Check Point Software’s cyber security evangelist Ashwin Ram shares a framework and crucial must-dos to set CISOs up for success in their first 100 days.
In today’s climate of widespread data breaches and heightened cyber security threats, the role of a Chief Information Security Officer (CISO), or any executive responsible for cyber resilience, is extremely challenging. In fact, according to one study, the average tenure of a CISO is 26 months, less than half of the 4.9 years of other C-suite colleagues. Why does this happen?
According to a Heidrick & Struggles 2022 Global CISO survey, 59% of CISOs globally say stress is the most significant personal risk relating to their role, while 48% cite burnout and 21% feel underpaid. Furthermore, there is the pressure of the position: one in four CISOs believe their employment would be in jeopardy if their enterprises were impacted by a breach.
The fact is, no company is exempt from cyber attacks. According to Check Point’s most recent Threat Intelligence Report, an Australian organization was being attacked an average of 925 times per week in the last six months.
Still, it’s not all doom and gloom. The role of a CISO has become more strategic, extending beyond compliance and technical metric monitoring to create and champion a culture of shared cyber risk ownership. Today, CISOs must have a game plan that takes a balanced approach to stakeholder management and a firm stance against cyber threats.
So what can an incoming CISO do in their first 100 days to create the foundation for success?
While there is no one-size-fits-all in cyber or business strategy, the Cyber Leadership Institute provides a great framework, which has been refined over time through hard lessons learnt in the trenches by industry veterans. Here we will expand further on this foundation to help provide new CISOs and cyber executives with a greater understanding of key activities that need to happen to maximize success.
Beyond technical knowledge, successful cyber security leaders need to master two main skills. The first is understanding the business. In that sense, preparation is key. CISOs should learn as much as possible about the organization before day one. The company’s annual report is a great starting point, however, also allow time to research who its customers are and the lines of business that generate revenue. Most importantly, ensure an understanding of the key business goals the organization is striving towards. A clear picture of where the company is heading, and its previous results, will determine how much financial support is received.
It would be wise to understand if the business has made the news in recent times and if they have experienced any breaches.
The second set of skills to master consists of strong communication and credibility. According to Deloitte, the “majority of CISOs have to invest a lot of time to get buy-in and support for security initiatives.” In other words, clearly communicating cyber risk in terms of business outcomes has become a critical success factor for CISOs.
The CISO role is arduous at best. However, without support from the top, success may be unattainable. Therefore, understanding the organization’s goals and stakeholders’ pain points must be a priority, so that you may strategically tie your cyber strategy to key business objectives.
An additional thought to consider before taking on a new CISO role is that there are no guarantees your company will not suffer from a successful cyber attack within the first 100 days. Establish prior relationships with external Incident Response teams in the event you need to engage them quickly.
Start-up phase: Days 0-15
For a strong start, spend time with the manager you report to, aligning on key challenges and opportunities and discussing the vision for information security. Get acquainted with the organizational structure and reporting lines, particularly within the legal, security, risk, compliance, HR, operations and governance teams. This is the time to start building relationships with key stakeholders so that efforts to build and manage the business’ information security program are coordinated.
During the first couple of weeks, analyze the cyber strategy to understand current maturity. This means analyzing previous risk assessments, threat hunting reports, gap analysis and security roadmaps, if they exist. You should also request the organizational security policies and audit reports, and access to any risk management tools.
While deep diving to understand the cyber maturity status of the company, make time to set up meetings and introduce yourself to key stakeholders. Lock in regular risk management meetings with appropriate stakeholders to discuss the business’ risk profile, laying the foundations to discuss the status of any open or untreated risk.
Within this time frame, identify your key security vendors and establish communication. Your key security vendors can assist with gap analysis. At Check Point for example, we offer a free Cyber Security Risk Assessment that can be leveraged by CISOs for an evidence-based discussion.
Cyber does not exist in a bubble. If you have not already done so, seek out like-minded people trying to solve the same challenges you are: find your ‘tribe’. Chances are someone has either already dealt with, or is currently dealing with, the challenges you face. Collaboration with industry peers can be a powerful approach.
Understand phase: Days 0-45
It is often said that if you do not know where you are going, you will not know when you have arrived. Without a strategy, it is not possible to develop a meaningful plan of action and enterprises will continue to implement ad hoc tactical point solutions that inhibit overall integration.
In the first month and a half, focus on understanding security and compliance-specific projects and initiatives. Identify which tasks need to be prioritized based on overall current-state maturity, existing security programs, critical control deployment and top risks. Spend time understanding your business’ incident response capability, the top 10 business-critical applications and their respective threat models.
Sound cyber security programs are underpinned by effective information security governance, so start by understanding the roles and responsibilities for your organization’s information security governance. Be sure to clearly understand which roles are responsible and accountable for decision-making, who should be kept informed and who within your network should be consulted.
