CISO Careers: How to Survive Your First 90 Days
February 8, 2023
Brian Johnson is Armorblox’s first CSO. He has over 20 years of experience building and leading private and public companies, including working with government agencies. To say Brian’s track record is impressive would be a tremendous understatement. He was a co-founder and general partner at Crucyble, served as CISO at Lending Club, and has held leadership positions at Netflix and ForeScout (FSCT). In addition, Brian has been instrumental in creating and securing systems for the U.S. Department of Defense and other global finance and technology companies.
More recently, Brian has graciously agreed to share his thoughts on CISO careers. He has valuable insight into what you should do before you accept an offer and what a CISO’s first 90 days will look like.
During the Interview Process
It’s impossible to truly know what you’re getting into before you start working, but there are steps you can take before and during the interview process that can help identify any red flags and give you a better idea about the company. All organizations are going to put their best face forward when they’re trying to recruit you, so you should do some research and ask the right questions to dig a little deeper.
Ultimately, you’re there to support the business and solve issues. While there will be security issues you know about upfront, there will always be those that take you by surprise, too. Think of the interview process as your chance to ask questions about the company culture so you can figure out how it functions and what power dynamics are at play.
Brian notes that every organization is different, so it’s up to you to find the answers to those questions — either by asking the right questions during the interview, directly observing, or doing your own research. The only thing Brian advises against in the interview process is asking questions you could find the answers to with a simple web search.
Before starting, make sure that you’re prepared, learning things like:
- What breaches they’ve had
- What breaches have been occurring outside the company
- How they’ve handled security issues
- What data they’re collecting, and how
Tailor your questions to the business. Brian says there’s no point in asking a lot of questions about a company’s long-term history or evolution if they’re more recently established. Instead, you can showcase your value in cybersecurity leadership during the interview by demonstrating that you want to understand where they’re trying to go and how you can help them get there.
The First 30 Days
You’ve got to deeply understand how the business works before you start implementing a plan or controls. As a new CISO, the temptation will be to charge in and start making changes. If your background is in security, you’ll go straight for implementing controls. If you’re coming from a compliance perspective, your main concern is what frameworks you should implement.
However, first, take a step back and spend your first 30 days learning the business. Think like an executive. How are you going to enable the business? The business is your customer, and the better you know it, the better you can serve it. Look for your ideal customers within the business and figure out their roles and how you fit inside the organization.
Brian suggests you resist the urge to swoop in and immediately start deploying. Instead, take time to assess the people and the infosec that’s already in play. Look for people who may not be obvious candidates to interview but can provide unique insight. Spend a lot of time listening.
The first 30 days can be overwhelming. One way you can cope is to write down your plan. It won’t be a static plan — it’ll change as you learn — but it will provide a roadmap you can share with your direct reports. It will cover, in general, what you want to get done in the next 90 days.
Days 31 Through 60
After your initial assessment, you’ll have a better idea of how the company works and what gaps you need to fill. You should always hire to fill your gaps. As Brian points out, if you’re a great AppSec person, you don’t want your first hire to be a senior AppSec person. Hire into your blind spots. During this period, you should also continue to focus on building trust within your organization.
Remember it used to be people, processes and tools; I would add automation after or with tools. These systems need to work together with the least human interaction.
You’ll probably be surprised by how much time is spent marketing and hiring. Much of your second month will include talking to people and trying to recruit them. You’ll also continue your organizational assessment and the discovery process with your new and existing staff.
This is also a good time to become more customer-facing. You now know the product and what data needs to be protected. Talk to the sales team and figure out how to empower them, particularly if you’re working for a start-up.
This is when you’ll validate and verify what you’ve learned, so you can integrate security into the organization and establish governance. You’ll work on consensus building and deliver your first strategic plan.
Days 61 Through 90
Now it’s time to start making changes to your people, processes, and tools, if they’re needed. Document, envision, and plan. Hopefully at this point you have a better understanding of the business agenda and motivations, and you’ve built trust within your company. It’s all about building relationships and communicating with those who will help you hit the milestones on your roadmap—the executive team, your board of directors and your new bestie, the legal department.
Establish your program’s baseline maturity level as a starting point. Identify gaps in staff, processes, and technology so you can create priorities from there.
Brian believes the community at large is one of the best tools you can leverage. No one knows everything. Building relationships with other cybersecurity professionals at all levels will help you learn and keep on top of new trends and technologies.
It’s also essential not to overload yourself. Brian points out that you have one of the organization’s largest risk portfolios to manage. You need processes and people to manage your tools, and you should avoid accumulating too many overlapping tools. Tooling budgets have increased, and there are many excellent tools on the market. Still, having too many can be overwhelming and, thus, counterproductive.
In parting, Brian notes that one of his “aha” moments was that no day is ever the same in the CISO role. The bad guys are constantly innovating, so you have to stay abreast of new ideas. You are a conduit from the outside in, so having a strong network like the Blue Lava Community is essential. A CISO is a true business leader when you can bring this valuable knowledge, planning, and communication to your customers and executives.