6 First Steps for a New CISO

December 14, 2020  Jeremiah Gibber

Congratulations on your new CISO job. More than a job, it’s a calling to defend the organization on the front lines of cybersecurity, in one of the greatest struggles of our time. You’ll have an opportunity to rebuild the security infrastructure organization, be a respected member of the management team consulted by the board of directors, and most likely, get the budget you need. Oh, and at any time you could lose your job for a major security failure – and perfect security is impossible to achieve.

At RiskLens, we’ve had the good fortune to work with many successful CISOs, and here’s what we’ve heard are some first steps you can take to lay the groundwork for a great experience as a Chief Information Security Officer:

1. Understand the key sources of business value

It sounds obvious, but security priorities ultimately fall out of the need to keep the cash flowing. What are the applications, platforms, customer databases, intellectual property or other crown jewels that are critical to the continuing profitable operation of the business? To put it another way, your job is to protect the business from material harm from a cyber event – so know where a cyber event would cause the most harm.

2. Understand the top cyber risks

Whether from high frequency of occurrence, high magnitude of impact, vulnerability of controls, or other factors, there’s a pack of more probable, more expensive risks lurking out there in cyberspace that you need to know because they will help shape your security strategy. RiskLens can help here: In a few days, our crack services team can organize a data-gathering risk-identification workshop, then run a Rapid Risk Assessment on our platform to generate a ranked list of risks customized to your organization.

Read more: How to Quickly Assess Your Organization’s Top Infosecurity Risks

3. Understand the threat environment 

Yes, the threat history feeds into point #2 but more than a data point, the organization’s previous experience with cyber events – and what they read about cyber events at their peers -- will condition their current expectations. Get well-informed on what’s going on internally, within your industry and globally and be ready to report on:

  • Global cyber-related financial and data losses
  • New cyber breaches and lessons learned
  • Trends in ransomware, zero-day attacks, and new attack patterns
  • Cyber threat trends from ISACs (information sharing and analysis centers)

 Read more in the NACD Board Talk blog.

4. Understand the current portfolio of cybersecurity controls and other investments

Chances are your new company is following a framework or controls checklist – NIST CSF, CIS, NIST 800-39, ISO 27001, HITRUST --  that explain how the security program has been run historically and will continue to guide to some extent how you prioritize your program.  So, a good early step is a security rating or maturity assessment of current controls by an auditor or consultant. As we like to preach at RiskLens, it’s a necessary but not sufficient step—ultimately, you’ll want to evaluate controls for their capacity to reduce risk in financial terms, through quantitative FAIR analysis.

5. Understand how cybersecurity and risk management fit into the broader organization

Direct and dotted lines of reporting, of course, tell you a lot: How does your job connect to the CEO, CFO, CIO, Chief Risk Officer, Chief Compliance Officer, etc. How has cyber risk management been incorporated into enterprise risk management (or not). Who gives direction on risk appetite and other policies and governance?  What about board reporting – Audit Committee, Risk Oversight Committee, IT Oversight Committee? What are the regulatory requirements that will often jump to the head of the line for your project list?

 6. Understand what’s coming around the corner 

Every large enterprise is undergoing rapid change and disruption, whether via digital transformation, competitive shifts, etc, and you need to quickly get on board with the initiatives and investments that disruption has triggered before they accelerate out of reach – they could be new products or platforms or even M&A. Can you say “DevSecOps”? You should establish early “security as an enabler,” advised Shelley Leibowitz, Board Member E*TRADE and MassMutual, at the recent FAIR Conference, “rather than security as a hindrance… security has to be embedded in the front end of everything you do and you have to think of it as a core part of your strategy or it will be the business ploughing ahead and security saying ‘no’ and that’s a losing proposition.”

Learn more about how RiskLens and quantitative cyber risk analysis power CISO success.