The beginning of a new security chief's tenure is critical. From opening lines of communication to creating a strategic plan, here are seven dos — and three don’ts — for successfully navigating a new position.
Let’s say you were just appointed to lead the cybersecurity program within a new government administration — congratulations! You’re likely excited to be a part of a new tech team with a fresh mandate from voters and a group of like-minded professionals. Or maybe you just landed a top job as a chief information security officer (CISO), director of IT security or cybermanager within a new organization.
Regardless of how you arrived at your new role, it’s an exciting opportunity. After reading a ton of material on security leadership, your ideas are set. You’re determined to be successful and fix everything you’ve been told is wrong with the current cyberteam and security culture.
Your checklist includes some “hot actions” from your new boss, an inherited mix of unhappy business clients to schmooze, vulnerable systems to patch and key staff to try to keep despite the odds. (After the first few days, you discover a few on the team must go.)
Just like the new head coach on a sports team, where you begin depends upon a variety of factors regarding your particular situation and your previous experience in similar roles.
The conventional CISO action list includes items such as: clarifying and strengthening your mandate (while assessing available resources and your evaluation metrics), building key relationships, developing your plan, building your team, establishing trust, communicating your vision and continuing your personal journey by networking with external peers.
Early questions for new cybersecurity leaders usually include: How’s the team performing? Are there key roles that must be filled? What audit findings are we committed to close? When are ongoing operational issues or incidents (such as data breaches) promised to be resolved? What projects must be completed immediately? How can unnecessary projects be stopped to focus on new priorities? Who can you really trust and depend upon?
All of these items are certainly important. Sadly, many new CISOs focus exclusively on what their boss requires, while ignoring the 360-degree relationships within security leadership that will determine if they leave a positive legacy.
Here are actions to seriously consider in the first 100 days as a new security leader.
• Assess your organizational, network and system risk status. Where’s your data? What’s encrypted? Is data backed up properly? Run an early penetration test on a key system.
• Deliver low-hanging fruit quickly and produce results within 100 days. Consider adding or improving security awareness training for end users for a quick win that builds confidence and helps the security culture. Also, close a few audit findings.
• Build the right team. Focus on talent and relationships. Surround yourself with security pros who work well together and cover each other’s skill set weaknesses.
• Have lunch with key customers and staff. Walk around and meet people on the front lines.
• Run a tabletop exercise to test your incident response plan. Be sure to include business executives.
• Start building your overall security plan, including key cyberprojects. Have an outline or rough draft completed within 100 days. This will help with budgets and buy-in from management.
• Find a good mentor with relevant security leadership experience to guide you. If possible, talk with your predecessor.
Avoid these pitfalls:
• Don’t become “Dr. No.” You’re ready to use your newly acquired security power to shut down all the bad things that are going on in your enterprise, but be careful. Despite the urge to get the hammer out, you don’t want to be known as the party pooper. Set a goal to be known as an enabler of secure technology and innovation.
• Don’t offer only one way to secure systems. Try to offer at least three options to business areas on big projects. Think gold, silver or bronze alternatives.
• Don’t stay focused internally for too long. Reach out to partners in the public and private sectors and build relationships with groups like the Information Systems Security Association, InfraGard or NASCIO to help. The MS-ISAC can even help find a mentor.