The First 100 Days in A CISO’s Life — Biggest Mistakes and Best Quick Wins
Landing a Chief Information Security Officer job can be quite thrilling and, at the same time, overwhelming. The first three months of a new security chief’s life are highly significant. As in any leadership position, how you begin can make or break your standing within the company.
When you approach your new role with a strong strategy, you’re bound to enjoy success.
This topic was supposed to be discussed at COMMAND CONTROL 2020, GERMANY.
The Role of a CISO
Though information and communication technology is one of the core aspects of cybersecurity, the role of the CISO goes beyond just managing technology. The CISO wears several hats, with communication being a crucial skill. An effective CISO must be a good communicator, a manager, and an effective leader.
The first 100 days as a Chief Information Security Officer (CISO) are often considered the “honeymoon” period. Having a solid strategy, and then a plan, will lay the foundation for a robust security program and for a personal brand of credibility and leadership. There’s no way to avoid this: if you are to last in this new position beyond the first 100 days, you must manage the daily emergencies and meet the organizational expectations.
According to Tom Scholtz, the vice president at analyst firm Gartner, it is during this period that you establish your credibility and the perception that others will associate with your subsequent actions and plans. The first step is to set up and preserve relationships with the major partners and influencers. The next step is to express and communicate your agenda for security effectively. Later, you identify two essential projects that you can complete or start in the first three months. You can then specify other projects that you can take on in the next twelve months.
Reality Vs Expectations
There is a major disconnect between the expectations that many people have for the role of CISO and the realities of the job. Many organizations seem to think that hiring a CISO is a silver bullet for solving all their security problems. In reality, the role of CISO is much more complex and difficult than most people realize.
The responsibilities of a CISO include: developing and implementing security policies and procedures, overseeing risk management, conducting vulnerability assessments, developing incident response plans, conducting training and education programs, and monitoring compliance with security regulations. It’s a daunting task to oversee all of these areas effectively, and it’s virtually impossible to do so without adequate resources.
Most often, the reality a new CISO finds on arrival differs from his expectations. Most CISOs complain that what they see upon starting the new role and what they were promised during the recruitment process are two different things. Several factors, on the side of both the organization and the CISO, may contribute to this disconnect and misalignment.
Thus, it is expedient that both parties attempt to clarify misunderstandings and engage in some healthy self-evaluations focusing on “broken promises”.
Bad Moves
There are a lot of potential bad moves that a CISO can make, but here are some of the most common and damaging ones:
Failing to Understand the Business
A lot of CISOs come into an organization with a purely technical background, and failing to take the time to understand the business they’re now protecting is one of the quickest ways to become ineffective. You need to understand not only what your company does, but also how it makes money, what its key assets and vulnerabilities are, etc. Without that understanding, you’ll be hard-pressed to make decisions that align with business goals and objectives.
Reliance on Technology over People
Technology is obviously a critical part of security, but it is not enough. A CISO’s reliance on technology over people is bad because it can easily lead to a false sense of security.
When relying too heavily on technology, organizations often forget the most important part of their security plan: the people. Technology can only do so much, and human error is often the biggest security risk an organization faces. Security solutions that rely too heavily on technology can be easily circumvented if employees are not properly trained or if they do not understand the importance of following security protocols.
Additionally, when something goes wrong with technology-based security solutions, it can be difficult to fix quickly. This leaves the organization open to attack for longer periods of time and increases the chances that confidential data will be compromised.
Trying to Do Too Much
One mistake to avoid is trying to do too much at once. The role of a CISO is naturally demanding without you adding to it. A CISO has to build and oversee the wide-ranging security function of an organization such that the organization is shielded from internal and external threats, demonstrate measurable ROI, and incorporate strategies that align with the priorities of key stakeholders and the business cycle.
The CISO title has been abused and overused to the point where it’s becoming meaningless. Attempting to do everything makes you a bottleneck. Information security is a team sport, and the CISO should be primarily focused on strategic vision and leadership, rather than being bogged down in the operational details. It’s important to have someone who understands the technical aspects of security, but that person should report to the CISO, not be the CISO themselves.
Having a Negative Mindset
Avoid having a fatalistic mindset, as this will weigh you down. Thinking that technical issues will always win out will reduce your role to a mere firefighting approach. Having a defensive mindset will only breed defensive attitudes, which are difficult to overcome once started.
CISOs with a negative mindset can be a huge liability for their organization. A negative mindset can lead to tunnel vision, pessimism, and fear-based decision making.
All of these things are detrimental to good security practices. Tunnel vision leads to a lack of understanding of the big picture, which can make it difficult to see potential risks and vulnerabilities. Pessimism breeds a culture of doubt and insecurity, which can lead to hesitancy when it comes time to make decisions that could potentially improve security posture. And fear-based decision making can often result in knee-jerk reactions that do more harm than good.
CISOs with a positive mindset, on the other hand, are much more likely to be proactive.
Blaming Others
One of the biggest mistakes a new CISO can make is to place blame on his predecessors. Avoid the blame game as much as possible, as this sets a negative tone for your security program.
