Life As a New CISO: Best Practices – Part 2
Life As a New CISO: Best Practices – Part 2
Demetrios Lazarikos (Laz)
April 18, 2022
This blog is part two of a two-part series to help new CISOs as they take the reins of their InfoSec programs. Now is the time to pause, reflect, take a step back, and gain some personal and community perspective for the journey on which you’re about to embark.
A handful of first-time and emerging CISOs reached out to me and asked for some best practices as they continue their InfoSec journey in a new leadership role. If you already started—or will start soon—the information here may be helpful.
It’s challenging to write something all-encompassing, and there’s a lot to write about in a way that can be easily consumed. So I broke it down into two parts by capturing a few themes and ideas that should help if you’re new to the CISO position.
Part 1 of this series focused on the CISO community and the main reason the role exists in the first place. That blog explained how the goal is to understand how to coach business leaders about understanding the biggest risks to revenue.
This second part focuses on what we can do in our leadership role to assess our current situation and to successfully engage with business leaders and your team. At the end of the day, I want to help you build relationships of trust with your business leaders and demonstrate that you’re a student of the business.
Let’s get started.
Assess What’s Important to the Business
Once you know where you stand (or where you’re running to or from), it’s time to figure out what’s important to the business: for example, how does the company generate revenue?
Once you have this understanding, you can align security efforts (people, process, and technology) and prioritize your efforts accordingly. This helps determine what’s possible with the resources and skillsets you have available.
It’s important to not build a space shuttle to cross the street. Right now, you may just need a skateboard! Maybe you will need that space shuttle in three years (due to staged appropriate growth of the company mapped to the InfoSec program), but don’t shoot for the stars just yet if reaching an important intersection will suffice.
This doesn’t mean you can, nor should you, shy away from the things you face. It’s just that you need to find a way to map the above perspective to what’s important to the business—so you can have a meaningful conversation with the business leaders that will have a positive impact on the business.
To understand the context of your findings, meet with your team to discuss these three things:
- Their perspective on how the company makes money.
- How they perceive their role in both meeting and protecting the business objectives.
- How they think they’re perceived by the rest of the company.
How your team responds will shed light on where you, your team, and your program really stand.
Take Inventory of Your Resources and Surroundings
Take inventory of what you have, what you don’t have, and what you believe you need to be successful. This applies to your team, your processes/workflows, and your technology stack. It also extends beyond your own InfoSec team and throughout the rest of the organization.
Many organizations aggressively pursue digital transformation efforts. So understanding what you have (or don’t have) could make or break the success of your team and its ability to protect the organization’s data, applications, products, and revenue from unauthorized users, an attack, or a compromise.
It’s critical to recognize you won’t see or know about everything. Expect challenges with your visibility and that there may be some ambiguity to deal with. The idea is to figure out what you know, what you don’t know, and what both of these mean to your program and the success of the business.
Believe me, you need to find comfort with this approach. If you recognize this approach is uncomfortable, get ready to embrace it. If you can’t get past feeling uncomfortable and you feel a bit stuck in a single spot, then seek coaching from your peers both inside and outside of the organization. Trust me—there are people out there that can help you with this effort, myself included.
Find Comfort and Strength in Leadership – Yours
Consider going on an internal roadshow to educate the organization about your team and your program. Let them know you’re there and willing to be a business partner looking to align on meeting a common set of business objectives.
As part of your roadshow, reinforce that business leaders have a safe place to collaborate and negotiate with you. Remember, you have to be the “office of enablement” while presenting and discussing risks to revenue—not obstacles or ultimatums! There will be trade-offs!
To engage in reality, work with your team(s) to gain their insights and:
- Brainstorm threat scenarios
- Discuss risk exposure areas
- Conduct quick tabletop exercises
Do things you feel comfortable doing to get your team out of their shell and to share who they are and how they think about the business, revenue, risk, and InfoSec.
Find and Execute Quick Wins
Can you and your team identify low-hanging fruit that’s been out there a while? Will addressing this demonstrate your ability to lead a team through a project that positively impacts the business?
Good… Do It!
Those quick wins will give you much-needed credibility and show the rest of the organization how you think, operate, and…collaborate. Pick something meaningful from your discussions with the team (remember the item above?) and figure out how to address it in the short term. This not only delivers a message to the company but also establishes confidence and credibility with your team as well.
Of course, if you have your own experiences or questions to share, please let me know. I would love to connect, learn more, and discuss this with you. Feel free to contact us online via LinkedIn @Blue-Lava.
And be sure to stay tuned in to the Blue Lava blog for more CISO tips and best practices!
Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.