Five moves for every new CISO’s playbook

CISOs are pulling up roots and moving to new companies at a rapid pace as demand grows for leaders with cyber and information security expertise and salaries skyrocket. Many seasoned infosec professionals are also joining the CISO ranks for the first time as companies add the position to their C-suites.

Four years ago, 20 percent of CISOs had less than two years on the job, according to Gartner. Today it’s closer to 30 percent, according to analyst estimates. “You’ve also got all of these open positions where there is no CISO but there is funding, and they’re trying to hire,” says F. Christian Byrnes, Gartner managing vice president. “If there were enough people to fill those positions, it would be 50 percent.”

Short tenures put added pressure on the company and the CISO because it takes at least two years for a CISO to learn the job and be comfortable with it, Byrnes adds. CISOs have little time to formulate a course of action, make connections, establish a management style, and win over stakeholders – let alone see their plans come to fruition. Successes and failures in the first year can also affect how others buy into their security strategies going forward.

“A new age CISO must think big, act small and go fast,” says James Christiansen, who has served as CISO at Visa, General Motors and Experian.

Veteran CISOs who have successfully made the transition to a new company, along with industry experts, offer five security moves that should be part of every new CISO’s playbook.

1. Understand the company, learn the culture, find allies – fast.

In the first two weeks at the helm, a CISO must sit down with senior leaders in every sector of the organization and listen to their goals and concerns, Christiansen says. Then they must adjust their own value proposition to meet those leaders’ goals. For instance, “instead of conveying how you’re going to stop something from happening, tell them how you’re going to keep things moving,” he says.

“This is your one shot while you’re in your honeymoon period to open up and say here is where we need to improve things,” says Christiansen, who is now vice president of information risk management at cybersecurity solutions provider Optiv Security.

When these leaders understand the value proposition that the CISO brings to the company, they become allies. As a new CISO at Experian, Christiansen remembers walking into the marketing group president’s office. “She was concerned that I was going to bring a lot of cost to her organization with encryption and other security measures on all the data. When I started talking to her about matching risk with the level of data and that we didn’t have to do all of it, suddenly she was one of my biggest allies on the executive board and could tell them ‘he understands,’” he recalls. With allies in place, plans will move more quickly.

2. Stop the bleeding

Once a CISO has taken stock of the current security environment, they can gauge the risk exposure, then set priorities carefully and avoid overcommitting, according to Gartner. Identify the five most pressing issues that you have to deal with, and then select two of these that you will focus on during your first three months.

“Getting a handle on cyber security and making sure you have the right protections in place is one of the core things you can do to really improve an organization quickly as a new CISO,” says Michael Eisenberg, former CISO at Aon plc and global information security director at McDonald’s.

There are aspects of security programs that are traditionally weak, Eisenberg says. Companies traditionally struggle with vulnerability management, not just for critical systems but for all of their systems across the board. “You’ve got to do it, and you’ve got to be good at it,” Eisenberg says. He recommends getting outside help until the CISO can build the technology and talent in-house to protect the company’s own assets.

Tuning up company-wide security awareness programs can also have an immediate impact on security, he adds.

3. Skip the technical details for now

The most common mistake a new CISO makes is trying to immediately exert technical control, Byrnes says. They may become locked into those early decisions and “can almost never break free to where they should be in terms of being business-facing.” Even worse, “they’ll probably get such incredibly negative reaction that they’ll probably never recover,” Byrnes adds. “Unfortunately I see that fairly often.”

4. Step up communications skills

One looming change affecting CISOs after the Target and Sony breaches is the Securities and Exchange Commission’s growing pressure on publicly held companies’ boards of directors to be aware of cybersecurity plans and, perhaps in the future, to be held liable if a breach occurs.

“Their liability is in their oversight of their cybersecurity. That means that every board is asking ‘what are you doing about security?’ They all want very clear and meaningful reports on the security program,” Byrnes says.

CISOs need to learn how to communicate with board members, which requires “a new level of abstraction and business orientation above what they’ve ever had to deal with before,” Byrnes says. He reviews about three security reports to the board every week for CISO clients. A few months ago, he would only review one every couple of months.

5. Build a long-term security strategy based on business goals

Beyond solving the immediate security concerns of the business, the CISO must lay out a business-aligned security strategy that also supports future business objectives, Eisenberg says.

If the company is privately held but thinks it might go public in the next two to five years, for instance, the security program that a CISO must build in that company would be an IPO enablement program, he says. “Not only would I want to protect the assets of the company but I would also want to build out the regulatory environment that you would be required to have for a public company,” Eisenberg says.

When it comes to business alignment, if a company is transforming to an ecommerce environment, for example, “the security program you would build for a company doing the majority of its business on the Internet is a lot different from a brick-and-mortar” security program, he adds.

There is no way to know what security challenges await a CISO until they actually enter the job, even if they’re promoted from within the company, Byrnes says. The CISO must get inside, assess the security landscape, realize that security risk can’t be completely eliminated, and figure out how much security is enough.

“The CISO is a translation point of gathering business-related information and translating it into technical requirements,” Byrnes says. “It’s about understanding acceptable levels of risks.”

Stories by Stacy Collett