The Ultimate Plan for a New CISO’s First 90 Days
The Ultimate Plan for a New CISO’s First 90 Days
Demetrios Lazarikos (Laz)
April 18, 2022
- Before starting your first 90 days as a new CISO, study the business and lean on mentors to bounce ideas off of.
- Within the first 30 days, secure partnerships throughout the organization and assess the things that are most important to the business.
- Use the 60-day mark to take inventory of what resources you have and make adjustments according to what you need to be successful.
- Within a CISO’s first 90 days, identify opportunities for quick wins to garner trust, and don’t forget to take comfort in your own leadership.
This blog is designed to provide a new CISO plan to support you as you take the reins of an InfoSec program. New CISO success is challenging, but it can be much smoother when you have a plan for your first 90 days as a CISO. My thoughts apply to both new roles within a new program or team in a new company—or any combination where those elements already exist such as a program, team or company in which you just received a promotion. Now is the time to pause, take a step back, and gain some personal and community perspective for the journey on which you’re about to embark.
A handful of first-time and emerging CISOs have reached out and asked for some best practices as they continue their InfoSec journey in a new leadership role, especially during their first 90 days. If you already started—or will start soon—in your new role, the information here may be helpful.
It’s challenging to write something all-encompassing, but I have captured themes and ideas that help if you’re a new CISO in the first 90 days. There’s a lot to write about in a way that can be easily consumed, so I broke it down into specific tasks to do before you begin the new job, and what to approach for the new CISO’s first 30, 60, and 90 days.
As you read this post, I invite you to think about how your background and experience have prepared you for this new role. Additionally, PLEASE think about how you’re going to adapt to the new role—there are things you will not understand until you’re there for at least 3-6 months. My other piece of coaching for you is to be open and not just take a cookie-cutter approach to build and nurture your security program.
Before the First 90 Days: Learn from Experience and Mentorship
First, if you have a mentor, continue to work with them through your transition and beyond. It is critical to understand what you need to work through; having someone coach you will make the transition better within the first 90 days.
If you don’t have a mentor, now is the time to seek one out and determine who will be a great resource to help you grow throughout this process. Don’t be afraid to seek out multiple mentors to help with different aspects of the role.
For example, one mentor may help you solidify your business acumen for the sector in which your company operates. Another may teach you how to both listen and speak in a way that demonstrates competence while not entering the role like a bull in a china shop.
The best place to find a mentor? Your community, of course! If you get stuck, you can always reach out to me and we can brainstorm as well.
Before the First 90 Days: Be a Student of the Business
I also encourage you to understand the various aspects of the business BEFORE you start in this new role:
- Is the company public or privately-held?
- In and with what sectors does it operate?
- Can you download and read through the financials?
- Can you get a clear understanding of how the company generates revenue?
- How many business units and employees support the company?
- What does the third-party supply chain look like?
- What is the company’s reliance on outsourced technologies and services?
Having an understanding of these aspects is critical since you need and want to partner with a company where the stakeholders support the business. Knowing this information will help you achieve a number of business goals and objectives while also aligning your security goals and team support through the process.
CISO First 30 Days: Gain Perspective to Build Partnerships
There are two areas you can address almost immediately through this process, even in your first 30 days as a CISO. I challenge you to think about them as you’re onboarding in the new role:
- What is important to the business and the business leaders?
- Why is it important to them?
- Is their main focus on themselves, their team, their partners, or their customers?
- What’s driving their view on their part of the business?
- What is your role in helping them succeed?
- Who are the leaders and the champions you need to work with?
- Do you need to influence, negotiate, or both?
- What do those relationships look like?
- Who are the key business stakeholders?
- How do they perceive your team?
Looking at your role with these things in mind should provide you with some personal insights. You should also be able to plan your approach to the business and the teams you will support.
“With this, I invite you to think about how all your experiences prepared you for this new role. Now is your opportunity to provide your own perspective on the current situation and some of the ways you can enable security.”
— Demetrios Lazarikos
CISO First 30 Days: Assess What’s Important to the Business
Once you know where you stand (or where you’re running to or from), it’s time to figure out what’s important to the business: for example, how does the company generate revenue?
Once you have this understanding, you can align security efforts (people, process, and technology) and prioritize your efforts accordingly. This helps determine what’s possible with the resources and skill sets you have available.
It’s important to not build a space shuttle to cross the street. Right now, you may just need a skateboard! Maybe you will need that space shuttle in three years (due to staged appropriate growth of the company mapped to the InfoSec program), but don’t shoot for the stars just yet if reaching an important intersection will suffice.
This doesn’t mean you can, nor should you, shy away from the things you face. It’s just that you need to find a way to map the above perspective to what’s important to the business—so you can have a meaningful conversation with the business leaders that will have a positive impact on the business.
To understand the context of your findings, meet with your team to discuss these three things:
- Their perspective on how the company makes money.
- How they perceive their role in both meeting and protecting the business objectives.
- How they think they’re perceived by the rest of the company.
How your team responds will shed light on where you, your team, and your program really stand.
CISO First 60 Days: Take Inventory of Your Resources and Surroundings
Take inventory of what you have, what you don’t have, and what you believe you need to be successful. This applies to your team, your processes/workflows, and your technology stack. It also extends beyond your own InfoSec team and throughout the rest of the organization.
Many organizations aggressively pursue digital transformation efforts. So understanding what you have (or don’t have) could make or break the success of your team and its ability to protect the organization’s data, applications, products, and revenue from unauthorized users, an attack, or a compromise.
It’s critical to recognize you won’t see or know about everything. Expect challenges with your visibility and that there may be some ambiguity to deal with. The idea is to figure out what you know, what you don’t know, and what both of these mean to your program and the success of the business.
Believe me, you need to find comfort with this approach. If you recognize this approach is uncomfortable, get ready to embrace it. If you can’t get past feeling uncomfortable and you feel a bit stuck in a single spot, then seek coaching from your peers both inside and outside of the organization. Trust me—there are people out there that can help you with this effort, myself included.
CISO First 90 Days: Find and Execute Quick Wins
Can you and your team identify low-hanging fruit that’s been out there a while? Will addressing this demonstrate your ability to lead a team through a project that positively impacts the business?
Good… Do It!
“Quick wins will give you much-needed credibility and show the rest of the organization how you think, operate, and…collaborate.”
— Demetrios Lazarikos
Pick something meaningful from your discussions with the team (remember the item above?) and figure out how to address it in the short term. This not only delivers a message to the company but also establishes confidence and credibility with your team as well.
CISO First 90 Days: Find Comfort and Strength in Leadership – Yours
Consider going on an internal roadshow to educate the organization about your team and your program. Let them know you’re there and willing to be a business partner looking to align on meeting a common set of business objectives.
As part of your roadshow, reinforce that business leaders have a safe place to collaborate and negotiate with you. Remember, you have to be the “office of enablement” while presenting and discussing risks to revenue—not obstacles or ultimatums! There will be trade-offs!
To engage in reality, work with your team(s) to gain their insights and:
- Brainstorm threat scenarios and crisis management
- Discuss risk exposure areas
- Conduct quick tabletop exercises
Do things you feel comfortable doing to get your team out of their shell and to share who they are and how they think about the business, revenue, risk, and InfoSec.
Of course, if you have your own experiences or questions to share, please let me know. I can always connect and discuss this with you. Feel free to contact us online via LinkedIn @Blue-Lava.
Take a look at the Blue Lava blog for other CISO resources, including discussing the Top Common CISO Challenges with a 3x CISO.
Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: [email protected]