The First 100 Days in a CISO's Life: It Is All about the Business
Landing the position of Chief Information Security Officer can be thrilling and, at the same time, overwhelming. There are many considerations to weigh and several mistakes to avoid. However the position was obtained, the first three months in the life of a newly appointed security chief are highly significant.
This article provides a quick overview of the key considerations, the quick wins to pursue, and the big mistakes to avoid when you accept your first CISO position.
Before accepting the offer and starting your new journey, it is crucial to understand the challenges that come with the role and the expectations attached to it. Thorough preparation and due diligence are therefore essential.
The Company
Often, when applying for a new position, we are not exposed to the company's culture and have no visibility into its habits and customs. A prospective CISO should take this seriously and do some in-depth research.
The culture of the company will largely determine the CISO's success.
If the company does not care about cybersecurity and is hiring a CISO only to satisfy a compliance requirement or a board mandate, without genuinely believing in its importance, the appointment often ends in failure. A CISO will be expected to drive culture change, but that change only succeeds with top management buy-in and proper investment in the topic.
Ask yourself the right questions:
Did the company take prior data breaches and cyber attacks seriously? I believe this is an excellent indicator. If management's response to past incidents does not match how you would have handled them, and the same management is still in place, expect friction, and possibly a setback for your career.
Does the company treat cyber risk as a business risk? Is it covered in the company's reports? For publicly traded companies these reports are public, and they disclose a good deal about the company's security posture.
Does the company have a bug bounty program? In Asia, for example, bug bounties are not yet the norm. However, the company's social media presence will tell you a lot about its approach and attitude towards hackers. #hackingisnocrime
Does the company understand the CISO's role, or does management expect a superhero who does everything around security single-handedly?
The Role of a CISO
The CISO, or Chief Information Security Officer, is a key stakeholder who supports the business and informs it about its cyber risks.
Although information technology and cybersecurity are core aspects of the role, the CISO does not merely manage technology. The CISO wears several hats, and communication is a crucial skill. The position is not equivalent to that of a chief technology officer (CTO) or chief information officer (CIO).
An effective CISO must be a good communicator, a manager, and an effective leader with a solid understanding of the business.
A CISO needs to present cyber risks to top management and the board in a business-oriented manner, with key indicators and relevant information. A lengthy discussion of cybersecurity full of technical jargon is a no-go and can be a career killer. This is one of the most challenging parts of the job. It is always about the business and how to minimize cyber risk in line with the business risk appetite. Many of us security professionals would like to implement every possible control, but that is not the CISO's role or objective. The CISO needs the understanding and experience to run a proper cyber risk management strategy: selecting the most effective and cost-efficient initiatives for the identified risks while preserving the business goals.
A useful approach is to first familiarize yourself with the current business risks and the business risk appetite. Then work backwards: analyze the plausible cyber threats that could cause each business risk already on the register, and add any new business risks that your analysis identifies.
A product recall is a good example. A recall is among the most damaging situations a company can face. With the growing number of connected devices and "smart" products, a manufacturer is now exposed to recalls triggered by cyber attacks: a lack of secure coding practices and security frameworks can allow a mass attack on devices already sold to consumers, leading to physical damage and a product recall. A traditional business risk thereby materializes through a cyber risk. This is far easier to discuss with business stakeholders, because the exposure can be expressed as a financial loss.
The first 100 days in a Chief Information Security Officer's (CISO's) life
The first 100 days are critical for a CISO. A solid strategy lays the foundation for a robust security program and establishes credibility and positive leadership. According to Tom Scholtz, a vice president at the analyst firm Gartner, it is during this period that you establish your credibility and the perception others will associate with your subsequent actions and plans.
Establishing a strategy is the goal, but you cannot start on it without understanding the business, clarifying its risk appetite and current posture, and defining the expectations for the future state.
Ask yourself the right questions:
What does the business do? What matters most to the company?
What is the current risk appetite?
What is the current security posture, and which controls are in place?
Where does the company want to be in the next few months and years?
Who are the sponsors, and who are the challengers within the firm?
The first step is to build relationships with the sponsors and influencers. They will support your initiatives and have your back in the boardroom.
The second step is to identify the significant gaps that could lead to an immediate incident or data breach, and address those as soon as possible.
The third step is to build your cybersecurity strategy in support of the business goals.
The last step is to communicate your security plan effectively, with a clear and tangible roadmap.
Reality Vs Expectations
Most CISOs complain that what they find upon starting the new role and what they were promised during recruitment are two different things. Researching the company beforehand is the best way to align expectations.
Trying to do too much
One common mistake is trying to do too much at once. A CISO has to build and oversee a wide-ranging cybersecurity function covering people, process, and technology. Delivering quick wins first earns top management's support and empowers the CISO to take on more. This requires carefully chosen initiatives and sponsors within the organization.
Having a Negative Mindset
A negative or defensive mindset breeds defensive attitudes in others, and those are difficult to overcome once established. Fear is not a good tool either. It may bring short-term results in some cases, but what matters most is changing the company's culture so that security is embedded by default as a fundamental of every operation and function.
Blaming Others
Avoid the blame game as much as possible; it sets a negative tone. Take a pragmatic approach instead: define what can realistically be achieved, and communicate it.
Conclusions
The first 100 days of a CISO's job can make or break a career. A CISO is there to support the business, and if you want a seat in the boardroom, remember that a company does not exist without customers. Making everything super secure but unusable is not the solution. You must align your security plan with the key stakeholders' priorities, business goals, and budgets. In parallel, prepare for a fire: be ready to handle a crisis. It is no longer a question of "if" but of "when", and a successful cyber attack or data breach may well happen during your first 100 days.
Meaningful change may not necessarily begin in the first 100 days, but it will happen over time with proper planning, healthy relationships, hard work, and the right business acumen.
Who am I?
I am a keynote speaker, a serial entrepreneur and a senior cyber security expert. I am currently leading the cyber business for an international Fortune 500 insurance-broking firm in Asia.
I am a strong activist for women in security, and I founded the Women of Security Singapore Chapter (WoSEC), supporting female professionals in the industry.
I am a member of the Advisory Board for the Executive Summit at Black Hat Asia, and I am the co-founder of Responsible Cyber Pte. Ltd., a Singapore-based start-up with NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as its shareholders. The company was valued at 7 million SGD in May 2020.
I have a PhD in Telecommunication Engineering from Telecom SudParis and speak five languages fluently.
My research topics have been focusing on Cyber Security, the future of localisation and positioning, education and more. My writings around cybersecurity have been featured by IEEE, RSA Conference, CYBERSEC, World Congress on Internet Security (WorldCIS-2016), CYBER RISK LEADERS Magazine, among others.
I speak about cybersecurity in general with a focus on cyber risk management, hacking and diversity and inclusion in the field.
I welcome you to watch some of my insights in a Channel News Asia documentary on the Dark Web (at approximately 18:09): https://www.channelnewsasia.com/news/video-on-demand/the-dark-web
Follow me on Social Media:
- LinkedIn: https://www.linkedin.com/in/m49d4ch3lly/
- Facebook: https://www.facebook.com/m49d4ch3ly/
- Twitter: https://twitter.com/m49D4ch3lly
- Instagram: https://www.instagram.com/m49d4ch3lly/