At a very high level, validate that sound security practices are in place to support strategic organizational objectives and risk management, and that the enterprise is suitably geared towards preventing attacks effectively and efficiently.
Review the company’s information security charter to understand its security vision, security mission and cyber security scope, as well as which departments must comply.
One of your key tasks must be to identify the business’ mission critical data or “crown jewels” — such as information about customers, intellectual property, product designs, and finance — and the current security controls around them. Keep a register and prioritize the non-negotiable controls to keep all critical assets secure — for example, ensuring all databases are encrypted.
With supply chain and third-party risk at the forefront of many recent breaches, spend time understanding whether third parties are hosting your organization’s critical assets, and review contracts to familiarize yourself with their responsibilities and how well they meet their security obligations.
To gain a fresh perspective on your approach, identify and build relationships with at least one internal and one external executive mentor. External mentors from different sectors can provide unbiased advice and outside the box thinking to help navigate stakeholder politics.
One of the primary roles of a CISO is information security risk management, so understanding how risk is communicated within the company should be a top priority within the first month. Spend time understanding how risk is classified (risk taxonomy) and ranked within the business.
Prioritize phase: Days 15-60
It is time to focus on prioritizing activities, developing a vision to share with your manager, team and key stakeholders, and getting feedback to refine your plan.
Start by building an Information Security Strategy that is business-aligned, risk aware and holistic, and that enables you to clearly communicate the company’s information security risk profile. Consider putting together a controls framework that satisfies multiple compliance requirements by testing a single control.
From a controls perspective, a holistic approach is better executed with a consolidated security architecture that includes the protection of cloud, network, and endpoints and that also allows comprehensive user access, all powered by a single management and security operations platform. That means having all the logs speak the same language, providing visibility and situational awareness from a single dashboard that generates reports in an automated fashion. This approach is a game-changer and addresses many of the hurdles that CISOs and security teams face.
Align with your direct reports and stakeholders on at least three key issues to close out over the next two months. These will be your quick wins — projects that significantly impact the cyber security program with minimum effort. Quick wins will help gain credibility early on, ensuring CISOs gain support from above for their initiatives.
Another quick win is prioritizing customized security awareness and education training throughout the enterprise. This activity can be easily outsourced, and it is an important first step in forging an awareness-driven culture where everyone in the company understands that cyber security is everyone’s responsibility. Be sure to use the results of security awareness training to demonstrate the maturity of the cyber security awareness culture.
To execute an information security program, you will need funding. In this phase, plan your operational security budget for the next couple of months and get an early indication of required headcount.
Execute phase: Days 30-80
By now, you should be actively making progress towards closing out quick wins – focus on the top three urgent issues, addressing them with established enterprise security architecture principles — integrated by design, rather than bolted on.
This is the time to get a tabletop exercise executed. As part of your tabletop exercise, ensure engagement of all key stakeholders, including executives, PR team, HR team, legal team and SOC team. This is an opportunity to demonstrate and educate executives on the potential impact of a successful cyber attack. Tabletop exercises are best delivered via an experienced third-party Incident Response team with a track record of working complex APT cases.
In this phase, you should also lead security-related governance forums and cyber steering committees focused on eliminating waste, addressing critical blind spots, maximizing cyber security investments’ value, and ensuring you deliver value quickly. The cyber steering committee should consist of cross-functional teams with domain expertise and business stakeholders, all with clearly defined roles, responsibilities and scope.
With a sound understanding of current state and gap analysis completed, focus on executing a game plan to achieve the desired state, taking into consideration controls and processes that must be prioritized to meet current and emerging risks with high likelihood and business impact.
Results phase: Days 45-100
You are approaching your first 100 days. If implemented, this framework will start delivering results and showing progress, and the best way to demonstrate that is with metrics tied to business goals. It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviors, such as the percentage of employees completing security awareness training.
Measure progress against the top five outcomes for the 100-day plan, as this will help you and the business identify which tactics are and are not working, so that ineffectiveness can be addressed quickly.
When reporting to executives and the board, keep in mind that bad news does not get better with time. Be sure to highlight any project risks as part of your regular exercises because executives do not like surprises. Clearly outline risk scenarios, likelihood, impact, risk mitigation plan and potential additional costs.
By the end of your first 100 days, aim to report on the following questions:
- What is our current capability maturity?
- What is the biggest threat to the organization?
- What part of the security posture requires the most urgent attention?
- What resources are required to address threats that will cause the organization most harm?
- How does the executive team want effectiveness of cyber investment reported?
- What is the organization’s risk if nothing changes?
As a final thought, remember that to succeed as a CISO you must win the hearts and minds of your key stakeholders. Your tenure’s success and cyber strategy hinge on how you are perceived through their eyes. Do not underestimate the importance of forging deep and meaningful relationships with key stakeholders.
For more insights from Ashwin Ram, please see CyberTalk.org’s past coverage.