With, by and for the CISO Community

ThisNew CISO Strategy isn’t trying to be prescriptive. What we’re offering you are some lessons learned, experiences, and a proven approach to the CISO role. Our New CISO action plan has been developed with, by, and for the CISO community leveraging our years of experience as security leaders. There is no silver bullet for what we do as security leaders; however, these proven strategies have been battle-tested.

Business drivers will always dictate the speed that we move, and in today’s world, this is usually at the speed of innovation. As a result, we wanted to ensure you have the support you need to effectively navigate the critical CISO role, particularly as it relates to managing your information security program. This New CISO Plan will provide a pragmatic approach that outlines things to consider as you’re building or supporting your security program. Please consider leveraging them in your role.

Before you Start Your New CISO Plan

Congratulations on your new role as Chief Information Security Officer! You made it through the gauntlet of interviews, asked insightful questions, decided this was the next best step for your career and accepted the offer. Give that a moment to settle in… ok, now let’s get started.

There’s no time to waste. It’s tempting to relax and celebrate, but you may miss a golden opportunity to set yourself up for success as a security leader. Take advantage of the interim period between when you accept your offer and your start date to do the kind of work that may be harder to accomplish on or after day one. When you arrive for your first day, please keep this in mind: every hour you spend on administrative tasks is an hour you could’ve spent with people or on understanding them. Administration is unavoidable, AND it can be minimized. Your pre-arrival objective is to maximize your time for meeting, listening, and getting to know your new colleagues and company. The objective of a new CISO prior to their first day should be to initiate and/or complete as many of those administrative tasks as possible.

Consider submitting requests, scheduling meetings, collecting research notes, reading background information, and even setting up trusted vendor relationships. Doing this work now will help you optimize your onboarding to understand the business, supporting teams and making a lasting impression on your new colleagues. Here are some things you can accomplish before your first day in your new role:

Requests

Submit a list of requests for items, resources, and access you want ready when you arrive. These can be mundane and rudimentary or complex and nuanced, and anything in between. Anything you can think of that you need to get working right away is potentially in scope. Hopefully most of the things you have on your own onboarding list are already on your team’s onboarding list and therefore redundant. However, many of us know from personal experience that something is always missing. Work with your company before you start to get you the following:

• Work necessities: laptop (and/or desktop, preferred make/model/size/color), screen(s), cable(s), adapter(s), phone (mobile, office, preferred make/model/size/color), desk (sitting, standing, unconventional), corporate card (t&e, opex), and badge(s)
• Resources, including policies, procedures, organization charts, assessment reports, compliance certifications, audit findings, penetration test results, and data flow diagrams. If any of these can’t be shared before you start, do what you can to have them ready for you to review on day one
• Company access, such as shared folders, source code repositories, intranet sites, and chat rooms

Scheduling

Ask for a series of meetings to be scheduled prior to your first day. In addition to everything else you’ll have going on, it can be quite overwhelming to try to navigate calendars and availability. If you can shift that burden to another, you’ll be able to focus on the task at hand. If you don’t already have a plan for how to schedule all these meetings, here’s a recommendation:

• In your first week, prioritize individual meetings with your boss and direct reports as well as a meeting with your entire team
• In your second week, prioritize individual meetings with your direct peers (your boss’s directs) as well as small group meetings with your team members (we’ve found limiting the meeting 2 to 4 at a time is ideal)
• In your third week, prioritize individual meetings with your boss’s boss, your boss’s peers, and other executive leaders

For a more in-depth look at a new CISO plan for your first 90 days, check out our blog.

Research

Consider conducting a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis and risk assessment of your prospective employer prior to even scheduling the first interview. If you’ve done this, please skip this step. If not, consider spending some of your available time before you start in your new role. Exercise your open-source intelligence (OSINT) skills and learn as much as you can. This knowledge will streamline your onboarding and ensure you are efficient with your time.

• For publicly traded companies, regulatory filings provide a wealth of information. All the time you can spend reading through investor reports and listening to quarterly call recordings will be worthwhile
• For privately held companies, learn as much as possible about the founder(s), owner(s), and largest investor(s)
• Familiarize yourself with your new employer’s competition and market Space. Know your company’s competitive advantage and unique selling proposition, and read up on the news, commentary, presentations, and blog posts of your own company. This background will help you better understand the decisions your company makes, the goals they set, and why

Trust Advisors & Vendors

Consider proposing 1-2 trusted advisors and vendors you want to engage in your first 90 days that may help you jumpstart your program.

Get to Know Your Team

Security is pervasive across your entire organization, so fostering relationships early by listening to the needs of your team before making changes is critical. Enter with the attitude of “Do No Harm.”

Introductions

Getting to know your individual team members

As you meet your team members, it is important to understand the role each person plays within your team structure, what projects they work on, and their view on the company security culture. This information will help you build a mental picture of how your team is running and where there may be potential gaps.

