Ebook First 90 Days As CISO 9 Steps To Success
You’re the Chief Information Security Officer for your organization. What you do in the
first 90 days will lay the foundation of your success, or failure. It is easy to choose wrongly
from the list of competing priorities, and regardless of the organization, there will be
emergencies that you will need to handle.
Having clearly defined steps laid out for you can help you seize the opportunity and put
into place a cyber security capability that will enable the success and growth of the
organization that has trusted you with the CISO role. In the contemporary business environment,
a well-run cyber security program will enhance the earning power of the organization.
The following steps will also allow you to take advantage of the willingness of the business
to undergo a digital transformation, taking full advantage of how digital technology can
both accelerate a business plan and reduce the cost of running the business. You’ll have a
lot of research and questions up front, so roll up those sleeves and get ready to dig in!
If your organization has a Chief Privacy Officer, spend some time with them to understand how your organization meets the
needs of current and emerging privacy regulations - otherwise your Chief Legal Counsel is likely the best person to inform you
on these matters. If your organization has a Chief Risk Officer, or internal audit function, spend sufficient time with them to
understand the risks that your business faces as it operates, and the challenges it has from existing laws and regulations.
Try to arrange a meeting with the members of the Board of Directors’ audit committee if the organization is publicly traded. If not,
a meeting with your Chief Financial Officer will be extremely important to understand the organization’s finances and cash flow.
Meet with your Chief of Human Resources to understand the employee life cycle and how the organization manages disciplinary
issues. Lastly, meet with your Chief Information Officer, and begin to work with this person to lay out the separation of duties
and responsibilities that your two organizations will have as the basis of their governance. Get an understanding of the technology
stack. This person will be a key partner in your success, and it is essential that you reassure them that you want to help them
succeed too.
Does the business sell to the US government, and if not, is that in the plans?
Does the business have a digitalization strategy, and if so, has it begun to execute on it?
Does the business track custom customer requirements? If not, why? If so, how?
How aggressive is the business in pursuing trademark infringement? Why?
Has there been a data breach in the last five years? If yes, get details on what happened and how it was handled.
Other than the pandemic, has the business needed to execute either its disaster recovery plan or business continuity plan?
If so, what were the lessons learned, and how much has been done to address them?
What does the business view as its critical assets, and how are they valued?
Is the business the custodian of its customers’ personal and private information?
Has there been a formal risk assessment performed, and if so, can you see both the report and the inputs to the report?
“ Boards all want quantitative risk measurement in dollars, like the other areas in the company. ”
IBM recommends the following approach in their Cost of a Data Breach report.
When you sit down with your team, spend more time listening than talking.
Ask them about their understanding of their roles and responsibilities, and how they relate to other teams in the organization.
Find out from them their perspective on how those relationships are working and what they think can be improved.
Ask them for their critical assessment of each capability and tool they use in their jobs.
Ask for both performance and effectiveness metrics.
Meet with your peers in Engineering and IT to discuss processes and technology that overlap with your team's scope. Get a good
understanding of the Software Development Life Cycle and how engineering projects are managed. Get a good understanding of
how inventory is managed through the technical life cycle. Make certain that you understand how each of them evaluates third-party vendors.
Ask for documentation and pay careful attention to both gaps in documentation and to lapses in keeping documentation current.
Sit down with each member of your staff and discuss their career goals. Ask them how they think you can help them achieve
those goals. Discuss desired training, and what opportunities they’ve had for training in the past. Take the time to explain to
them how cyber security is essentially a problem of time, and discuss opportunities for automation across the organization.
Meet with human resources to learn about career paths that are set up for your team’s growth. If this doesn’t match the goals
of your staff, ask human resources what kind of flexibility they have to redefine those career paths.
All of these strategic choices on where to outsource and where to insource expertise allow you to focus on building business value.
The Gartner Market Guide for Managed Detection and Response Services recommends:
“ Use MDR services to add remotely delivered modern 24/7 security operations center functions in a turnkey approach when
there are no existing internal capabilities, or when the organization needs to accelerate or augment existing capabilities.
Assess how the MDR provider’s containment approach can integrate with your organization’s policies and procedures. ”
Ensure the MDR provider’s technology stack fits well with your existing security controls and IT environment, from on-premises
to cloud.
Use MDR providers that have experience with use cases appropriate to your organization’s size, location and industry
vertical. Use any unique challenges in your industry vertical to differentiate potential providers.
Consider managed security service providers that offer MDR services when security technology and device management,
and compliance use cases are required. Data residency requirements may also drive consideration of an MSSP over an
MDR service provider.
Prioritize projects that bring automation and intelligence into the organization. Consider a modern XDR solution that includes
extensive Response Automation that greatly reduces the manual effort and burden of ongoing threat protection, or consider
outsourcing this to an MDR provider.
Also begin a regular cycle of educating and communicating about cybersecurity to your entire organization. Don’t focus on the
problem, but encourage partnership, engagement, and the fact that you all succeed together.
Look for security champions within other parts of your organization. If none exist, create a security champions program where
you reward people for their engagement. Never focus on the mistakes but do encourage everyone to report when things go wrong.
You have built an organization that is empowering the growth of the enterprise and
partners with your peers within the organization to help them achieve their goals and
objectives through integrating security into their own organizations. You measure your
successes and failures and use those measurements to drive improvements within your
organization. While you still have both strategic and tactical goals ahead of you, selecting
good partners to augment your capabilities with the skills of an industry will help you
do more than achieve your goals and objectives. You'll be helping the business achieve
its goals and objectives.
Congratulations, you are a CISO who is well on the way to being the
trusted business advisor for cyber risk management!
visibility and protection, regardless of the security team’s size, skill or resources and without the need for a
multi-product security stack. It does so by natively consolidating the essential security technologies needed
to provide organizations with comprehensive threat protection into a single, easy-to-use XDR platform;
automating the manual process of investigation and remediation across the environment; and providing a
24/7 proactive MDR service - monitoring, investigation, on-demand analysis, incident response and threat
hunting - at no additional cost.
[Figure: XDR platform components - Response Automation; Automated Investigation; User Behavioral Analytics Rules (UBA Rules); Network Detection Rules; Automated Remediation; Autonomous Breach Protection; Deception; Custom Playbooks; Incident Engine; 24/7 MDR; Attack Reports]