On the other hand, CISOs sometimes blame employees for data breaches, but the reality is that bad employees are a small minority of the workforce. In fact, research has shown that the vast majority of employees are honest and trustworthy.
Things to Consider to Realize Big Wins in the First 100 Days
A CISO should prioritize the establishment of good cyber security hygiene within their organization in the first three months. The following are tips for securing big wins in the first 100 days of being a security leader.
Make Preparations
There are a few things that a CISO should do in order to prepare for a new role. Firstly, it is important to understand the company’s business model and industry.
The more information you have about your current position, the better equipped you are to tackle challenges and emergencies. You don’t have to wait until you officially start before you prepare for that job. Never approach your new role with an impromptu attitude. Find out which security initiatives have worked in the past and which ones haven’t, and if there have ever been cybersecurity breaches.
Assess the Organization and Risk Status
A CISO’s primary responsibility is to mitigate an organization’s cyber risks, in alignment with the company’s risk appetite. In order to do this effectively, a CISO must have a deep understanding of cyber risks and how they can impact the organization.
There are many different ways to gain this understanding, but one of the best is to simply get hands-on experience with as many different types of risks as possible. This can be done by taking on additional cybersecurity roles within the organization, or by working with other CISOs and security professionals to learn from their experiences. In addition to gaining experience, a CISO must also stay up-to-date on the latest threats and cybersecurity trends. This can be done by reading industry news, attending
Take an inventory of the overall security status of the company with a digital footprint and run an early penetration test on the key systems. Implement direct communications to build strong relationships. Find out what is working and what isn’t working for the security program of the organization. By gaining information about the vulnerabilities and threats of the organization, the CISO can take proactive measures to assess and tackle security challenges.
Start Developing your Security Strategy
A CISO’s job is to develop a security strategy for an organization. This involves understanding the organization’s business, its risks, and developing policies and procedures to mitigate those risks. A CISO also needs to be able to communicate with senior management about security issues and how they may impact the business.
One of the very first things a new CISO should do is craft a detailed, achievable security strategy. This will be your roadmap for realizing big wins in the first 100 days and beyond. Without a well-defined plan, it will be difficult to measure success or allocate resources effectively.
Make a rough draft or outline of your agenda for your first 100 days and put all the information you have gathered to use. Share your knowledge with your team and hire additional resources if necessary. Ensure you have a team of experts who can cover your weaknesses. This is the time to strategize and establish your credibility as a security officer.
Engage Executive Sponsors and Key Stakeholders
It’s critical to get buy-in from senior leadership on your security strategy. They need to understand the risks and value of the investments you’re proposing. Once you have their backing, engage other key stakeholders across the organization — including business leaders, IT, legal, and HR — to ensure everyone is on board.
You can engage your executive sponsors and key stakeholders by providing them with a cyber risk summary that is tailored to their level of understanding. The summary can include statistics on the frequency and severity of cyber incidents, as well as the potential business impacts.
You can also highlight specific cyber risks that are relevant to your organization, such as the loss of customer data or the disruption of business operations. And you can describe how your organization is addressing these risks through preventive measures and incident response plans.
Executive sponsors and key stakeholders will appreciate having a concise overview of your organization’s cyber risk posture, and they will be more likely to provide support for initiatives that improve cybersecurity resilience.
Make intelligent decisions and act on them. This is the time to implement all that you have learnt to deliver visible results. Get the board’s support by actively engaging in board discussions with a view to providing the information needed to ensure success. Underline early wins and challenges, ensure the participation of key partners and influencers, participate in existing projects, set budgets, and redefine your team.
Furthermore, a CISO can get a mentor with relevant security leadership experience to guide him or communicate with his predecessors for guidance.
Act and Measure
KPIs (key performance indicators) for a CISO vary depending on the specific security needs and priorities of the organization. However, some potential KPIs for a CISO could include measures such as:
- The number of successful attacks prevented or mitigated
- The number of vulnerabilities discovered and fixed
- The percentage of systems that are compliant with security policies
- The amount of data lost or compromised as a result of cyberattacks
- The time it takes to detect and fix security incidents
- The ROI (yes, the ROI!)
Conclusion
The first 100 days of a CISO’s job can make or mar his success. As a new CISO, it is important to remember that the first three months are highly significant. As in any leadership position, how you begin can make or break your standing within the company. If you approach your new role with a strong strategy, you’re bound to enjoy success. Remember, set yourself up for long-term success by taking things slow in the beginning and building relationships with other departments. Do not try to do everything at once — that will only lead to burnout. Focus on developing your security strategy and implementing changes gradually; this way you’ll be able to make an impact and stay in your new role for years to come!
Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
By Magda Chelly
Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
Find out on magda-on-cyber.com
Awards
- The IFSEC Global influencers in security and fire 2021
- Top Women in Security Asean Region 2021 Awards https://www.asiapacificsecuritymagazine.com/winners-and-judges-of-the-top-women-in-security-asean-region-2021-awards/