CISO’s First 100 Days: Ermetic’s Guide to Getting Started
Everything you need to know about securing your cloud as a CISO.
Congratulations! You’re starting out at a new company as CISO, a critical leadership function that includes owning your organization’s cybersecurity strategy. You probably have lots of plans and ideas, as well as concerns and questions. With the growing importance of the role, CISO responsibilities are expanding. So it’s more important than ever to position yourself for success during your first 100 days.
Excitement aside, this period can be daunting. CISOs have to deal with the growing scope and sophistication of cyber attacks, as well as pressure from management and IT to introduce digital transformation, public cloud adoption and new modes of remote connectivity. This could easily turn into a recipe for disaster. It’s no wonder that the average tenure of a CISO is (an often stressful) 26 months and that 24% of CISOs leave after only one year.
To help you navigate the waters, we’ve prepared a guide for your first 100 days as a CISO. We hope this read helps you prepare, plan and execute on your vision with corporate leadership, your team and other stakeholders. Coming prepared and constantly communicating your ideas will help you be successful.
While some of you reading this may have already accrued CISO experience and could probably write this article yourselves, you may have never had so much cloud on your plate. That’s why, in addition to general information, we’ve sprinkled in tips for incorporating the acceleration of cloud infrastructure adoption into your plans.
The guide is divided into six actionable steps spanning 14 weeks (98 days):
- Step 1 - Getting to Know the People and the Organization - 2 weeks
- Step 2 - Identifying Current Risks, Processes and Procedures - 2 weeks
- Step 3 - Researching the Latest Threats and Tools - 2 weeks
- Step 4 - Building the Strategy, Goals and Plan - 3 weeks
- Step 5 - Communicating the Plan - 2 weeks
- Step 6 - Execution and Measurement - 3 weeks
Now let’s dive into each one.
Step 1: Get to Know the People and the Organization - 2 weeks
When starting at a new place, an area of huge importance -- and easy to overlook -- is establishing personal relationships and gaining knowledge of the business. During the first two weeks, we recommend focusing on getting to know your colleagues, the business mission and the roles people play in it.
Set up meetings with your team, all key stakeholders and corporate leadership. Use the time to introduce yourself and get to know people. Prepare questions in advance that cover:
- Personal introductions
- Business roles and responsibilities
- Pain points
- Business KPIs
- The relationship with the security department
When speaking with your team, try to identify opportunities for their growth, as well as identifying missing roles, such as in cloud infrastructure security, which is a fairly new domain that is hard to find talent for.
In addition to personal meetings, use this time to gain a wider understanding of the business landscape. Learn about the company from corporate communications, reports, podcasts, articles, board reports and additional content assets. But don’t stop there - to gain a complete understanding, read about competitors and other industry players.
Later on, when you get to the stage of building your plan, this information will help you establish where you fit in and how your domain can have the most impact.
Step 2: Security Risk Assessment, Auditing Processes and Procedures - 2 weeks
Now that you’re familiar with the business, you next want to assess the state of the organization’s security program. Like the first step, this step is also geared toward collecting information. Don’t be tempted to put out any fires just yet. Your goal is to find out what’s operating well, what challenges need to be addressed -- and where the opportunities lie.
Analyze the company’s security posture by studying the IT architecture, auditing and inventorying the implemented tools and policies, and speaking with the vendors the company has partnered with. Examine any metrics, results of security tests and audit reports, and understand to what extent cloud accounts are properly managed, monitored and cleaned up. Learn about any previous cyber attacks and what was done afterwards to mitigate risk in the affected systems. Explore the scope and granularity of visibility you and your teams have into your cloud infrastructure.
One process to take notice of is any recent or upcoming acquisitions. During M&As, acquiring companies “inherit” the existing cloud infrastructure of the acquired organization, as well as the responsibility for securing it. Merging applications, users, permissions and resources requires special attention, from identity cleanup to implementing digital guardrails. Since this process is time-consuming and labor-intensive, it’s important to make room in your plan for the dedicated resources and attention required.
Finally, identify where the company stands in accordance with compliance regulations and industry best practices. Many CISOs use CIS benchmarks and other standards as part of their strategy for protecting their cloud infrastructure. Assess if your organization’s tools for managing compliance and cloud security posture are effective.
Step 3: Researching the Latest Threats and Tools - 2 weeks
While you’re probably already tracking cybersecurity market trends, the market’s growing granularity requires some degree of specialization in the many different types of threats and solutions. After studying your organization’s architecture and existing gaps for a month, you can now conduct relevant in-depth research into the most pertinent threats to your business, assess risks and find the vendor solutions that can answer them.
For example, if your organization, like most, is rapidly expanding its cloud infrastructure, learn about which new technologies are required to secure it. Securing on-premises infrastructure is different from securing cloud infrastructure and requires a shift in organizational mindset and culture.
By keeping up-to-date, you will be able to properly build your agenda. More importantly, this will help you communicate your agenda across stakeholders, toward achieving buy-in later on.
Sign up to industry newsletters, follow influencers on social media, speak with analysts and do your own online research. When finding vendors, look at the corporate giants as well as up-and-coming startups that can help you overcome your challenges by specializing in your specific needs. Finally, try to identify online forums and groups you can join to continue your learning and consult with in the future.
Step 4: Build Your Strategy, Goals and Plan - 3 weeks
Now is the time to organize all the information you’ve absorbed and the research you’ve done to build your agenda:
- Write down your vision and mission statement
- Determine your goals. Pro tip: Align them with your organization’s business goals. This will help you get organizational buy-in.
- Establish a security charter that fosters governance and control, including reactive and proactive risk mitigation, over your environments
- Prioritize which issues you will focus on in the upcoming months. It is recommended to choose three to five issues to tackle first, with at least one that will enable you to showcase immediate success. This will help you establish yourself in the organization.
- Determine the department structure. Be sure to include responsibilities for existing needs as well as future plans, like accelerated cloud adoption.
- Build an execution plan with your team. Include points for cross-team collaboration with IT and DevOps.
- Identify metrics and create a framework for establishing success.
- Choose any tools you are lacking. It is recommended to involve your team in the process, like this VP at Aidoc, as they will be the tools’ most active users.
Step 5: Communicate Your Plan - 2 weeks
Having a plan is half the battle. In today’s era, CISOs also need to invest thoroughly in communication and alignment to raise awareness and be able to execute their plans. Go on a company-wide roadshow with your plan. Present your goals to leadership and relevant stakeholders, while explaining how they align with the business goals. Get feedback and make any required adjustments to the plan. Become the security leader the company needs. Instead of waiting for approval, show the board how you will be securing fast-paced technologies in the company’s future, like cloud adoption.
Lack of communication and alignment can contribute to high turnover, so don’t skip this phase.
Step 6: Execution and Measurement - 3 weeks
The past two and a half months have been focused on learning, planning and contemplating. You can now hit the ground running by beginning to act on the decisions you’ve made. Identify and manage your first assignments with your team and get involved in any existing processes that began before you joined.
Start presenting the metrics of your progress to leadership and stakeholders while highlighting quick wins. If progress isn’t being made as expected, try to identify if the cause is expectations, resources or execution. Adjust, optimize and forge ahead.
Starting out at a new company is never easy and starting out as a CISO with today’s tall order of rapid cloud expansion has its own set of unique challenges. By understanding what you have and what is needed, planning thoroughly, communicating constantly and establishing trust, you will be able to land on your feet and protect the business by improving your company’s cybersecurity posture.