New CISOs' Top 3 Strategies for Success
The true story of a CISO in trouble
At the conclusion of his first year running a security team, a team he had inherited as a new responsibility through a company merger, my client, Rick, was expecting to receive glowing praise from his boss, the CIO. After all, Rick had managed to keep his small team of engineers from falling behind on their support of IT-wide initiatives while keeping up with their security operations duties.
That wasn't all. Rick did all of this while also being willing to tackle additional tasks that should have belonged to an under-performing compliance group that didn't even report to the CIO. Sure, he had to drive his team hard and roll up his sleeves to help out, working additional hours himself, but it felt rewarding and he was sure it would be worth the time.
As you're probably guessing, this wouldn't be noteworthy if the story ended with a glowing review. Rick was stunned to learn that the CIO, Brenda, wasn't pleased with his performance and was further dismayed to learn that his bonus was in jeopardy. The CIO gave Rick credit for keeping security afloat and was happy that he was willing to take on additional responsibilities to pick up the slack from the compliance group, but that wasn't nearly enough.
How could he have avoided the pitfalls that snared him?
As an advisor to security and risk leaders, I've worked with new Chief Information Security Officers who've risen to this position from backgrounds as varied as you can imagine. Some are promoted from the ranks of security analysts, some move to security after successfully running other technology functions, and some even come from outside of IT. No matter where they start or in what industry they work, my advice seldom strays from these three key strategies:
1. Focus on your customers’ needs
As the CISO, start thinking of security in terms of the services that you provide to IT and to the business. When you manage upwards to the CIO and the board and outwards to the business lines, it clears the way for your team to focus on delivering the goods. By ensuring that leadership understands the business value that comes from safeguarding data and IT infrastructure, you help your team prioritize their work and communicate their needs.
It's easy to think you're helping by lending a hand to solve a patching problem or run a network scan, but as a leader, recognize that this might not be the best way to contribute. If you come from a technical security background, fight the inclination to dive into every project and security challenge. If you're new to the security field, avoid becoming mired in the jargon and technical details.
2. Be an agent for change
As a new leader, it's likely you've inherited a security program that could use some maturing. Whether your concerns relate to the security architecture and tools, the policies and procedures, or your team's skills and resources, chances are pretty good that you'll discover at least a few weaknesses, [cough, cough] ahem, I mean opportunities for serious improvement. You'll only be thought of as part of the solution for so long, after which you'll be thought of as part of the problem.
As someone coming in with a new perspective, don't be afraid to point out these weaknesses. You'll be viewed as an agent of change, which I promise is a good thing. Just be prepared to back up your concerns with recommendations supported by a business case that weighs the risk reduced against the cost of the remedy.
3. Define what success means
Too often, security teams become the dumping ground for responsibilities that should fall within the scope of other groups. This stems, at least in part, from poorly defined guidance on the role of security and a weak understanding of how it supports the business.
As a CISO, it’s crucial that you establish clear boundaries and scope for your program. This should be formalized in a security program charter that describes, at a high level, your:
- Contribution to the goals of the business,
- Main functions and primary roles,
- Key interactions with other groups, and
- Reporting relationships and oversight.
The charter should describe how you'd ideally like to operate, not necessarily how you function today. It should also tie into metrics that communicate success by aligning the performance of security functions with business goals and objectives.
The triumphant conclusion to the story
I’m happy to report that Rick’s less-than-stellar review was the wake-up call he needed to implement these strategies. Rick took a step back to:
- Evaluate the maturity and gaps in his program, and
- Define a long-term strategy improvement roadmap.
Rick is still willing to take on additional responsibilities, but not without specifying the resources he would need to avoid impacting current priorities. At the end of his second year, Rick was praised and rewarded for a job well done. BRAVO RICK!