Chief Information Security Officers (CISOs) are an essential pillar of an organization’s defense, and they are accountable for a great deal. For new CISOs especially, this can be a daunting task. The first 90 days are crucial for a new CISO to set up their security team, so there is little time to waste and much to accomplish.
By George Tubin, Director of Product Strategy at Cynet
A new guide by XDR provider Cynet (download here) looks to give new and veteran CISOs a durable foundation to build a successful security organization. The challenges faced by new CISOs aren’t just logistical. They include securing their environment from both known and unknown threats, dealing with stakeholders with unique needs and demands, and interfacing with management to show the value of strong security.
Therefore, having clearly defined steps planned out can help CISOs seize the opportunity for change and implement security capabilities that allow organizations to grow and prosper. Security leaders can also leverage the willingness of organizations to undergo digital transformations to deploy smarter and more adaptive defenses. This is critical, as a good security team can enhance an organization’s ability to scale and innovate. The question is where to start.
9 Steps for New CISOs
The eBook explains how new CISOs should tackle their first 90 days to ensure that each passing week builds on the last, and lets security leaders understand both their current reality, and what they need to improve. Before building a security stack and organization, new CISOs need to comprehend the status quo, what works, and what needs to be upgraded or replaced.
These are the nine steps to new CISO success, according to the guide:
- Understanding business risks – The first two weeks of a new security leader’s tenure should be spent not doing but learning. New CISOs should familiarize themselves with their organization, how it operates, its security strategy, and how it interacts with the market. It should also be a time to meet with other executives and stakeholders to understand their needs.
- Comprehending organizational processes and developing a team – Next, it’s time to look at processes and teams, and how they interact. Before implementing new protocols, CISOs and security leaders should know the processes already in place and how they work or don’t work for the organization.
- Building a strategy – Then, it’s time to start building a new security strategy that meets the organization’s business strategy, goals, and objectives, as well as the staff’s career goals and objectives. This will include thinking about automation and how cyber-risks are detected and met, as well as how to test your defenses.
- Finalizing strategies and implementation – With a strategy built, it’s time to put rubber to road and get going. Before finalizing the strategy, it’s important to get critical feedback from other stakeholders, and only then bring the final plan to the board and the executive committee. With final approval, it’s time to start building tactics and plan how to implement the new strategy.
- Becoming agile – Once strategies are put into practice, security teams can focus on finding ways to become more responsive, more adaptable, and agile enough to meet any challenge. This includes finding the right project management tools and methods.
- Measuring and reporting – Now, it’s time to ensure that the plans that were implemented are actually working. Once things are in place, begin regular measuring and reporting cycles to show both the security team and the executive committee that the strategy is working.
- Pen testing – This is a critical step and should be an important evaluation of a strategy’s effectiveness. Any good plan should always include rigorous testing to help teams find places where defenses are not working or vulnerabilities that might not have appeared on paper but do in practice.
- Building a zero-trust architecture (ZTA) plan – Now, it’s time to do away with outdated identity and access management (IAM) paradigms and upgrade to multi-factor authentication (MFA). This also includes upgrading SaaS application security posture, as well as network defenses that can prevent common attacks.
- Evaluating SaaS vendors – Finally, and with the goal of using SaaS applications wherever possible, a new CISO must carefully consider existing vendors to find a solution that can cover as many services as possible without requiring complex and potentially risky security stacks.
You can learn more about how CISOs can get started successfully here.
About the Author
George Tubin is the Director of Product Strategy at Cynet and a recognized expert in cybercrime prevention. He was previously VP of Marketing at Socure and Senior Research Director at TowerGroup where he delivered thought leadership and insights to large enterprises on cybersecurity as well as identity and fraud management.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.