Key questions you can ask everyone you meet:

• How long have you been with the company?
• What are your primary responsibilities?
• Which security and compliance certifications does the company have in place now? In the future?
• What tools do we have in place? How are they working?
• What tools do we believe we need? Why?
• What does a typical day look like?
• What does a typical week look like?
• Tell me about the company goals and how our team aligns to them?
• How does our team work to achieve these goals?
• What’s working? What’s not?

Tips to Prepare for your Meetings

Time management

Schedule your time accordingly, while you might not be able to meet with everyone in your first 100 days, please try to get to know as much of your immediate team as possible.

Goals for the meeting

Jot down notes for what you hope to get out of each meeting. You can share this with the person you are meeting with at the start of the meeting.

Agenda

Create a rough agenda for your meeting to add in an email or calendar invitation. You can include specific questions you don’t want to forget or give them to prepare for the meeting.

Follow-up notes

Share any notes that you take after your meeting. Ask for clarification anywhere that you might have missed details you think you’ll need later on. Include a thank you as well for taking time to meet with you to establish a good rapport.

Continue the Conversation

As you build rapport with your team, dig deeper to understand your organization’s past incidents, program assessment and audit results

Review previous incidents and ask your team:

• What were the past incidents?
• How did we do with handling them?
• What have we learned from past cybersecurity incidents?
• How have we improved our incident response strategies over time?
• What changes were made with how we communicated the incident to key stakeholders?

Review past risk assessments and develop your own conclusions around your program’s evolution

• Have these past assessments given me a full understanding of changes to my security program to date?
• Do I have a clear understanding of where progress has been made over the past year? Two years?

Consider framing your questions to cover the following areas:

• GRC
• Business & Rev Ops
• Vendor Risk
• IT Ops
• Sec Ops
• Applications
• Eng & SDLC
• Endpoint, Cloud, IoT
• InfoSec
• Databases
• Networks

1×1 Meetings

Get your arms around your own security program – from your team’s perspective

If you haven’t yet, now is a great time to schedule 1:1 meetings with each of your team members. Your conversations will help you understand and evaluate the state of affairs of active security projects and gain valuable insights as to where support is needed.

Remember that your leadership and style make all the difference in your early tenure with your team. It’s important to show your support and understanding of their individual value to the team.

You’ve likely already learned some quick lessons:

• Listen and learn how your team manages projects, works through challenges, and collaborates to solve problems
• Being too vocal too early can stifle the fluid dynamics of the meeting and members may act differently due to posturing with you, the new boss
• This is your opportunity to ask questions to better understand the criteria for how decisions are made, how the team resolves conflict, and how members communicate with each other and their managers

Use this 1:1 time to get a holistic understanding of your team and program needs.

Start by keeping the focus on how you can improve things for your team. Open-ended questions can help you know where each person is focusing their energy and what gaps might exist. Try asking the following questions:

• What do you think is working?
• What do you think isn’t working?
• What’s missing from your day-to-day?
• What can be done to improve your job or your ability to perform your job?

After you have an understanding of their individual needs, dig into your program: Where have investments been made across all the different disciplines and capabilities in security?

• What is missing:
  • With documentation?
  • What people are missing from key roles?
  • Which processes do you think are missing?
• What technology do you think is missing or waiting to be purchased?
• What capabilities are in place across products, business units, or locations?
• How mature are those capabilities?
• How was the program communicated to boards in the past? Executive team? What frameworks were used and why?

Get to Know Your Department

Looking at your department as a whole will help you further connect the dots on everything you have learned so far.

Understand Budget and Metrics

Now that you’ve gotten in the weeds with your individual team members, it’s time to look more broadly at your department. Understanding your budget and processes will further support your ability to draw conclusions about the strengths and opportunities for your security program.

• Consider analyzing past assessments, time allocation, and budgets:
  • What type of assessments were performed?
  • How much was budgeted for the assessments?
  • How much budget was allocated for remediation?
  • What is favorable in the budget – CapEx or OpEx?
• Work with your team to understand the project intake process and how to align to finance:
  • Every budget has limitations – what are yours, and what opportunities do you have to change those limits?
  • Solicit input on how best to influence on budget needs, translating technical risks into business risks

Hold the First Security Department Team Meeting

New leadership may bring apprehension to your team. Consider carving out time during your first few weeks to introduce yourself and listen to your team as a whole.

• Share your role and your hope for what you can accomplish together
• Let your team know your process getting up to speed and ask for help continuing to do so
• Share some of your lessons learned you’ve had so far from your 1:1 meetings
• Express how you want to work with the team and preferred methods for communication
• Share your plan for future team meetings and what you want to hear from them – and be sure to ask them what they want to see and expect from you

It’s Time to Execute Your New CISO Plan

Finally, I wish you all the best in your new role. Your company needs someone like you, an effective security leader. If you’re reading this Blueprint guide, then I know that’s exactly what you are. Be confident. Be bold. Enjoy yourself!

And be sure to follow us on LinkedIn to get a first view of our upcoming blogs, resources and events.

Hear more from Phil Beyer, Head of Security at Etsy, about the Future of Managing the Business of Security in our webinar.