Part one of our ongoing informative blog series, “Your Blueprint for Success: The Starter Guide for CISOs,” Phil Beyer, Head of Security at Etsy, provided us with some great insight on steps a new CISO can take prior to the start of their new role. Part two picked up where Phil left off and provided new CISOs advice on how to get to know their new team. Today, in part three, we will discuss the critical need to not only understand the business goals of other executives in the company but how to build working relationships with your co-workers in order to have a successful security program.

Part 3 – Understand the Business and Build Cross-Departmental Relationships

It’s time to reach beyond your immediate team and get to know the other members of the organization that will be critical to a successful security program

Increase your Influence

Security is a shared responsibility

Set up time with your boss and the supporting Executive Team members (and potentially one step down) to understand the business. Focus on learning about the working environment, company culture, current issues, and most importantly, the other executives’ specific goals. Having this knowledge will help you prioritize your security investments and potentially provide additional budget support by spreading the required budget across different teams.

Some key questions you can ask everyone as you meet them:

• What are the company goals?
• How does your team work to achieve these goals?
• What are your goals?
• How do you measure success for yourself?
• How do you measure success for the organization?
• How do you like to receive reports and updates?
• Are there any upcoming deadlines or goals you will need my help with?

Beyond the broader questions, it’s important that you have strong working relationships with other department heads by understanding security’s impact on their specific area of the business.

The checklist below provides a starting point for you in understanding security’s impact for each department.

CEO
Goal: Understand the company’s business, operations, strategic goals, and current initiatives.

• Learn about how the organization is structured and what functional areas of the business are domestic and/or international and what areas are centralized versus decentralized
• Uncover what success looks like from the CEO and the role that security plays in the organization
• What is the Board composition and who on the Board has a technical background?
• Understand who represents how, what, and when security efforts are presented to the Board

CIO
Goal: Learn about strategic planning and upcoming initiatives.

• Ask about past incidents, events, or breaches
• What happened?
• What was the response moving forward?
• What other initiatives are upcoming that your team should know about?
• How is security and technology working together?

CFO
Goal: Understand how the security needs of the organization enable the financial goals of the organization.

• Understand how IT Audit and the security team have worked together in the past.
• What is working? What’s not?
• Understand who what, how, and when security presents the status of its program and the supporting GRC function to the Audit Committee, Board, and/or Risk Committee
• Learn about the budget cycle and how budget is determined for security.
• Understand how budgets are requested and approved
• What type of cyber liability insurance does the company have in place

CTO
Goal: Gain a thorough understanding as to the future of the product, its security needs; and the technologies that are in place now and in the future, and how they will influence security needs.

• What does the two-year product roadmap look like?
• What types of technologies are being used today?
• What types of emerging technologies do they see the company using in the future?

Human Resources
Goal: Understand HR’s approach to hiring employees and fostering an organizational culture of security.

• Ask about background checks and how they are conducted for employees and contractors
• Ask which security procedures are in place for onboarding/offboarding employees and contractors
• Determine the process for security awareness and training

Legal
Goal: Understand the alignment with organizational security risks.

• Ask about the security events over the past year – how were the CISO and the security team involved?
• How are data governance and privacy managed with the company?
• How are security controls included in contracts with third parties?
• How are data privacy and data governance included in contracts with third parties?

CMO
Goal: Learn how security is factored into the marketing plans, processes, and with third-party marketing vendors.

• How many customers are in the company database?
• How does the company communicate with its customers?
• What types of social media tools are being used today?

VP of Product
Goal: Gain an understanding as to the product’s feature roadmap and any upcoming projects that may have security implications.

• How is security integrated into the product (architecture, technical design, through the release schedule?)
• What type of IP is in place today, and how is it protected?

VP of Engineering
Goal: Understand tactically how the engineering team is using tools and the level of security awareness and preparedness they have; determine to what extent there is a culture of security among the engineering team.

• Is real data used in pre-production environments?
• What type of security issues have been found through source code reviews, scanning or pen testing?
• How is company IP protected?

Customer Support
Goal: Learn what the security workflows and issues are within the Customer Support team.

• How are support teams educated about security?
• What security access (i.e., resetting passwords, customer data) does the Customer Support team have?
• What are the common security problems seen by customers, and what metrics exist around them?
• Is Customer Support run by internal employees or outsourced?
• Is Customer Support run by domestic or international teams?

CISO Community Tips

Don’t pass judgment
These sessions are designed to listen, empathize, and garner insight into past goals and decision-making processes without passing judgment on the things you hear. Ask questions that can get to the core of a particular problem without placing blame.

Keep it friendly
Try to keep your 1-on-1 meetings casual: take direct reports to lunch or go for a walk and talk. If you’re meeting virtually, try to make it a video call so you can put a name to a face and vice versa. Use this time to establish trust within your team.

In our upcoming final portion of this series, we will summarize what we have learned so far and offer some additional resources to further assist you in this CISO journey. And be sure to follow us on LinkedIn to get a first view of our upcoming blogs, resources and events.

Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.