The following article appeared on the Tanium Blog and was written by George Hulme.
When security executive Theresa Payton started at her previous cybersecurity position, one of the first things she asked about was the frequency of the organization’s patch management routine. The answer wasn’t the one she wanted to hear. They only patched software monthly and had a “zero downtime” policy.
“My stomach knotted up,” she recalled of that time. The team was doing what they felt was right, and the organization was content with the process, but it simply wasn’t enough to keep operations adequately secure. “What am I going to do here?” she wondered. “Show me the backlog of updates,” she asked. The backlog was substantial.
Ultimately, Payton—the first female to serve as White House Chief Information Officer, and who oversaw IT operations for the President and his staff from 2006 to 2008—sat down with her director and asked if the organization was open to other possibilities. How they decided to move forward would have a profound impact on the success of her cybersecurity leadership.
For a newly minted chief information security officer (CISO), the first 90 days are a time of both peril and possibility. If CISOs move too fast or push too hard, they risk alienating the organization. Move too slowly and new CISOs risk squandering their momentum and honeymoon period. Experienced CISOs tell Endpoint how they navigated their first few months on the job. Here’s how to navigate your new role.
Start getting a good read on the organization before you land the job, recommends David Elfering, senior director of information security at ReSource Pro, an insurance solutions provider. Elfering advises candidates to understand the precise business model of the organization and how its business outcome depends on cybersecurity.
The prospective CISO will also want to understand the organizational hierarchy—who the CISO reports to, the key officers, the organization’s overall financial health, and the level of employee turnover. Finally: What is the overall IT budget, and what percentage of that budget is dedicated to security?
“Organizations expect you’re going to come in the door with an almost omniscient view and hit the ground running,” says Elfering. “You want to be as prepared as possible.”
The first week on the job is one of the most critical times. “This is boots-on-the-ground week,” says Payton, now CEO at security consultancy Fortalice Solutions. “And I call it your listening assessment tour,” she adds. The early days are a time to be in full information-gathering mode, listening for all of the critical details a CISO will need going forward about the program. “You need to meet with and listen to the needs of all business executives,” adds Payton. “If you’re not enabling the business executives, then you’re not doing your job and you’re not going to be successful.”
You want to meet with leaders in human resources, legal, finance, operations, and, ultimately, the CEO. Payton recommends asking what executives see working well. Be prepared for a short list, she warns. Then ask what they see as not working well. Be ready for a longer list.
This is also a time to build rapport. Martin Fisher, CISO at Northside Hospital in Atlanta, recommends saying something like: “I want your opinion, and I’m going to sit here and listen.”
If you do that in the first 90 days, you will buy credibility with your team, and you’ll also help solve a few challenges along the way. All the while, he says, “you’re evaluating your program. You’re evaluating your staff. And you’re evaluating your technology stack.”
Leadership guru Peter Drucker famously said, “Culture eats strategy for lunch.” Fisher explained it this way: “That means if you come in with a great security strategy, and it’s not aligned with the organization’s culture, it’s going to fail.”
When CISOs discuss culture, three relationships matter: the up-down culture with executives and business leaders, the culture with employees and end users, and the relationship with security staff. “Build alliances during this time because the business outcomes are mutually beneficial, such as securely ensuring business outcomes,” says Elfering. “But it has to be done in a way aligned with the organization’s culture.”
It’s essential new CISOs learn how the organization makes decisions and to honor the processes already in place. “Our organization is pretty doggone hierarchical—it’s just the way it is,” says Fisher. “And if you are not respected as a leader, and if you are not taking care of the people who report to you, things will end badly for you.”
The first rule in building credibility, says Fisher, is to “not be a jerk.” People actually expect a new boss to be bad. “This gives you a great opportunity to prove that you’re not a jerk, that you’ve listened to the team and the executives, and that you’re ready to begin helping them succeed,” he says.
Once the new CISO has followed the earlier advice to listen and to evaluate the existing program, the existing team, and the current technology stack, it’s time to build credibility with executives.
Elfering recommends learning how people look at the security team. Has the security team historically shut them down when they tried to do interesting things? How can the new CISO fix that relationship?
“If there’s dysfunction, you can go back to the team and fix it,” he says. “You can build credibility while also showing value to the business and that you can return value as quickly as possible.”
In addition to building credibility with executives, it’s essential to establish the best possible relationship you can with your team. Someone is going to mess up during those early days, Fisher says. Incoming CISOs have the opportunity to show they can respond to missteps fairly.
Toward the end of the first 90 days, it’s time to ensure everyone is aligned about what needs to happen to build the new security program. CISOs have built credibility with their team. People have felt heard. They have felt as though they’re part of the process of building the new program.
“Now is the time to begin making the decisions that new CISOs must make,” says Fisher. “And you’re going to own it: good, bad, or indifferent.”
When making changes, educate everyone about how the changes will reduce risk, improve people’s work lives, and improve the business. This is when you say: “These are the changes I want to talk about. Let’s talk about how we’re going to implement them.”
“It’s a decision you’re making,” says Fisher. “It’s not a discussion.”
The leaders we interviewed said that success at this stage depends on how well a CISO has built a solid foundation with the security team and the business leadership. The new CISO will want to watch how well the security team supports them and how much credibility they’ve built with executives. Hitting benchmarks for success has less to do with the bits or bytes of the security technology they have deployed, and more to do with whether they are generating the right business outcomes.
How do new CISOs know they’ve succeeded? Pick a mentor. “I’d pick somebody on the business unit side that you feel was your biggest supporter during the interview process,” says Payton. “Ask what success for you looks like. Tell them that you want to be wildly successful in this role for this company, and enlist their aid to be a confidential sounding board who will tell you about your hits and misses.”
How did Payton eventually solve her patch management challenge? She spent the first several months listening to the team and to leadership in order to understand everything she could about their IT inventory, asset management processes, and team culture.
By understanding their work cycles and technology stack, Payton was able to find ways to accelerate patching cycles without disrupting the organization’s work. “We noted the busiest times of the day and week for the groups, and we could plan our updates around these times,” she explains. “Had I come in and just declared that we would patch daily, it would never have worked.”
New CISOs, take note of these words of wisdom. They will help you put your best foot forward during the first 90 days.
During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives’ or board members’ personal cybersecurity hygiene to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Silicon Valley Bank (SVB) was shuttered early this month and had its deposits seized in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem like SVB’s collapse will only impact its direct customers and depositors, it is far more complicated. Like vultures to roadkill, cyber scammers often wait to exploit and target victims after tragedy strikes, or bad news arises. A perfect storm of stress, uncertainty, and urgency for customers and vendors alike during this time can impair someone’s judgement when they click links and open emails they otherwise would ignore or delete. Fortalice has outlined a few different ways cybercriminals social engineer their victims during times of extreme distress and insecurity.