At the helm of a business’s overarching security strategy is their Chief Information Security Officer – a key C-suite role responsible for assessing, planning, and maintaining the safety and digital growth of the enterprise. With the surge of cyberattacks across all industry verticals, more businesses are hiring CISOs to help step up their offense and defense against threat actors.
CISOs ensure the safety and continuity of a business’s operations and data. CISOs are constantly reevaluating their strategy based on the fluctuations of the threat landscape and, in tandem, adjusting how the business monitors and responds to potential attacks. With such work ahead and so many facets of cybersecurity to consider, new CISOs joining a business need to have a plan in place so they can maximize their resources and effectiveness.
The cybersecurity domain is a vast one, so having the right ramp-up strategy can help a new CISO identify main priorities and get started on achieving their goals. For CISOs joining a business, the first three months are significant in establishing credibility as well as a path forward for the business’s security posture. This post outlines a ramp-up strategy structured in five key phases CISOs can use to ensure their first 90 days are successful.
1. Discover | Get to Know the Organization and People
New CISOs on the job will seek to understand their company, identify key subject matter experts, and most critically, take time to listen and learn to those they speak to. Intel is a new CISO’s best friend – the more information collected about the company, the better. To perform a valuable discovery, CISOs may ask questions like:
- What cybersecurity processes, technology, and teams exist? Where does the cybersecurity program stand, if it exists?
- What cybersecurity-related challenges does the company face currently? Are the roadblocks or reasons for these challenges identifiable? What is the frequency and/or scale of these challenges?
- What is business critical and must be protected first? This may include intellectual property, customer databases, how revenue is generated, and critical project data that fall under regulatory compliance controls.
Each business is going to have a unique mission, vision, and industry-specific security requirements that need to be taken into consideration by a new CISO. Most of the discovery phase will require CISOs to get to know the security leaders and teams. By holding interviews with these key roles, a new CISO can start to understand where they stand in overall cybersecurity strategy itself, learn about the security culture of the company, and develop the scope and expectations of their work.
This ensures stakeholders, leadership, and security staff all see what the tenure of the CISO will look like going forward. Building these relationships early in the onboarding process is invaluable to creating trust and establishing a new CISO’s personal commitment and identification to the business’s security values.
2. Assess | Identify and Measure Processes, Gaps, and Opportunities
In the assessment phase, things will get much more granular for a new CISO. This is when CISOs will need to start understanding the current maturity of the company’s security strategy and identify what is and isn’t working in terms of people, process, and technology. Typically, new CISOs will conduct formal security assessments to measure and review:
- Strengths and gaps in the current strategy and security program activities
- What industry and business-specific risks exist and how they are currently being avoided, transferred, mitigated, or accepted
- Any captured metrics showing data security and privacy practices that are tied to the company’s goals and objectives
- Tools and solutions in use, what the company’s security tech covers, and how well they are deployed and managed
- Past performance and responsiveness to cyber incidents, recorded benchmarks, and any incident response or business continuity plans
When it comes to understanding the organization’s attack surface, CISOs often employ inventory discovery tools capable of scanning entire networks to locate connected IoT devices as well as protected and unprotected endpoints. Tools like this enable a new CISO to work efficiently to start reducing risk – a core responsibility linked to most company’s business goals.
The other aspect for new CISOs to consider in the assessment phase is to take note of recent threat intel gathered by the cybersecurity community. A new CISO will take into consideration new and developing cyber breaches, global and industry-specific threat trends, documented tactics, techniques, and procedures (TTP), indicators of compromise (IoCs), zero-day vulnerabilities, and attack patterns to inform their initial security assessment.
3. Plan | Build the Plan and Prioritize the Goals
After conducting their own security assessment and analyzing the data, a new CISO’s next step will be to draft the strategy or upgrade an existing one based on their findings. A holistic cybersecurity strategy typically showcases:
- A detailed analysis of findings based on data gathered in the assessment phase. This may include year-over-year statistics, security metrics and how they are related to business objectives, as well as overviews describing both sufficient and insufficient areas of the existing security strategy.
- A roadmap including both short-term goals and long-term initiatives. Short-term goals will focus on areas of security that most urgently need to be addressed or remediated. Goals and projects on the roadmap will be accompanied by measurable outcomes, metrics, and a budget.
