Your Blueprint for Success: The Starter Guide for CISOs (Part 1)
Demetrios Lazarikos (Laz)
April 18, 2022
With, by and for the CISO Community
We are excited to introduce you to our latest series of educational blog posts directly aimed at new CISOs. Our bi-weekly Blueprint series isn’t trying to be prescriptive. What we’re offering you are some lessons learned, experiences, and a proven approach to the CISO role. Each guide in this series has been developed with, by, and for the CISO community leveraging our years of experience as security leaders. There is no silver bullet for what we do as security leaders; however, these proven strategies have been battle-tested.
Business drivers will always dictate the speed at which we move, and in today’s world, this is usually the speed of innovation. As a result, we wanted to ensure you have the support you need to effectively navigate the critical CISO role, particularly as it relates to your information security program. These guides will provide a pragmatic approach that outlines things to consider as you’re building or supporting your security program. Please consider leveraging them in your role.
Part 1 – Before you Start
By Phil Beyer, Head of Security at Etsy
Congratulations on your new role as Chief Information Security Officer! You made it through the gauntlet of interviews, asked insightful questions, decided this was the next best step for your career and accepted the offer. Give that a moment to settle in… ok, now let’s get started.
There’s no time to waste. It’s tempting to relax and celebrate, but you may miss a golden opportunity to set yourself up for success as a security leader. Take advantage of the interim period between when you accept your offer and your start date to do the kind of work that may be harder to accomplish on or after day one. When you arrive for your first day, please keep this in mind: every hour you spend on administrative tasks is an hour you could’ve spent with people or on understanding them. Administration is unavoidable, AND it can be minimized. Your pre-arrival objective is to maximize your time for meeting, listening, and getting to know your new colleagues and company. The objective of a new leader prior to their first day should be to initiate and/or complete as many of those administrative tasks as possible.
Consider submitting requests, scheduling meetings, collecting research notes, reading background information, and even setting up trusted vendor relationships. Doing this work now will help you optimize your onboarding so you can understand the business and its supporting teams and make a lasting impression on your new colleagues. Here are some things you can accomplish before your first day in your new role:
Submit a list of requests for items, resources, and access you want ready when you arrive. These can be mundane and rudimentary or complex and nuanced, and anything in between. Anything you can think of that you need to get working right away is potentially in scope. Hopefully most of the things you have on your own onboarding list are already on your team’s onboarding list and therefore redundant. However, many of us know from personal experience that something is always missing. Work with your company before you start to get the following:
- Work necessities: laptop (and/or desktop, preferred make/model/size/color), screen(s), cable(s), adapter(s), phone (mobile, office, preferred make/model/size/color), desk (sitting, standing, unconventional), corporate card (T&E, OpEx), and badge(s)
- Resources, including policies, procedures, organization charts, assessment reports, compliance certifications, audit findings, penetration test results, and data flow diagrams. If any of these can’t be shared before you start, do what you can to have them ready for you to review on day one
- Company access, such as shared folders, source code repositories, intranet sites, and chat rooms
Ask for a series of meetings to be scheduled prior to your first day. In addition to everything else you’ll have going on, it can be quite overwhelming to try to navigate calendars and availability. If you can shift that burden to another, you’ll be able to focus on the task at hand. If you don’t already have a plan for how to schedule all these meetings, here’s a recommendation:
- In your first week, prioritize individual meetings with your boss and direct reports as well as a meeting with your entire team
- In your second week, prioritize individual meetings with your direct peers (your boss’s directs) as well as small group meetings with your team members (we’ve found limiting the meeting to 2 to 4 team members at a time is ideal)
- In your third week, prioritize individual meetings with your boss’s boss, your boss’s peers, and other executive leaders
Consider conducting a SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis and risk assessment of your prospective employer prior to even scheduling the first interview. If you’ve done this, please skip this step. If not, consider spending some of your available time on it before you start in your new role. Exercise your open-source intelligence (OSINT) skills and learn as much as you can. This knowledge will streamline your onboarding and ensure you are efficient with your time.
- For publicly traded companies, regulatory filings provide a wealth of information. All the time you can spend reading through investor reports and listening to quarterly call recordings will be worthwhile
- For privately held companies, learn as much as possible about the founder(s), owner(s), and largest investor(s)
- Familiarize yourself with your new employer’s competition and market space. Know your company’s competitive advantage and unique selling proposition, and read up on the news, commentary, presentations, and blog posts of your own company. This background will help you better understand the decisions your company makes, the goals they set, and why
Trusted Advisors & Vendors
Consider proposing 1-2 trusted advisors and vendors you want to engage in your first 90 days that may help you jumpstart your program.
Finally, I wish you all the best in your new role. Your company needs someone like you, an effective security leader. If you’re reading this Blueprint guide, then I know that’s exactly what you are. Be confident. Be bold. Enjoy yourself!
Stay tuned for Part 2 of our series where we will discuss ways to get to know your new team.