Top 5 Tactical Steps for a New CISO

A CISO must get a strategic and tactical bearing on their new role, company and the security program they are inheriting, leading and developing. This article will focus on the tactical priorities for a CISO that will help lay a strong foundation for success. Previously, we discussed five key steps to lay an initial strategic foundation on which these will rely.

Know the Business’s Operational Surfaces

In the previous article, we introduced the criticality of understanding why, how and what the business is and does. The business operates on its operational surfaces, such as cyber, facilities, personnel, vendors and information. These surfaces are often arranged from external (public) facing to internal (non-public, or business) facing, and they are the foundation on which security controls are deployed. Because a larger breach is usually a chain of subordinate breaches, often tunneling across surfaces, it is critical that security controls are deployed as surface-wide and cross-surface latticework rather than as isolated point controls. Done well, this can dramatically increase security performance while decreasing the overall cost of achieving it. The better you understand and cover these surfaces, the better your security capability can contain a breach.

Know Your Business’s Assets

In the previous article, we introduced the importance of business and stakeholder crown jewel assets. It should be security’s goal to protect these from a security breach and its associated impact. These crown jewels typically consist of myriad subordinate operational assets such as people, information, devices, applications, networks, facilities and vendors, and these assets lie on, and even across, the operational surfaces discussed in the previous section. It is typically these assets that threats seek, or leverage and compromise, as links in a breach chain. Further, many security controls are applied directly or indirectly to these assets to contain a breach. It follows that to apply controls to these assets, there must be asset inventories that are accurate and complete, both to serve as the “in-scope” list and to gauge the cost of covering that scope. Asset inventory quality and completeness are therefore foundational to right-sizing and justifying budget, to security control quality and, in turn, to security program performance. Unfortunately, incomplete asset inventories are a top weakness of most security programs. Worse, a mismanaged asset inventory introduces measurement error downstream into every security performance metric, KPI and report built on it, and therefore into executive beliefs and expectations: a coverage figure computed against an inventory that is missing a third of the estate is not a coverage figure at all.

Know Your Control Portfolio

A CISO must combine the above, and the strategic elements, to paint a clear picture of the actual impact exposure of the business. You want to understand and answer questions such as:

  1. What security controls have we deployed? The CIS Controls (formerly the CIS Top 20) are a great starting point because they are well-aligned to “real world” SecOps deployments, teams and budget allocations.
  2. On what operational/threat surfaces have we deployed them? And are we covering all the surfaces evenly, or are we stronger/weaker on some?
  3. To which assets on these surfaces have we deployed them? And how complete is that coverage?

These will lead to a next set of questions:

  1. How is control deployment aligned to crown jewels?
  2. What controls have we overbuilt, underbuilt or forgotten?
  3. What are our strengths and greatest control development opportunities?
  4. What is our relative ability to predict, prevent, detect, respond to and recover from attacks and breaches across the asset surfaces?
  5. How well do our controls work together as a team? What are our team strengths and greatest opportunities?
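The two preceding sections, asset inventory completeness and control coverage by surface and asset, come together in a single measurement. The example below is added here and is not code from the original article or from Pharos Security; it reconciles several inventory sources (a CMDB, an EDR agent console and DHCP/AD records, all constructed sample data with hypothetical hostnames), flags assets the CMDB does not know about and stale CMDB entries no live source has seen, and then computes per-control, per-surface coverage against the reconciled inventory. Comparing the KPI computed from the CMDB alone with the one computed from the reconciled inventory shows the measurement error the asset section warns about.

```python
"""Reconcile asset inventories and measure control coverage per surface.

Added example: all sources, hostnames, surfaces and control names below are
constructed for illustration and are not real systems.
"""
from collections import defaultdict
from fractions import Fraction

# Authoritative inventory (CMDB): hostname -> operational surface.
# "legacy-01" is a stale entry for a decommissioned host (constructed).
CMDB = {
    "web-01": "external", "web-02": "external", "vpn-01": "external",
    "db-01": "internal", "hr-fs-01": "internal", "ws-101": "internal",
    "legacy-01": "internal",
}

# EDR console: hosts with an agent checked in (no surface information).
EDR_AGENTS = {"web-01", "web-02", "db-01", "ws-101", "ws-102", "ws-103"}

# DHCP/AD observations: hosts actually seen on the network, with surface.
DHCP_AD = {
    "web-01": "external", "web-02": "external", "vpn-01": "external",
    "db-01": "internal", "hr-fs-01": "internal", "ws-101": "internal",
    "ws-102": "internal", "ws-103": "internal", "ws-104": "internal",
    "lab-esx-01": "internal",
}

# Control deployment: control name -> hosts the control is deployed on.
CONTROLS = {
    "edr": EDR_AGENTS,
    "vuln_scan": {"web-01", "web-02", "vpn-01", "db-01"},
    "log_forwarding": {"web-01", "vpn-01", "db-01", "hr-fs-01"},
}


def merge_inventories(*sources):
    """Union of all sources as hostname -> surface.

    Dict sources carry a surface per host; set sources carry hosts only.
    The first surface seen for a host wins; hosts with none get 'unknown'.
    """
    merged = {}
    for src in sources:
        items = src.items() if isinstance(src, dict) else ((h, None) for h in src)
        for host, surface in items:
            if host not in merged or merged[host] == "unknown":
                merged[host] = surface or "unknown"
    return merged


def unmanaged_assets(inventory, authoritative):
    """Hosts observed by some source but absent from the authoritative list."""
    return set(inventory) - set(authoritative)


def stale_assets(authoritative, *observed):
    """Authoritative hosts that no live (observed) source has seen."""
    seen = set().union(*observed)  # dicts contribute their keys
    return set(authoritative) - seen


def coverage_overall(inventory, deployed):
    """Fraction of inventory hosts that carry the control (exact Fraction)."""
    covered = sum(1 for host in inventory if host in deployed)
    return Fraction(covered, len(inventory))


def coverage_by_surface(inventory, deployed):
    """Per surface: (covered, total, fraction) for one control."""
    totals, covered = defaultdict(int), defaultdict(int)
    for host, surface in inventory.items():
        totals[surface] += 1
        if host in deployed:
            covered[surface] += 1
    return {s: (covered[s], totals[s], Fraction(covered[s], totals[s]))
            for s in totals}


def coverage_report(inventory, controls):
    """Control -> surface -> (covered, total, fraction) over the inventory."""
    return {name: coverage_by_surface(inventory, hosts)
            for name, hosts in controls.items()}


def measurement_error(authoritative, reconciled, deployed):
    """How much the CMDB-only KPI overstates (positive) or understates
    (negative) coverage relative to the reconciled inventory."""
    return (coverage_overall(authoritative, deployed)
            - coverage_overall(reconciled, deployed))


if __name__ == "__main__":
    reconciled = merge_inventories(CMDB, DHCP_AD, EDR_AGENTS)
    print("unmanaged:", sorted(unmanaged_assets(reconciled, CMDB)))
    print("stale:", sorted(stale_assets(CMDB, DHCP_AD, EDR_AGENTS)))
    print("EDR coverage, CMDB only:", coverage_overall(CMDB, EDR_AGENTS))
    print("EDR coverage, reconciled:", coverage_overall(reconciled, EDR_AGENTS))
    print("KPI error:", measurement_error(CMDB, reconciled, EDR_AGENTS))
    for control, by_surface in coverage_report(reconciled, CONTROLS).items():
        for surface, (c, t, f) in sorted(by_surface.items()):
            print(f"{control:15s} {surface:9s} {c}/{t} = {float(f):.2f}")
```

In the constructed data the CMDB-only EDR figure is 4/7 while the reconciled figure is 6/11, and the reconciled surface breakdown shows vulnerability scanning at 3/3 externally but 1/8 internally, which is exactly the uneven-surface question in the list above. In practice the sources would be pulled from the CMDB, EDR and directory APIs rather than embedded, and the report would be re-run on a schedule so the inventory, not a one-off spreadsheet, stays the denominator for every KPI.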

A fundamental principle of war and sports is to play to your strengths and your opponent’s weaknesses to maximize your odds of the expected outcome. Ensure you can reliably handle the common attacks of the many before the sophisticated attacks of the few.

Know Your Resources

In the previous article, we discussed the importance of knowing your working and total budget. This is the key starting resource that makes your people, technology and vendor resources possible. In the previous section, we noted that you should scope out the quantity and capability level (quality) of the resources you need to [re]deploy to the necessary controls to cover in-scope assets. You will want to calibrate your existing resources to best meet those prioritized needs, and this structured approach also simplifies further budget planning and justification. To gain additional resources, they must be calibrated and justified to a result; otherwise executives will have a difficult time funding them, since security competes for relatively scarce funds with many other business units that are also pitching.

Know Your ‘Must-Haves’ and Your ‘Nice-to-Haves’

Enumerate your in-scope surfaces, assets, controls, control deployment to surfaces and assets, resources, services, products and projects.

Map these to “must-haves” versus “nice-to-haves” versus “Why do we have this?”

This will feed into the strategic plan and help prioritize budget and resource requests and reallocations, justify opportunities with current resources and justify opportunities with greater resources—or demonstrate capabilities if resources are reduced.

Ultimately, the better you understand your tactical resources and capabilities as a CISO, the better you can inform your strategic options, pitches and justifications.


Douglas Ferguson

Douglas Ferguson, a security professional of over 20 years, is the Founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized operations build that to plan and on budget. Prior to Pharos, Ferguson was with Barclays Bank in London, where he was responsible for numerous security programs and initiatives across more than 40 countries. Previously, Ferguson was a Managing Consultant and researcher on the acclaimed X-Force at Internet Security Systems. He delivered security services to more than 200 clients globally and was a co-creator of the breakthrough System Scanner technology.
