A successful chief information security officer (CISO) is primarily a leader, a manager and a communicator, not a technologist. Most CISOs who fail do so because they don’t understand or meet business requirements and expectations, or they don't effectively communicate how they’ve met the expectations.
Your first 100 days as a CISO constitute a “honeymoon” period. Within this brief timeframe, you must formulate a course of action, make connections, and establish and communicate a personal management style.
Those who approach the role with a strong plan for the first 100 days are likely to enjoy success. This will depend on two complementary achievements:
(1) Establishing a foundational personal brand of credibility and leadership; and
(2) Laying the foundation for a sound security program.
It is within this critical period that you establish yourself and create the basic perceptions that others will, for better or worse, associate with your subsequent plans and actions.
100 day roadmap
Gartner breaks down the CISO’s objectives into a 100 day roadmap. Each phase includes critical target outcomes, actions and resources, as well as some optional ideas to consider as time and resources allow.
Roadmap of a CISO’s First 100 Days
Source: Gartner (July 2016)
Don't wait until your first day on the job to prepare. Take some key actions before you start to inform yourself, learn about your colleagues and staff, draft communications to make a great impression on day 1 and set up meetings with your team and key business and IT leaders. Do not make the mistake of approaching your new role with ad hoc communications and plans. A few hours of investment in planning before you start will ensure critical preparations are completed. Demonstrating that you understand “how things work around here” is crucial.
Use this period to gain a comprehensive insight into the current state of the security program in the organisation; what's working and what isn't; as well as the top five challenges that you will prioritise for the first three to six months. During your first week, try to spend most of your time creating an inventory of the resources you will need to manage the security organisation: people, reports, available metrics and financial parameters. Use face-to-face meetings to build a strong understanding of the business and rapport with key stakeholders.
This phase turns what you’ve learned into a blueprint for action. Share your security program vision with your team, line managers and business stakeholders. This is your chance to design and refine your new security organisation. By now you should have a reasonably accurate picture of your monthly security operations budget, so this is the time to plan your budget for the next two to three months.
Now is your opportunity to deliver visible results, such as changes in the security program. This is when you redefine your team, get involved in existing projects, set budgets, establish (or re-establish) the security governance processes and forums, and ensure senior management commitment for the security charter you developed.
This is your chance to start providing evidence of your impact. Develop an executive reporting framework and process, monitor program and project progress, and highlight early wins, successes and challenges. Schedule meetings with your line manager, team leaders and key stakeholders to gather their thoughts on the progress made and challenges encountered during the first 100 days of your tenure.
By following this roadmap, you will put yourself in a great position to succeed in your new role. Set your priorities carefully, and avoid overcommitting. Stay as far away from technical details as possible, and focus on the relationship of security to the business. While you’re doing this, it is also best to assume some inevitable portion of your time will be spent handling unpredictable security events.
About the author
Tom Scholtz is a research vice president and Gartner Fellow at Gartner. He is also the chief of research for security and risk management, advising clients on security management strategies and trends. Tom will be speaking at the Gartner Security & Risk Management Summit in Sydney next week, 22-23 August.