Life As a New CISO: Best Practices – Part 1

This blog is part one of a two-part series to help new CISOs as they take the reins of their InfoSec programs. My thoughts apply to both new roles within a new program or team in a new company—or any combination where those elements already exist such as a program, team or company in which you just received a promotion. Now is the time to pause, take a step back, and gain some personal and community perspective for the journey on which you’re about to embark.

A handful of first-time and emerging CISOs have reached out and asked for some best practices as they continue their InfoSec journey in a new leadership role. If you already started—or will start soon—in your new role, the information here may be helpful.

It’s challenging to write something all-encompassing, but I have captured themes and ideas that help if you’re new to the CISO position. There’s a lot to write about in a way that can be easily consumed, so I broke it down into two parts. This first part focuses on the CISO community and the main reason the role exists in the first place: to help business leaders remove the risks that could put the company’s business objectives in jeopardy.

As you read this post, I invite you to think about how your background and experience have prepared you for this new role. Additionally, PLEASE think about how you’re going to adapt to the new role—there are things you will not understand until you’ve been in the role for at least 3-6 months. My other piece of coaching for you is to be open and not just take a cookie-cutter approach to building and nurturing your security program.

Learn from Experience and Mentorship

First, if you have a mentor, continue to work with them through your transition and beyond. It is critical to understand what you need to work through; having someone coach you will make the transition better.

If you don’t have a mentor, now is the time to seek one out and determine who will be a great resource to help you grow throughout this process. Don’t be afraid to seek out multiple mentors to help with different aspects of the role.

For example, one mentor may help you solidify your business acumen for the sector in which your company operates. Another may teach you how to both listen and speak in a way that demonstrates competence while not entering the role like a bull in a china shop.

The best place to find a mentor? Your community, of course! If you get stuck, you can always reach out to me and we can brainstorm as well.

Be a Student of the Business

I also encourage you to understand the various aspects of the business BEFORE you start in this new role:

  • Is the company public or privately-held?
  • In and with what sectors does it operate?
  • Can you download and read through the financials?
  • Can you get a clear understanding of how the company generates revenue?
  • How many business units and employees support the company?
  • What does the third-party supply chain look like?
  • What is the company’s reliance on outsourced technologies and services?

Having an understanding of these aspects is critical since you need and want to partner with a company where the stakeholders support the business. Knowing this information will help you achieve a number of business goals and objectives while also aligning your security goals and team support through the process.

Gain Perspective to Build Partnerships

There are two areas you can address almost immediately through this process. I challenge you to think about them as you’re onboarding in the new role:

  • What is important to the business and the business leaders?
  • Why is it important to them?
  • Is their main focus on themselves, their team, their partners, or their customers?
  • What’s driving their view on their part of the business?
  • What is your role in helping them succeed?

  • Who are the leaders and the champions you need to work with?
  • Do you need to influence, negotiate, or both?
  • What do those relationships look like?
  • Who are the key business stakeholders?
  • How do they perceive your team?

Looking at your role with these things in mind should provide you with some personal insights. You should also be able to plan your approach to the business and the teams you will support.

With this, I invite you to think about how all your experiences prepared you for this new role. Now is your opportunity to provide your own perspective on the current situation and some of the ways you can enable security.

Of course, if you have your own experiences or questions to share, please let me know. I can always connect and discuss this with you. Feel free to contact us online via LinkedIn @Blue-Lava.

And be sure to stay tuned in to the Blue Lava blog for part two of this series where we get into assessing your situation, engaging with business leaders and your team, and winning their trust.

Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.