Landing that job as CISO takes a lot of hard work up front: an undergraduate degree — or even better some graduate degrees — cybersecurity certifications, and hands-on experience.
Once the promotion comes, however, the new role can be overwhelming. That’s why anyone aspiring to become a CISO should have a game plan prepared to help them through the first months.
Or, if you don’t have a game plan, at least start thinking about some of the key risks you expect to face, said Tyler Young, CISO for BigID, and use that as a jumping-off point to build your team and identify key stakeholders.
Then, once your team is together, toss out everything you planned to do.
“Priorities are changing all the time, with new vulnerabilities, new tech being developed. Nothing actually works the way you think it will,” said Young.
Remembering how quickly things change in cybersecurity is important to developing a good mindset and approach to the job. CISOs are — sometimes unfairly — looked at as a savior, especially if the organization has historically struggled with its security program.
“Everyone thinks you are to come in on fire and move the needle right off the bat,” said Amanda Fennell, CSO and CIO at Relativity.
Instead, Fennell advises new CISOs to slow down and take the time to learn how security aligns with business needs and find who within the company is best to collaborate with to build a foundation.
“I fell in love with legal, and they love security people because we’re both risk averse,” said Fennell.
Making these connections early is still foundational years later. Many times, these are the people who will play an instrumental role on incident response teams.
Think like a customer
The first few months on the job usually start with the existing team briefing the new CISO on the current state of security. What the new CISO often finds is that an “us versus them” dynamic exists across functions, said Stan Black, CISO at Delinea. That highlights a lack of shared commonality that is standing in the way of success.
“To get a truthful assessment about where your priorities lie, you actually have to start with customers, and that means being a customer first and listening to your own experience,” said Black.
Engineers aren’t usually the target consumer for the products they develop, so they aren’t intuitively aware of the user experience or of where vulnerabilities are found. Black recommends that CISOs not only use the company’s products like a consumer, but also build a relationship with customers.
Be a good listener, open up a line of communication with customers and work backwards from there to build partnerships internally, Black said.
CISOs are business managers as much as security pros
Becoming a customer advocate to learn business priorities is one way the CISO’s role takes a sharp turn in an unexpected direction. Even though cybersecurity tech expertise is what elevates someone into the CISO position, the job will quickly focus on business operations.
CISO is a multifaceted job, said Young. Expect to work directly with vendors in a sales position, help develop product ideas, and act as an executive first, security person second to promote and build the business.
This is why building a talented, reliable security team should be a priority in those first months. These are the people who will be focusing on the day-to-day security operations in the company, while the new CISO builds relationships at every level.
Communication is key. The best strategy or framework is meaningless if the people across the company don’t understand it.
“I thought I put together a strategy that people could understand, but nobody understood it,” said Fennell. It took about a year to get it all figured out.
Expect to change the security culture and philosophy and make it your own, and then expect to see it shift and change again in another six months as you gain confidence in your team.
“Security needs to be like the Secret Service,” said Young.
The Secret Service, no matter where the President goes, has to be prepared to protect him at any time.
That’s the goal of the CISO – ensuring that whatever the people in the company are doing online, they are protected. But that approach will shift, depending on the type of threats and the talent of those in charge of defense.
What the CEO wants from the CISO
The CISO may have an idea of how to best hit the ground running in the job, but the CEO may have different goals for those first few months.
“CISOs who are just beginning their new chapter in leading teams can take in the first 45-90 days to help make their new position more purposeful,” said Raj Dodhiawala, CEO of Remediant.
Dodhiawala suggests new CISOs take the following steps to help with that transition period:
- Assess risks by learning what sensitive data needs to be protected, what the attack surface looks like and what team strengths can be built upon.
- Understand the overall costs/spend on IT security — and where the vulnerabilities are.
- Empower teams and demonstrate a commitment to cybersecurity and IT staff.
CISOs are the gatekeepers of the organization’s security. Knowing the internal threat landscape and knowing why the last person didn’t work out will help the new CISO set up goals and develop their program.
“It will take time to be comfortable,” said Fennell.
And that amount of time will be about six months, both Fennell and Young agreed — around the time new challenges will pop up.