CISOs lead the business’s security program by developing and deploying company-wide initiatives that firm up policy frameworks and help spread awareness about the importance of secure work practices. New CISOs coming into a business will usually frame their initiatives around the company’s overall goals. This may include, but is not limited to:
- Improving the customer’s experience – When customers engage with businesses, they trust that their user data and digital records will be secured and handled appropriately. CISOs need to build their strategy with customer needs in mind and ensure that transactions and data management and storage are in line with industry-specific compliance requirements.
- Increasing operational efficiency – Businesses will rely on their new CISO to keep up with new, leading-edge technologies and solutions that may help with automating operations and staying ahead of cyberthreats. CISOs are also expected to embed incoming cyber intelligence into the rolling strategy, keeping the latest threat vectors, attacks, and cyber trends at the forefront of planning efforts.
- Driving growth – CISOs play a significant part in driving consistent business growth. When the business builds cyber resilience and has strong defenses in place, it can focus on other areas of operation. CISOs help their business embrace digital adoption to safeguard networks and sensitive customer and employee data. Any policies, frameworks, and technology a new CISO implements should support other business units in working more efficiently and safely.
- Reducing risk – Threat intelligence helps build secure operations. When developing a new cybersecurity strategy, CISOs will need to factor incoming threat intelligence into their risk management plans and install the right defenses needed for the business to continue operating successfully in the age of hyper connectivity.
A crucial part of this phase is communicating the proposed strategy to stakeholders and obtaining buy-in and agreement on the priorities identified. The strategy’s direction and goals, as well as headcount, financial requirements, and schedule, will need to be approved by the business’s leadership before it is rolled out to the rest of the security directors and managers.
4. Execute | Measure and Communicate Progress and Wins
Successful execution of the new CISO’s cybersecurity strategy requires consistent measurement of the baseline metrics approved in the planning phase. CISOs will lead the effort in setting clear expectations, capturing accurate metrics, and demonstrating progress towards the goals and initiatives.
Regular reporting is a key responsibility new CISOs will need to meet. Reporting should show a portfolio of security metrics and status updates on the development towards all goals on the roadmap. Reports will show evidence of the strategy’s success and highlight any recent wins and emerging challenges while providing an explanation of the tactics or technology used to address obstacles.
As the security landscape evolves, CISOs will also need to adjust their roadmaps at regular intervals and communicate changes to both stakeholders and security initiative leaders. Long-term goals on roadmaps are often subject to changes in business objectives, budget, and both internal and external factors.
5. Maintain | Review the Plan and Iterate for the Future
New CISOs manage their resources to focus on tangible accomplishments – more initial success early in their tenure builds credibility, leading to more buy-in from stakeholders and adoption by directors and managers. This is the positive cycle for improving the security posture across the business. Often, information security is assigned as a responsibility of a few security leads, which creates gaps in knowledge across a business’s various departments. Security is a shared responsibility across all employees in an organization, with the CISO upholding regular awareness campaigns and building support systems.
Once the strategy is put into motion, a new CISO can start to focus on keeping the security of the business as agile as possible. As cyber trends continue to fluctuate and new intel comes in, new CISOs must evolve their plans to meet future requirements of the business. New intel and research give rise to opportunities for improvement and the CISO will spearhead the effort in making the business more adaptable and responsive to the ever-changing threat landscape.
A significant part of this evolution includes enhancing the in-house security team and technology. CISOs will work with other parts of the business to ensure that new hires and promotions are in alignment to the growing cybersecurity strategy and that an appropriate training and ongoing cyber education program are in place to support the growing team.
Chief Information Security Offers are a critical pillar in a business’s defenses. New CISOs transitioning into an organization will have a lot to account for, even if there is already a cybersecurity strategy or program in place. Having a set of clearly defined steps can help new CISOs plan and execute their work in a streamlined manner and make best use of the first 90 days of their tenure.
The ramp up strategy described above can help new CISOs move their company towards a stronger security posture. The five key phases – discover, assess, plan, execute, and maintain – serve as a broad outline that newly appointed CISOs can use to start planning and executing on their vision for security. For more in-depth guidance, SentinelOne offers free ebooks for new CISOs including 90 Days | A CISO’s Journey to Impact – Define Your Role and 90 Days | A CISO’s Journey to Impact – How to Drive Success.
CISOs around the globe have partnered with SentinelOne to augment their security vision and safeguard their critical data. As new CISOs begin to pursue security resilience, shore up urgent vulnerabilities, and implement long-term initiatives such as endpoint protection, cloud security, detection and response capabilities and more, SentinelOne’s industry experts are on hand to assist CISOs as they stand up their new strategies. Contact us for more information, or sign up for a demo today.