes, which are difficult to overcome once they set in.
One of the biggest mistakes a new CISO can make is to blame his predecessors. Avoid the blame game as much as possible, as it sets a negative tone for your security program.
Things to Consider in order to Realize Big Wins in the First 100 Days
The following are tips for securing big wins in the first 100 days of being a security leader.
The more information you have about your new position, the better equipped you are to tackle challenges and emergencies. You do not have to wait until you officially start before preparing for the job; never approach a new role unprepared. Find out which security initiatives have worked in the past and which have not, and whether there have ever been cybersecurity breaches.
Assess the Organization and Risk Status
Take an inventory of the company’s overall security status, including its digital footprint, and run an early penetration test on the key systems. Establish direct lines of communication to build strong relationships. Find out what is working and what is not working in the organization’s security program. By gaining information about the organization’s vulnerabilities and threats, the CISO can take proactive measures to assess and tackle security challenges.
Start Developing your Security Plan
Make a rough draft or outline of your agenda for your first 100 days, incorporating all the information you have gathered. Share your knowledge with your team and hire additional resources if necessary. Ensure you have a team of experts who can cover your weaknesses. This is the time to strategize and establish your credibility as a security officer.
Act and Measure
Make smart decisions and act on them. This is the time to apply all that you have learnt and deliver visible results. Win the support of the board by actively engaging in board discussions, with a view to providing the information needed to ensure success. Highlight early wins and challenges, secure the participation of key partners and influencers, take part in existing projects, set budgets, and redefine your team. Furthermore, a CISO can find a mentor with relevant security leadership experience for guidance, or consult his predecessors.
The first 100 days of a CISO’s job can make or mar his success. No function in any large organization exists in a vacuum. If you are to get anything done as a CISO and realize big wins, you must align your security agenda with the priorities of the key stakeholders, the business cycle, and the budget cycle. Meaningful change may not necessarily begin in the first 100 days, but it will surely happen over time with proper planning, hard work, and leveraging the drivers in your security team.