The situation often dictates how to approach a new job. Did the company just have a humiliating experience with a data breach? Did they not have a CSO previously and that is why they are looking for security help to lock down their network?
If, during the job interview, there was a blunt plea for help, then most new hires would come in guns a-blazin' to get things under control quickly. But in most scenarios, the CSOs interviewed said there is a general settling-in period spent examining the culture of the company in order to get a grasp of what needs to be done.
“The first thing needed is to review the current state of the information security policy. Getting intimate with this document, as well as the lessons learned in creating it, is instrumental in being successful. To do this you must meet with department leads, stakeholders, and business executives to find out its context and history. My main stakeholders at Bugcrowd are the IT and Engineering groups so getting comfortable working with them was priority #1,” said Jason Haddix, head of trust and security, Bugcrowd.
From here he started to notice any “hung-up” initiatives, incomplete policy and fragmented responsibilities. Once he wrapped his head around how the company was set up, he created a plan to address each 30, 60, and 90 days out. At Bugcrowd, quick wins were identified related to business enablement and security architecture.
“There can be varying levels of responsibility in each CISO role, but one could never argue there isn't enough to do,” he said. “Once you have your battle plan, have reviewed the budget, etc., rally your direct reports and inform them of your plans. Be honest and transparent about priorities and responsibilities. Take constructive criticism and compromise where necessary, but ultimately break down these plans to quarterly goals as an organization.”
Haddix said the next steps are rolling out initiatives in a structured manner. Working at a startup, his role at Bugcrowd is heavy on business enablement, security architecture, and some compliance and audit. Other roles will work more closely with risk management and security operations.
Alvaro Hoyos took much the same approach as Haddix in rallying the troops upon his arrival as chief information security officer at OneLogin. “I reached out to all personnel to introduce myself, describe what my role consists of, and what we wanted to accomplish in the short term. The CISO role is still somewhat uncommon and has been evolving over the last few years. This role works with all departments and you will be enlisting the help of various team members as you roll out various projects, not to mention that you are also responsible for improving your organization's security culture, which is probably one of the toughest items on your to-do list. Therefore, it is critical to get the organization behind you from the start because personnel outside of your own team will be in the critical path of a lot of your activities and your success will be tied to them.”
The next step was to secure an inventory of information assets. He said knowing what you are tasked to secure is one of the first steps you need to take in order to lay down a good foundational framework to build upon. This requires meeting with information owners and being fluent in all the data coming and going out of the organization. Part of knowing the data is determining what compliance and legal requirements you must meet, so you can build a security program that is commensurate to the appropriate risks, and more importantly you can focus your resources efficiently to address them.
Hoyos noted that a security program is an ongoing effort rather than a one-time project. “A security program is an ongoing journey. Once you have the lay of the land, you need to determine how you will maintain and grow that program effectively. Once you determine what framework(s) you will base your program on, you have to come up with a strategy for what you need to, and more importantly, can realistically tackle in the short term and long term,” he said.
A key step in this process is performing a risk assessment to use as a guide to help you prioritize what you tackle. This is especially useful when getting buy-in from management and defining what your budgetary needs will be.
“Just as important as knowing what you can tackle in the short term, being able to plan for the long term is equally important,” he said.
Knowing the risk
“As a CSO, it all begins and ends with risk -- at the end of the day, you have to understand the risk and how to manage and mitigate that risk,” said Malcolm Harkins, chief security and trust officer, Cylance.
“Specifically, there are two battlefields we have to face: one that is external and one that is internal. The external battlefield is made up of threat factors and agents that we read about in the press every day and the internal battlefield is made up of budgets, bureaucracy and behaviors,” he said.
Harkins noted that it's a two-pronged approach of evaluation, and CSOs need to understand what the risks and controls are externally and how to build relationships, rapport and influence internally.
Dawn-Marie Hutchinson, executive director, office of the CISO, Optiv, took the cautious approach as well when she first settled in.
“I met with each leader of the IT divisions to understand what their specific data security concerns were and what data was stored, processed or transmitted through their division. The first 30 days were spent just learning the general IT layout, things like how data moved through it, and gaining their perspectives on security. The first months of the role were just about learning about the company, the culture and the business,” she said.