How to get a head start as a new CISO

CISOs are often ambitious individuals that have originated from working in IT in some capacity, maybe operations, risk analysis, or an IT administrator. They have been responsible for routine tasks and activities. Suddenly, as a CISO, they are being asked to lead, which can be daunting.

Richard Jones, the CISO at Orange Cyberdefense, believes the first step a new CISO should take is “to leave behind their role of functional responsibility and see themselves as strategists.”

Strategists are not responsible for doing. They are responsible for planning, evaluating, setting goals and objectives. CISOs are there to develop security strategies aligned with what an enterprise is trying to achieve as a business.

“A CISOs vision is no-longer today, tomorrow, or this week. It is about appreciating the past and anticipating the future. This requires a significant shift in mindset, which doesn’t happen overnight,” explains Jones.

Any new CISO needs to understand the current maturity and components of an enterprise’s security posture. Examine internal and external audit records, any security certifications the enterprise might hold, and what interested parties may have said about its security practices.

In addition to stakeholder engagements, these formal security assessments will help shine a light on any glaring security gaps in the security program. If there are no audits or assessments available, the CISO must prioritise one.

“It is a cliché, but you cannot plan where you are going, if you don’t know where you are.  This background information is vital to planning cybersecurity efforts going forward,” says Jones.

A CISO in any organization is there to define the cybersecurity stragey. Ultimately, that strategy starts with information technology systems, so it is crucial the CISO builds a strong relationship with the CIO and wider IT team to implement productive and secure initiatives.

As a strategist, CISOs need to look at the involvement of security in IT projects, both current, and past and how it features in overall lifecycles.  Risk management and security are at the top of enterprise agendas. CISOs and CIOs need to work together to balance business needs with risk. This includes appreciating and understanding each other’s environments.

One of a CISO’s key roles is to protect an organization’s digital assets, including business-critical data and intellectual property. But before this can be done, it is imperative to know what data the organization holds and where it lives. Is it on-premises, stored in the cloud, or with third parties?

Any new CISO must understand data flow and know exactly what users are doing with data. It is strongly recommended that CISOs have visibility into who is accessing which applications and an overview of which data is sent to applications or downloaded.

Security is not just technical competence. It touches every corner of the enterprise. Any new CISO must be seen as a leader and fully understand how cybersecurity and risk management fit into the broader organization.  Many CISOs struggle with this. The best way forward, advises Jones, is to assemble a forum from all departments, from HR and marketing to finance. Find out what their pain points are in terms of regulatory and data privacy requirements, for example.

“The CISO is there to create a security program that enables the business to be more agile and navigate its course safely. If the CISO isn’t connected to the business departments and their objectives, it will be impossible to improve the enterprise’s security posture,” explains Jones.

At the same time, the new CISO needs to look at the security culture across the organization. Is it one of high awareness or a click on anything culture?  The CISO must nurture an organization-wide mindset that recognizes that every employee contributes to a secure organization.

In a connected world where no organization can be totally protected from an attack, an effective incident response strategy is central to the role of a CISO.  A cybersecurity breach is an organizational crisis, so it is imperative to have a cross-functional team to carry out the plan. “It is important that the CISO spends time on the incident management capability and makes sure that it is strong,” explains Jones.  As well as containing the breach, it is also essential to have plans in place to manage the fallout. Communicating effectively with all those that the breach may have impacted, for example, reduces the risk of the brand, regulatory and legal damages.

As Gartner points out, CISOs are now vital enablers in digital business. CISOs are accountable for helping the enterprise balance the associated risks and benefits.[1]  “The security program is making the business more agile and navigate its course safely. The CISO is there to advise and guide. If the CISO is not connected to the business, they end up implementing processes for process sake, which may not suit business initiatives”.

“Today’s CISO must focus on today and understand the concept of business enablement, and the future will be better and brighter,” concludes Jones.

_{[1] CISOs for Digital Business https://www.gartner.com/en/information-technology/role/security-risk-management-leaders}