Published on September 9th, 2020 📆 | 1719 Views ⚑0
New CISO? Top 5 Things You Need to Know
Starting in a new role is always a challenge, and if it’s the position of a CISO, it’s likely that you have concerns. As a new CISO, early performance will be critical to success in your new role. In the first few months, you’ll be assessed by colleagues and staff, judged as to your effectiveness, and tested as you present to your C-Suite peers.
The precedent you set and first impressions you make will dictate how your organization and leadership perceives you, and this will determine how quickly you will be accepted as the captain of your enterprise’s security ship. Understanding your organization’s top two or three security related issues in your first few weeks is key as these are top-of-mind from the CEO on down and delivering quick wins will establish your initial credibility.
Here are 5 steps that will help you assume your new CISO leadership role with confidence as you start to build cyber-resilience within your organization:
1. Conduct a baseline security posture assessment
As a new CISO, one of the first tasks to tackle is getting an understanding of what the ground reality is. What does your attack surface look like and what is your current security posture?
Assessing your breach risk will involve the following steps:
- Start with getting real-time visibility into your breach risk by getting an accurate and comprehensive inventory of all IT assets used across the enterprise.
- Categorize all assets – on-prem or cloud, site, managed or unmanaged, traditional or non-traditional, IoT, BYOD, mobile and based on business criticality
- Monitor all assets across different types of attack vectors like unpatched software, password issues, misconfigurations, weak or missing encryption, expired certificates etc. and prioritize vulnerabilities based on business criticality and potential breach risk.
- Understand your cyber risk and how it is changing by business unit, by site, by risk owner, and by attack vector
- Get insight into your current security controls by first discovering everything that has been deployed and then understanding their effectiveness
While you are getting an understanding of your threat landscape, in parallel, focus on understanding the risk appetite of the CEO and the board.
2. Assess team skills and identify gaps
CISOs rely on their technical teams to help maintain and optimize the enterprise security posture. Infosec teams need to continually evolve to stay aligned with the continuously shifting threat landscape and also, they need to periodically evaluate their existing security tools to ensure that they are still effective and in use. A new CISO brings a fresh set of eyes and is in a position to spot development opportunities, skillset gaps, security personnel – tools alignment and perhaps better ways to organize for success.
3. Build key relationships, especially with IT
This is true when you start any high-level job and it’s particularly true for CISOs. Just like no single tool can solve all your cybersecurity challenges, the security team alone cannot optimize and improve the security posture. All the various business units and segments need to work together to proactively address security issues that arise. Build relationships with all risk owners in the organization and get their help with the cybersecurity mission.
4. Communicate your vision across the enterprise
Your cybersecurity approach needs to be designed to enhance the organization’s overall cyber resilience and for that, you need to focus on what matters most from both a business and technology risk perspective. Understand what the business’ security goals and risk appetite is and communicate it down to your team. Also, communicate your teams’ initiatives and projects across department lines and to other stakeholders. Start to lay out your vision and a framework for keeping the enterprise safe. What governance will be in place to keep everything and everyone on course (funding, corporate leadership, people, skillsets, integration, alignment) Communicate all this to the enterprise to keep everyone aware of your vision and operational plan.
5. Deliver key wins and spread the word
With a few early wins, you can set yourself up for longer term success. But these “wins” need to be selected carefully. Are they important to company leadership? Are these projects doable in your first six months? And will the impact of these wins be widely felt (e.g., by customers, by department heads, and/or up and down the organizational structure)? Spreading the word and reporting on the key wins is also important.
Balbix – Your Partner in Success
Balbix uses specialized AI algorithms to discover and analyze the enterprise attack surface to give a 100x more accurate view of breach risk. Balbix enables a broad set of vulnerability and risk management use cases that help to transform your enterprise cybersecurity posture. The platform also provides a prioritized set of actions that you can take to transform your cybersecurity posture and reduce cyber-risk by 95% or more, while making your security team 10x more efficient. Balbix offers you the ability to baseline your current security posture and create an operational plan to succeed in the first six months of your new job.
Following the steps outlined above will give you the headroom you need to settle into the “nuts and bolts” of your job (getting to know key players, holding meetings, building political capital, nurturing relationships, and providing effective leadership that starts to make a difference right out of the gate) and build momentum with early results.