Becoming a company's Chief Information Security Officer (CISO) is a big responsibility. With a range of information security issues to tackle and business objectives to align with, the task of making an impact in the first 90 days might seem daunting. However, by taking a clear and structured approach to the role, it is possible to achieve a strong set of security results in the initial period and lay the foundation for future success.
Assessing your Information Security Posture and Resources
The first step for any new CISO is understanding the company's current security posture. To get an insight into existing security tools and processes, it is important to spend time talking with cybersecurity and IT teams, review existing policies and procedures and conduct a risk assessment. Once the current security posture is understood, it's then necessary to create a clear vision strategy that meets the needs of the business.
Assessing the available resources is also essential in the first 90 days as a CISO. Questions to ask include: Is there an adequate budget to implement the necessary security initiatives? Does the organization have the staff it needs to bring the security strategy to life? Answering these questions will provide a baseline understanding of the resources available and allow a CISO to plan accordingly.
Creating a Clear Vision
A successful Chief Information Security Officer (CISO) will develop a vision of what they want to accomplish during their tenure. A vision should be based on the organization's business goals, including:
- Becoming more agile and nimble
- Optimising operational efficiency
- Enhancing security controls
The goal is to align the organization's overall cybersecurity vision with the business objectives and risk appetite. This will help the CISO understand where their organization is currently, where it would like to be and what strategies need to be implemented to get there.
Developing Strategies
Once a CISO has established a vision for their organization's cybersecurity program, they can start developing strategies for achieving their goals. These strategies must be tailored to the organization's specific needs and align with the business objectives outlined in their vision.
The CISO should also consider how their strategies will help the organization address key security issues. This will include identifying the organization's most significant risks, assessing existing security controls, and developing plans to address deficiencies.
Communicating the Information Security Strategy
Once the security posture and available resources have been established, it is necessary to communicate the security strategy to all levels of the organization. A vital element of a CISO's role is creating a culture of security throughout the company, and this must start with senior management. To achieve this, it is important to emphasize why the security strategy is essential, how it ties into broader business objectives, and any value it contributes to the organization's operations.
Regular training and awareness sessions should be put in place to ensure that everyone, from the CEO to the most junior team members, understands exactly what is expected of them. It is also essential to ensure that all employees are familiar with the organization's security policies and procedures. By having a comprehensive security education program, an organization has a greater chance of preventing and responding to security incidents effectively.
Thought Leadership
The CISO should also use external channels, such as industry events and trade publications, to start placing themselves as a thought leader. This will ensure their vision and strategy gets noticed by others in the industry, as well as give the organization more credibility and trust.
Conclusion
In the first 90 days of a CISO's role, it is important to take a clear and structured approach to put an effective security strategy in place. Investing the time to understand the current security posture, assessing the resources available, communicating the security vision, and arranging necessary initiatives in place will help the CISO make an impact on the organization's security and provide a solid foundation for future success.
