The CISO's Guide to the First 90 Days

The following article appeared on the Tanium Blog and was written by George Hulme.


“My stomach knotted up,” she recalled of that time. The team was doing what they felt was right, and the organization was content with the process, but it simply wasn't enough to keep operations adequately secure. “What am I going to do here?” she wondered. “Show me the backlog of updates,” she asked. The backlog was substantial.


For a newly minted chief information security officer (CISO), the first 90 days are a time of both peril and possibility. If CISOs move too fast or push too hard, they risk alienating the organization. Move too slowly and new CISOs risk squandering their momentum and honeymoon period. Experienced CISOs tell Start getting a good read on the organization before you land the job, recommends David Elfering, senior director of information security at ReSource Pro, an insurance solutions provider. Elfering advises candidates to understand the precise business model of the organization and how its business outcome depends on cybersecurity.


“Organizations expect you're going to come in the door with an almost omniscient view and hit the ground running,” says Elfering. “You want to be as prepared as possible.”


Get your boots on the ground

You want to meet with leaders in human resources, legal, finance, operations, and, ultimately, the CEO. Payton recommends asking what executives see working well. Be prepared for a short list, she warns. Then ask what they see as not working well. Be ready for a longer list.

If you do that in the first 90 days, you will buy credibility with your team, and you'll also help solve a few challenges along the way. All the while, he says, “you're evaluating your program. You're evaluating your staff. And you're evaluating your technology stack.”


Learn the organizational culture

When CISOs discuss culture, three relationships matter: the up-down culture with executives and business leaders, the culture with employees and end users, and the relationship with security staff. “Build alliances during this time because the business outcomes are mutually beneficial, such as securely ensuring business outcomes,” says Elfering. “But it has to be done in a way aligned with the organization's culture.”

The first rule in building credibility, says Fisher, is to “not be a jerk.” People actually expect a new boss to be bad. “This gives you a great opportunity to prove that you're not a jerk, that you've listened to the team and the executives, and that you're ready to begin helping them succeed,” he says.

Elfering recommends learning how people look at the security team. Has the security team historically shut them down when they tried to do interesting things? How can the new CISO fix that relationship?

In addition to building credibility with executives, it's essential to establish the best possible relationship you can with your team. Someone is going to mess up during those early days, Fisher says. Incoming CISOs have the opportunity to show they can respond to missteps fairly.

Start making changes

“Now is the time to begin making the decisions that new CISOs must make,” says Fisher. “And you're going to own it: good, bad, or indifferent.”

“It's a decision you're making,” says Fisher. “It's not a discussion.”

Benchmark your success

How do new CISOs know they've succeeded? Pick a mentor. “I'd pick somebody on the business unit side that you feel was your biggest supporter during the interview process,” says Payton. “Ask what success for you looks like. Tell them that you want to be wildly successful in this role for this company, and enlist their aid to be a confidential sounding board who will tell you about your hits and misses.”

By understanding their work cycles and technology stack, Payton was able to find ways to accelerate patching cycles without disrupting the organization's work. “We noted the busiest times of the day and week for the groups, and we could plan our updates around these times,” she explains. “Had I come in and just declared that we would patch daily, it would never have worked.”