At the helm of a business's overarching security strategy is its Chief Information Security Officer (CISO), a key C-suite role responsible for assessing, planning, and maintaining the security of the enterprise as it grows. With the surge of cyberattacks across all industry verticals, more businesses are hiring CISOs to strengthen their defenses and their response to threat actors.
CISOs ensure the safety and continuity of a business's operations and data. They continually reevaluate their strategy as the threat landscape changes and, in tandem, adjust how the business monitors and responds to potential attacks. With so much work ahead and so many facets of cybersecurity to consider, new CISOs joining a business need a plan in place so they can make the most of their resources and effectiveness.
The cybersecurity domain is a vast one, so having the right ramp-up strategy can help a new CISO identify main priorities and get started on achieving their goals. For CISOs joining a business, the first three months are significant in establishing credibility as well as a path forward for the business’s security posture. This post outlines a ramp-up strategy structured in five key phases CISOs can use to ensure their first 90 days are successful.
New CISOs on the job will seek to understand their company, identify key subject matter experts, and, most critically, take time to listen to and learn from the people they speak with. Intel is a new CISO's best friend: the more information collected about the company, the better. To perform a valuable discovery, CISOs may ask questions like:
Each business will have a unique mission, vision, and industry-specific security requirements that a new CISO needs to take into consideration. Most of the discovery phase will require the CISO to get to know the security leaders and teams. By holding interviews with these key roles, a new CISO can start to understand where the organization stands in its overall cybersecurity strategy, learn about the security culture of the company, and define the scope and expectations of their work.
This ensures stakeholders, leadership, and security staff all see what the CISO's tenure will look like going forward. Building these relationships early in the onboarding process is invaluable for creating trust and establishing the new CISO's personal commitment to, and identification with, the business's security values.
In the assessment phase, things will get much more granular for a new CISO. This is when CISOs will need to start understanding the current maturity of the company’s security strategy and identify what is and isn’t working in terms of people, process, and technology. Typically, new CISOs will conduct formal security assessments to measure and review:
When it comes to understanding the organization's attack surface, CISOs often employ inventory discovery tools capable of scanning entire networks to locate connected IoT devices as well as protected and unprotected endpoints. A network scan only shows what was reachable from the scanner at scan time, so remote laptops, cloud workloads, and hosts on segmented networks need to be reconciled against other sources, such as the endpoint-agent console, DHCP and DNS records, cloud provider inventories, and the CMDB; the gaps between those sources are usually the first concrete findings. Tools like this enable a new CISO to work efficiently and start reducing risk, a core responsibility linked to most companies' business goals.
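The reconciliation described above, as an added example that is not part of the original post or SentinelOne's tooling: a discovery scan result is matched against an endpoint-agent inventory to sort hosts into covered, stale-agent, unprotected, and agent-incapable buckets, and to list agents the scan never saw. Both inputs, the seven-day staleness threshold, and the list of OS strings treated as unmanageable are constructed assumptions; a real run would take the first list from the scanner and the second from the EDR console export.

```python
"""Reconcile a network discovery scan against an endpoint-agent inventory.

Added example for this post, not SentinelOne code. Both inputs are
constructed: a scanner would normally emit the first list and an EDR
console export the second. Hostnames, IPs and MACs are made up.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
STALE_AFTER = timedelta(days=7)                    # assumed threshold: an agent silent this long counts as uncovered

# Constructed network scan output (what an inventory discovery tool would return).
SCAN = [
    {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "hostname": "fin-lt-042.corp.example", "os": "Windows 11"},
    {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:02", "hostname": "eng-ws-007.corp.example", "os": "Ubuntu 22.04"},
    {"ip": "10.0.1.12", "mac": "aa:bb:cc:00:00:03", "hostname": "", "os": "Windows 10"},
    {"ip": "10.0.2.20", "mac": "aa:bb:cc:00:00:04", "hostname": "cam-lobby-1", "os": "embedded Linux"},
    {"ip": "10.0.2.21", "mac": "aa:bb:cc:00:00:05", "hostname": "printer-3f", "os": "printer"},
    {"ip": "10.0.1.13", "mac": "aa:bb:cc:00:00:06", "hostname": "hr-lt-019.corp.example", "os": "macOS 14"},
    {"ip": "10.0.1.14", "mac": "aa:bb:cc:00:00:07", "hostname": "contractor-pc", "os": "Windows 10"},
]

# Constructed EDR agent inventory export.
AGENTS = [
    {"hostname": "FIN-LT-042", "ip": "10.0.1.10", "last_seen": NOW - timedelta(hours=2)},
    {"hostname": "eng-ws-007", "ip": "10.0.1.11", "last_seen": NOW - timedelta(days=30)},   # stale
    {"hostname": "hr-lt-019", "ip": "10.0.1.13", "last_seen": NOW - timedelta(minutes=5)},
    {"hostname": "sales-lt-101", "ip": "10.0.9.5", "last_seen": NOW - timedelta(hours=1)},  # off-network, never scanned
    {"hostname": "host-10-0-1-12", "ip": "10.0.1.12", "last_seen": NOW - timedelta(hours=1)},
]

# OS strings treated as devices that cannot run an agent; assumed list, tune per environment.
UNMANAGEABLE_OS = ("embedded", "printer", "camera", "phone")


def short_host(name):
    """Normalise a hostname: lower-case and drop the DNS suffix. Empty stays empty."""
    return name.strip().lower().split(".")[0]


def reconcile(scan, agents, now=NOW, stale_after=STALE_AFTER):
    """Classify every scanned host as covered, stale, unprotected or unmanageable,
    and list agents the scan never saw. Matches on hostname first, then on IP,
    so a host the scanner could not resolve still pairs with its agent."""
    by_host = {short_host(a["hostname"]): a for a in agents if a["hostname"]}
    by_ip = {a["ip"]: a for a in agents}
    result = {"covered": [], "stale": [], "unprotected": [], "unmanageable": [], "unscanned_agents": []}
    seen_agent_ips = set()
    for h in scan:
        label = h["hostname"] or h["ip"]
        if any(tag in h["os"].lower() for tag in UNMANAGEABLE_OS):
            result["unmanageable"].append(label)   # needs network controls, not an agent
            continue
        agent = by_host.get(short_host(h["hostname"])) or by_ip.get(h["ip"])
        if agent is None:
            result["unprotected"].append(label)
            continue
        seen_agent_ips.add(agent["ip"])
        bucket = "stale" if now - agent["last_seen"] > stale_after else "covered"
        result[bucket].append(label)
    # Agents the scan never reached: remote or otherwise outside the scanned ranges.
    result["unscanned_agents"] = [a["hostname"] for a in agents if a["ip"] not in seen_agent_ips]
    return result


def coverage_pct(result):
    """Share of agent-capable scanned hosts with a live agent (stale counts as uncovered)."""
    capable = len(result["covered"]) + len(result["stale"]) + len(result["unprotected"])
    return round(100.0 * len(result["covered"]) / capable, 1) if capable else 0.0


if __name__ == "__main__":
    r = reconcile(SCAN, AGENTS)
    for k, v in r.items():
        print(f"{k:17} {v}")
    print(f"coverage: {coverage_pct(r)}%")
```

The two numbers worth carrying into the assessment are the coverage percentage and the size of the `unscanned_agents` list: the first is the endpoint-protection gap, the second measures how much of the estate the network scan cannot see at all and therefore needs a second inventory source.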
The other aspect for new CISOs to consider in the assessment phase is recent threat intel gathered by the cybersecurity community. A new CISO will take into consideration new and developing breaches, global and industry-specific threat trends, documented tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), zero-day vulnerabilities, and attack patterns to inform their initial security assessment.
After conducting their own security assessment and analyzing the data, a new CISO’s next step will be to draft the strategy or upgrade an existing one based on their findings. A holistic cybersecurity strategy typically showcases:
CISOs lead the business’s security program by developing and deploying company-wide initiatives that firm up policy frameworks and help spread awareness about the importance of secure work practices. New CISOs coming into a business will usually frame their initiatives around the company’s overall goals. This may include, but is not limited to:
A crucial part of this phase is communicating the proposed strategy to stakeholders and obtaining buy-in and agreement on the priorities identified. The strategy’s direction and goals, as well as headcount, financial requirements, and schedule, will need to be approved by the business’s leadership before it is rolled out to the rest of the security directors and managers.
Successful execution of the new CISO’s cybersecurity strategy requires consistent measurement of the baseline metrics approved in the planning phase. CISOs will lead the effort in setting clear expectations, capturing accurate metrics, and demonstrating progress towards the goals and initiatives.
Regular reporting is a key responsibility new CISOs will need to meet. Reporting should present a portfolio of security metrics and status updates on progress towards every goal on the roadmap. Reports will show evidence of the strategy's success and highlight recent wins and emerging challenges while explaining the tactics or technology used to address obstacles.
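One concrete form the metrics in such a report can take, as an added example that is not part of the original post or SentinelOne's tooling: remediation SLA compliance per severity, with open findings that are past their SLA counted as breaches, open findings still inside their window left out of the ratio, and a trend column against the baseline captured in the planning phase. The findings, SLA targets, and baseline values are all constructed assumptions; a real report would pull findings from the vulnerability-management or ticketing system.

```python
"""Compute roadmap metrics from a findings export for a CISO status report.

Added example for this post, not SentinelOne code. The findings, the SLA
targets and the baseline are constructed; a real report would pull
findings from the vulnerability-management or ticketing system.
"""
from collections import defaultdict
from datetime import date

REPORT_DATE = date(2024, 6, 30)   # fixed so the numbers below are reproducible

# Assumed remediation SLA per severity, in days from the date a finding was opened.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed findings: (id, severity, opened, closed-or-None).
FINDINGS = [
    ("F-1", "critical", date(2024, 5, 1), date(2024, 5, 4)),    # closed in 3d, within SLA
    ("F-2", "critical", date(2024, 5, 10), date(2024, 5, 30)),  # closed in 20d, breached SLA
    ("F-3", "critical", date(2024, 6, 28), None),               # open 2d, not yet due
    ("F-4", "high", date(2024, 4, 1), date(2024, 4, 20)),       # closed in 19d, within
    ("F-5", "high", date(2024, 5, 1), None),                    # open 60d, overdue
    ("F-6", "medium", date(2024, 3, 1), date(2024, 5, 1)),      # closed in 61d, within
    ("F-7", "medium", date(2024, 6, 1), None),                  # open 29d, not yet due
]

# Constructed baseline compliance (%) captured in the planning phase, for the trend column.
BASELINE = {"critical": 40.0, "high": 55.0, "medium": 80.0}


def sla_metrics(findings, sla_days, report_date):
    """Per severity: counts, SLA compliance (%) and mean days-to-close.

    A finding is compliant if it closed within its SLA window. Open findings past
    their SLA count as breaches; open findings still inside the window are excluded
    from the compliance ratio so an unfinished period does not distort the number.
    """
    buckets = defaultdict(lambda: {"total": 0, "compliant": 0, "breached": 0,
                                   "overdue_open": 0, "close_days": []})
    for _id, sev, opened, closed in findings:
        b = buckets[sev]
        b["total"] += 1
        limit = sla_days[sev]
        if closed is not None:
            days = (closed - opened).days
            b["close_days"].append(days)
            if days <= limit:
                b["compliant"] += 1
            else:
                b["breached"] += 1
        elif (report_date - opened).days > limit:
            b["breached"] += 1
            b["overdue_open"] += 1
        # else: open and not yet due, deliberately not counted in the ratio
    out = {}
    for sev, b in buckets.items():
        decided = b["compliant"] + b["breached"]
        out[sev] = {
            "total": b["total"],
            "compliant": b["compliant"],
            "breached": b["breached"],
            "overdue_open": b["overdue_open"],
            "compliance_pct": round(100.0 * b["compliant"] / decided, 1) if decided else None,
            "mean_days_to_close": (round(sum(b["close_days"]) / len(b["close_days"]), 1)
                                   if b["close_days"] else None),
        }
    return out


def trend(metrics, baseline):
    """Percentage-point change in compliance versus the planning-phase baseline."""
    return {sev: round(m["compliance_pct"] - baseline[sev], 1)
            for sev, m in metrics.items()
            if m["compliance_pct"] is not None and sev in baseline}


if __name__ == "__main__":
    m = sla_metrics(FINDINGS, SLA_DAYS, REPORT_DATE)
    t = trend(m, BASELINE)
    for sev in ("critical", "high", "medium"):
        print(f"{sev:9} compliance {m[sev]['compliance_pct']}% ({t[sev]:+} pts vs baseline), "
              f"overdue open {m[sev]['overdue_open']}, mean close {m[sev]['mean_days_to_close']}d")
```

Reporting `overdue_open` separately from the compliance ratio matters: a ratio alone can look healthy while a handful of old critical findings sit open, and those are the items leadership needs to see.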
As the security landscape evolves, CISOs will also need to adjust their roadmaps at regular intervals and communicate changes to both stakeholders and security initiative leaders. Long-term goals on roadmaps are often subject to changes in business objectives, budget, and both internal and external factors.
New CISOs manage their resources to focus on tangible accomplishments: early success builds credibility, which leads to more buy-in from stakeholders and adoption by directors and managers. This is the positive cycle that improves the security posture across the business. Too often, information security is treated as the responsibility of a few security leads, which leaves gaps in knowledge across a business's various departments. Security is a shared responsibility of every employee in an organization, with the CISO running regular awareness campaigns and building the support systems that make it so.
Once the strategy is put into motion, a new CISO can start to focus on keeping the security of the business as agile as possible. As cyber trends continue to fluctuate and new intel comes in, new CISOs must evolve their plans to meet future requirements of the business. New intel and research give rise to opportunities for improvement and the CISO will spearhead the effort in making the business more adaptable and responsive to the ever-changing threat landscape.
A significant part of this evolution includes strengthening the in-house security team and technology. CISOs will work with other parts of the business to ensure that new hires and promotions are aligned with the growing cybersecurity strategy and that appropriate training and an ongoing cyber education program are in place to support the growing team.
Chief Information Security Officers are a critical pillar of a business's defenses. New CISOs transitioning into an organization will have a lot to account for, even if a cybersecurity strategy or program is already in place. Having a set of clearly defined steps can help new CISOs plan and execute their work in a streamlined manner and make the best use of the first 90 days of their tenure.
The ramp-up strategy described above can help new CISOs move their company towards a stronger security posture. The five key phases – discover, assess, plan, execute, and maintain – serve as a broad outline that newly appointed CISOs can use to start planning and executing on their vision for security. For more in-depth guidance, SentinelOne offers free ebooks for new CISOs, including 90 Days | A CISO's Journey to Impact – Define Your Role and 90 Days | A CISO's Journey to Impact – How to Drive Success.
CISOs around the globe have partnered with SentinelOne to augment their security vision and safeguard their critical data. As new CISOs begin to pursue security resilience, shore up urgent vulnerabilities, and implement long-term initiatives such as endpoint protection, cloud security, detection and response capabilities and more, SentinelOne’s industry experts are on hand to assist CISOs as they stand up their new strategies. Contact us for more information, or sign up for a demo today.