Alyned Thinking

Why new thinking is needed and how we are putting our expertise to work.

How to succeed as a new CISO – Part 2


A couple of months ago, I gave you an overview of some origin stories that might influence your experience and personal development. Now it is time for part 2 of the article series, which gives you battle-tested tips for the different time frames of the job: what questions to ask before accepting the position, how to prepare before starting, how to survive your first week, month, 100 days and year, and how to build a strategic plan for the next 3 years.

Before you start

If you are still negotiating the position, or have not yet had the job interview, ask these questions before accepting:

  • What are the main priorities of the organization?
  • How is the security function organized, and what are its reporting lines?
  • Why is the position vacant right now? (Replacement of a predecessor, or a newly created position?)
  • How is the budget process structured?

Before the job interviews, do your homework and acquire some knowledge about the company's industry and sector. It is crucial that you understand the business priorities the company may have, because your security agenda will have to be argued in those terms.

Your first week

As soon as you start the job, you will have access to all the important internal information. Use those first days well: during this time, no one will bother you too much. If your predecessor is still at the firm for a handover, use the opportunity to gather information about the current situation, ongoing projects and the important stakeholders.

If there is an existing security team, introduce yourself and take the time to talk to each team member individually. Also read all, or at least a large share, of the existing documentation, and look through the shared folders and SharePoint sites where it lives.

Your first month

… is the time to build relationships and to network in your new company. Even if you are not new to the company, do this thoroughly, because you will need new allies, and your relationships with colleagues you already know well may change with your new role. Here are some positions and departments that are worth visiting for a coffee or a quick chat:

  • IT Manager/ CIO
  • Data protection
  • Legal department
  • Corporate communications and the corresponding PR officer
  • Customer Service
  • Internal Audit
  • Human Resources
  • Works council
  • Facility Management (or the department that is responsible for physical security)
  • Executive assistants to relevant board members

The first 100 days

As in politics, the first 100 days are meant for strategic planning. First, assess the current situation against established standards, such as ISO certifications, or with benchmarking tools for cyber maturity (as long as you can start the assessment quickly without much preparation). Identify the crown jewels right away, meaning the business units with the highest protection requirements. Look at these in depth, find out all the crucial dependencies they rely on (IT systems, suppliers, office locations) and run cyber maturity checks on them. That is how you collect the important technical and organisational gaps.

Group these gaps into topics and, where possible, into interrelated projects. Illustrate the dependencies and prioritise the topics: the main risks go first, together with the measures that address as many different risks as possible, so that you start with the highest return on investment. This will be your strategic 3-year plan and the core of your information security agenda.

Have the management board sign off on the risk assessment and the mitigation actions, and request clear, well-documented statements of which risks they accept. Then communicate your plan to all affected colleagues.

The first year

Now you have to start the projects you have planned. I strongly suggest that you do not overburden yourself. Even if you have no problem obtaining enough budget (if your risk argumentation is conclusive, that should not be a problem), you and your team have only a limited amount of 'horsepower' that you can put on the road. Security projects can also be very painful for the rest of the company: they often entail major changes to company processes that are difficult to handle.

I strongly suggest the following: do not run more than 3 security projects at the same time. One of those projects should be building an incident response plan, and the corresponding simulated exercise should include all the important stakeholders as participants (see the list above for reference).

The first 3 years

Check your plan at least once a year and report on it to the executive board, so that you can adjust it together if needed. Execute your projects and communicate your successes. Learn from operational issues and optimise your processes accordingly.

There will probably have been some IT security incidents during these 3 years. Use the insights you gain from these events for effective awareness measures within the organisation, and talk about them as much and as often as you can (but make sure the executive board is comfortable with open communication, and include them in your awareness measures).

Author: Stefan Sulistyo
Co-Founder & Chief Customer Officer
About the author
Co-Founder & CCO of Alyne, 10+ year InfoSec & GRC veteran, first of his name, waiting for the singularity.