Navigating the First 3 Months: 5 Steps to a Successful Career as a New CISO

You’re about to start as a CISO at a new company. Exciting! The following five steps will help you navigate your first three months and lay the foundation for a successful career as a new CISO.

Step 1 – Get to know the business

Today, information security is a business issue: security risks can jeopardize the business itself, so you need a solid understanding of your new company’s business. The website, press articles, and internal documentation give you a first picture of how the company is organized, but they are not enough. Meet the key stakeholders (the CEO, CFO, CIO, CTO, Enterprise Risk Manager, Legal officer, DPO, Internal Audit, HR, the unions, and possibly the Physical Security Officer) and listen to their concerns, so they know you are there to help them conduct business securely. Find out what they expect from you, and explain what you expect from them.

Get a feel for what they think security is about, and introduce your plan: assess, prioritize, plan, present, and execute!

Step 2 – Know the current security set-up

Talk to the technical staff to understand the IT and security set-up. Get their view on maturity, priorities, and budget; check whether a security improvement roadmap or IT roadmap exists; find out how risk assessment and risk management are currently defined and practised, if at all. Find out what the biggest roadblocks are.

Bridge the gap between the IT department and the business by understanding both sides.

Step 3 – Assess the current security maturity

Select a framework to assess your maturity against, both technically and from a governance perspective. A good choice for the technical side is the CIS Controls; for governance, ISO 27001 or the NIST CSF (widely used, particularly by US companies). Belgian companies should also look at the CyberFundamentals framework created by the Centre for Cybersecurity Belgium (CCB).

Conduct interviews, score the framework controls, and run penetration tests. Score each control on evidence (configurations, logs, test results) rather than only on what interviewees tell you; the penetration tests are how you verify that the technical controls actually hold up.

Step 4 – Set priorities and create an action plan

Create an action plan based on the assessment findings and stakeholder feedback. Keep its horizon to three years at most; even that is a stretch for most companies. Focus first on low-hanging fruit with high returns. Prioritize actions into short-, medium-, and long-term goals, each tied to the actual business risk it mitigates. Provide ballpark figures so the plan comes with a tangible budget, and make sure the resulting improvement plan is realistic for the organization.

Engage the required stakeholders for the budgeting and the execution of the plan.

Step 5 – Present the plan to executive management

Provide a high-level overview – short and to the point – of major findings and a roadmap of improvements, with business context (remember the low-hanging fruit!). Address technical and governance challenges and provide an indication of the required budget.

Build trust, show a realistic roadmap that fits the organization’s business and culture, and get approval for a security improvement budget that reduces the business risk from cyber events.

Easy, right? Of course it isn’t; you will always face challenges. But if you follow these guidelines and adapt them to your context, you can make the most of your first 90 days as a new CISO!
