First 90 Days: Exploring the CISO Role

The first 90 days in any new role are critical, but for a Chief Information Security Officer (CISO), they can be make-or-break. This period is your opportunity to understand the organization, build relationships, and set the foundation for a successful security program. Here’s a breakdown of how to strategically approach your first 90 days as a CISO based on a STRONGER 2024 session.

The Pre-Work: Setting the Stage for Success

Before you even officially start, take time to prepare. Understand that compliance and security go hand-in-hand. Use compliance as a carrot to encourage stakeholders to adhere to security requirements, highlighting the business benefits of certifications and adherence. Conversely, use non-compliance as a stick, emphasizing the potential financial, strategic, and PR consequences of neglecting security protocols.

Breaking Down the First 90 Days

Instead of viewing the first 90 days as a single, overwhelming block, divide it into three 30-day periods. This approach allows you to set short-term goals and manage your time more effectively. By breaking down the period, you'll avoid spreading yourself too thin and ensure more efficient progress.

Month 1: CISO Partnership and (Necessary) Firefighting

The first 30 days should be heavily focused on building partnerships and understanding the organizational landscape.

  • Prioritize Relationships: Identify and connect with key stakeholders across the organization. Aim to understand their roles, priorities, and perspectives on security.
  • Connect with Stakeholders: Cast a wide net. Stakeholders can include the CFO, CRO, CTO, CPO, VP of Marketing, Head of Compliance, Head of People Ops, VP of Legal, Head of Sales, industry experts, law enforcement officers, external auditors, distinguished architects, and senior TPMs.
  • Limit Firefighting: Avoid getting bogged down in tactical execution unless necessary. Focus only on critical incidents that pose immediate threats, such as major system crashes or data breaches due to MFA failures.

Month 2: CISO Cyber Risk Review and Assessment

With relationships established, the next 30 days should be dedicated to reviewing and assessing the current state of the organization's security program.

Financial Review:
  • Assess current budget allocations for the security team.
  • Understand headcount costs and vendor expenditures.
  • Review critical vendor contracts, especially those up for renewal.
  • Consider implementing a chargeback model for security services provided to internal teams.

People Review:
  • Evaluate the skills and roles of existing team members.
  • Analyze the effectiveness of managed service providers (MSPs).
  • Assess open roles and determine whether they align with current needs.

Technology Review:
  • Review the current security stack and its effectiveness.
  • Identify gaps in the tech stack and areas for improvement.
  • Conduct a deep-dive assessment with the CTO and distinguished architects to understand past technology decisions and future plans.

Risk Review:
  • Review past cyber risk assessments to understand which risks have been mitigated, eliminated, or transferred.

Review and Assessment - Where CyberStrong Shines

This is where a platform like CyberStrong can provide significant value. This period is dedicated to reviewing and assessing the current state of the organization's security program across several key areas:

  • Financial Review: Understand budget allocations, headcount costs, and vendor expenditures. CyberStrong can help track security spending, analyze ROI on different security investments, and manage vendor contracts effectively.
  • Technology Review: Review the current security stack and identify gaps. CyberStrong allows you to centralize and visualize your existing security controls, identify redundancies, and pinpoint areas where new investments are needed. It can also facilitate deep-dive assessments with the CTO and architects by providing a clear, data-driven overview of the current technology landscape.
  • Risk Review: Review past cyber risk assessments. CyberStrong can help automate and streamline the risk assessment process, providing a comprehensive view of the organization's risk posture, and tracking mitigation efforts.

Month 3: Planning and Risk Prioritization

The final 30 days should be used to consolidate your findings and develop a strategic plan for the future. Use the insights gathered during the review and assessment phase to prioritize initiatives and define objectives for the coming months. This will involve:

  • Identifying key areas for improvement
  • Developing a roadmap for implementing changes
  • Communicating your plan to stakeholders and the Board.

CyberStrong and the CISO Role: A Deeper Dive

Here's how CyberStrong specifically supports the CISO in those critical first months and beyond:

  • Centralized Visibility: CyberStrong provides a single-pane-of-glass view of your entire security program, bringing together data from various sources to give you a comprehensive understanding of your organization's security posture.
  • Automated Risk Assessments: Streamlines the risk assessment process, saving time and resources while ensuring consistent and accurate results.
  • Compliance Management: Helps map controls to various frameworks (SOC 2, ISO 27001, GDPR, NIST 800-53, etc.) and track compliance progress, simplifying audits and demonstrating adherence to regulatory requirements.
  • Reporting and Communication: Provides customizable reports and dashboards to communicate security status and progress to stakeholders, fostering better collaboration and decision-making.
  • Improved Decision-Making: By providing data-driven insights, CyberStrong enables CISOs to make more informed decisions about security investments, resource allocation, and risk mitigation strategies.

Expanding the CISO Role in Cybersecurity

To succeed as a new CISO, it is essential to prioritize building strong relationships within the organization. Understanding the business's objectives, culture, and priorities is crucial for aligning security initiatives with overall goals. Demonstrating capabilities through impactful projects establishes credibility and builds trust. Early on, active listening and learning from stakeholders are more valuable than immediate changes. Leveraging compliance requirements is an effective way to drive security improvements. Additionally, technology platforms like CyberStrong can streamline risk assessments, manage cyber risk, and enhance decision-making with flexible cyber risk quantification and easy-to-use reports, contributing to a successful tenure as a new CISO.

By following these guidelines, new CISOs can confidently navigate their first 90 days, establish a strong foundation for their security program, and position themselves for long-term success.

Published March 3, 2025
Alison Furneaux