Top 5 First Strategic Steps for a New CISO

A CISO starts a new role every 17 months on average. Each time, the CISO must get a strategic and tactical bearing on the new role, the company and the security program and, more importantly, build credibility with the board and C-suite. This article focuses on the strategic priorities that lay a strong foundation for success.

Understand the Business

The CISO’s job is to understand the business and its crown jewel assets: how it generates revenue, what gives it a competitive advantage, how it makes and keeps customers happy, and how it keeps control of its operations and regulatory commitments. These are central to the security strategy. If a CISO doesn’t align protection goals and security strategy to them, they will have a very challenging time relating to and influencing the board. The security story should start with protecting these assets, beginning with the most basic protection and ratcheting up security capability to defend against more and more capable threats. Since each step up in protection costs more, the CISO can pitch cost-calibrated and justifiable budget options to executives. That, as it turns out, lets executives choose a risk appetite and, in turn, lets the CISO get on with building out to an executive-chosen and executive-funded protection outcome. An excellent starting point for crown jewel discovery is the annual reports of the company and its competitors; internet research often uncovers analyst and investor reports as well. This is the foundation of the protection strategy: it defines what we prioritize protecting when we apply security controls.

Know Your Stakeholders

A CISO has numerous stakeholders, from the board and executives to operations and customers. To be successful, a CISO must align their protection goals and strategy to solve their stakeholders’ challenges, or at least not make those stakeholders’ objectives more expensive or difficult. Once you have a good understanding of the business from initial discovery, it’s time to engage stakeholders. A bottom-up approach is strong because it gives you granular knowledge that becomes more valuable as you later engage more senior stakeholders; it makes clear that you have done your homework and can be a good partner. First, understand the challenges from the perspective of risk, compliance, audit and business continuity. Then engage IT, HR, Finance and Facilities. Then Legal and the executives. Link these perspectives into the crown jewel model of the organization. This way, you can develop a top-level crown jewel protection strategy for the board and executives, together with an interlinked set of challenges and concerns from the operational stakeholders. Next, we’ll want to link this to our opportunities to apply security and gain protection.

Know the History of Your Role and Associated Roles

Engage your predecessor (if possible) or ask HR about your predecessor and their challenges. In addition, ask your team and, most importantly, ask your stakeholders. You want to discover, without being subjective or heavy-handed, what was perceived as positive and negative, as a success or a failure, and what the key challenges and opportunities were. What can we learn and leverage to make the best outcomes possible? You want your stakeholders to know that you want to understand their needs and that you intend to focus on helping solve their challenges rather than being an obstruction. You want to show that you understand, care and can be pragmatically engaged at any time to solve business problems, and that you will do so in a way that doesn’t disrupt business outcomes, operations or personal agendas. In fact, you want to be perceived as an advantage in achieving their business and personal objectives.

Know Your Working and Total Budget

Security budgets are very often nebulous. It’s not clear what the current working budget is, what is tied up and what can be repurposed. And that’s just the tip of the iceberg; what often goes undiscovered is the iceberg under the waterline. This is the historic “run” or operational budget, the rolling snowball that accumulates year over year. You want to get a handle on that. It’s not necessarily easy at first glance, but there are a few approaches you can take to at least sketch it out. Approach the lead for each control and have them approximate how much human, technology, vendor and peripheral (e.g., travel, pizza parties) time is spent and what it costs. As they typically won’t know precisely, ask them for a floor and a ceiling number. You can aggregate these into estimates of total security cost. A chunk of this spend may be wasteful, perhaps a big slice of it, and you’ll want to include it in your larger budget plan as money that can potentially be repurposed. You want to show that you don’t just want more money; you want to take control of all investments, easily visible or not. You can then run security with a zero-sum budget and justify every bit of it.

Know Your Commitments and Requirements

Your security plan is going to include what you want to do as well as what you have to do. These aren’t always the same thing. But if we can strongly link the two, particularly in spending and resource utilization, then we can show shrewd use of investment and resources, a sort of 1+1=3. Commonly, there will be security framework or regulatory commitments. Even though these are often more of a distraction from delivering actual protection of business assets, the CISO is still accountable for delivering the security tasks necessary to achieve them. Let’s call this the compliance strategy. Previously we introduced the protection strategy. It benefits everyone to link the protection strategy and the compliance strategy tightly into a single security strategy. That is, the CISO pitches, and leverages, investment to achieve quantifiable levels of protection of crown jewels against given levels of threat capability. Further, the CISO pitches, and leverages, investment to achieve framework and regulatory commitments. Collectively, these can be blended into a unified security budget that achieves both, eliminates duplication of effort and maximizes economy of scale.

First Steps for a CISO

By pulling these strategic dimensions together, the CISO can socialize, justify and defend a robust security strategy that solves board-level problems, gains and maintains the support of key business stakeholders, and achieves results cost-effectively. This is the foundation of the modern CISO.


Douglas Ferguson

Douglas Ferguson, a security professional of over 20 years, is the Founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized operations build that to plan and on budget. Prior to Pharos, Ferguson was with Barclays Bank in London, where he was responsible for numerous security programs and initiatives across more than 40 countries. Previously, Ferguson was a Managing Consultant and researcher on the acclaimed X-Force at Internet Security Systems. He delivered security services to more than 200 clients globally and was a co-creator of the breakthrough System Scanner technology.
