In part one of our ongoing informative blog series, “Your Blueprint for Success: The Starter Guide for CISOs,” Phil Beyer, Head of Security at Etsy, provided us with some great insight on steps a new CISO can take prior to the start of their new role. His advice paved the way for a smooth onboarding experience and how to minimize the administrative tasks that can take away from valuable introductory meeting time. Part two of our series picks up where Phil left off and provides new CISOs advice on how to get to know your new team, offers great tips on meeting structures, what questions a new CISO should be asking, and how to familiarize yourself with the department as a whole.

Part 2 – Get to Know Your Team

Security is pervasive across your entire organization, so fostering relationships early by listening to the needs of your team before making changes is critical. Enter with the attitude of “Do No Harm.”

Introductions

Getting to know your individual team members

As you meet your team members, it is important to understand the role each person plays within your team structure, what projects they work on, and their view on the company security culture. This information will help you build a mental picture of how your team is running and where there may be potential gaps.

Key questions you can ask everyone you meet:

• How long have you been with the company?
• What are your primary responsibilities?
• Which security and compliance certifications does the company have in place now? In the future?
• What tools do we have in place? How are they working?
• What tools do we believe we need? Why?
• What does a typical day look like?
• What does a typical week look like?
• Tell me about the company goals and how our team aligns to them?
• How does our team work to achieve these goals?
• What’s working? What’s not?

Tips to Prepare for your Meetings

Time management
Schedule your time accordingly, while you might not be able to meet with everyone in your first 100 days, please try to get to know as much of your immediate team as possible.

Goals for the meeting
Jot down notes for what you hope to get out of each meeting. You can share this with the person you are meeting with at the start of the meeting.

Agenda
Create a rough agenda for your meeting to add in an email or calendar invitation. You can include specific questions you don’t want to forget or give them to prepare for the meeting.

Follow-up notes
Share any notes that you take after your meeting. Ask for clarification anywhere that you might have missed details you think you’ll need later on. Include a thank you as well for taking time to meet with you to establish a good rapport.

Continue the Conversation

As you build rapport with your team, dig deeper to understand your organization’s past incidents, program assessment and audit results

Review previous incidents and ask your team:

• What were the past incidents?
• How did we do with handling them?
• What have we learned from past cybersecurity incidents?
• How have we improved our incident response strategies over time?
• What changes were made with how we communicated the incident to key stakeholders?

Review past risk assessments and develop your own conclusions around your program’s evolution

• Have these past assessments given me a full understanding of changes to my security program to date?
• Do I have a clear understanding of where progress has been made over the past year? Two years?

Consider framing your questions to cover the following areas:

• GRC
• Business & Rev Ops
• Vendor Risk
• IT Ops
• Sec Ops
• Applications
• Eng & SDLC
• Endpoint, Cloud, IoT
• InfoSec
• Databases
• Networks

1×1 Meetings

Get your arms around your own security program – from your team’s perspective

If you haven’t yet, now is a great time to schedule 1:1 meetings with each of your team members. Your conversations will help you understand and evaluate the state of affairs of active security projects and gain valuable insights as to where support is needed.

Remember that your leadership and style make all the difference in your early tenure with your team. It’s important to show your support and understanding of their individual value to the team.

You’ve likely already learned some quick lessons:

• Listen and learn how your team manages projects, works through challenges, and collaborates to solve problems
• Being too vocal too early can stifle the fluid dynamics of the meeting and members may act differently due to posturing with you, the new boss
• This is your opportunity to ask questions to better understand the criteria for how decisions are made, how the team resolves conflict, and how members communicate with each other and their managers

Use this 1:1 time to get a holistic understanding of your team and program needs
Start by keeping the focus on how you can improve things for your team. Open-ended questions can help you know where each person is focusing their energy and what gaps might exist. Try asking the following questions:

• What do you think is working?
• What do you think isn’t working?
• What’s missing from your day-to-day?
• What can be done to improve your job or your ability to perform your job?

After you have an understanding of their individual needs, dig into your program: Where have investments been made across all the different disciplines and capabilities in security?

• What is missing:
  • With documentation?
  • What people are missing from key roles?
  • Which processes do you think are missing?
  • What technology do you think is missing or waiting to be purchased?
• What capabilities are in place across products, business units, or locations?
• How mature are those capabilities?
• How was the program communicated to boards in the past? Executive team? What frameworks were used and why?

Get to Know Your Department

Looking at your department as a whole will help you further connect the dots on everything you have learned so far

Understand Budget and Metrics
Now that you’ve gotten in the weeds with your individual team members, it’s time to look more broadly at your department. Understanding your budget and processes will further support your ability to draw conclusions about the strengths and opportunities for your security program.

• Consider analyzing past assessments, time allocation, and budgets:
  • What type of assessments were performed?
  • How much was budgeted for the assessments?
  • How much budget was allocated for remediation?
  • What is favorable in the budget – CapEx or OpEx?
• Work with your team to understand the project intake process and how to align to finance:
  • Every budget has limitations – what are yours, and what opportunities do you have to change those limits?
  • Solicit input on how best to influence on budget needs, translating technical risks into business risks

Hold the First Security Department Team Meeting
New leadership may bring apprehension to your team. Consider carving out time during your first few weeks to introduce yourself and listen to your team as a whole.

• Share your role and your hope for what you can accomplish together
• Let your team know your process getting up to speed and ask for help continuing to do so
• Share some of your lessons learned you’ve had so far from your 1:1 meetings
• Express how you want to work with the team and preferred methods for communication
• Share your plan for future team meetings and what you want to hear from them – and be sure to ask them what they want to see and expect from you

Stay tuned for Part 3 in the coming weeks. And be sure to follow us on LinkedIn to get a first view of our upcoming blogs, resources and events.

Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.