Embrace the Change
This article covers part 1 of a four-part series about a Chief Information Security Officer’s (CISO) journey through their initial 365 days. It is based on collective experiences documenting the CISO’s role and can be treated as a playbook for a practicing CISO. This journey is generic enough to be applied across industry verticals or the private/public sectors. They have similar cyber challenges and opportunities. It is an industry saying that C-level executives (Chief information officers (CIOs), chief technology officers (CTOs) or CISOs) have about 12 to 18 months to deliver their vison and the transformational changes.
No Two Journeys are the Same, but the Footprints are Different although the Paths are the Same
The immediate task is to become familiar with the landscape by reaching out to the stakeholders, customers and team members about their challenges and opportunities. You will be pleasantly surprised by the information that is shared. It is also advised to reach out to your network of fellow CISOs, mentors/coaches and cybersecurity experts within your ecosystem to seek advice and suggestions to be successful in this role. I also call this a 4/10 plan (ten points/tasks to score in each quarter). Figure 1 below illustrates a simple Gantt chart view of the suggested tasks for the first 90 days.
Figure 1: The 4/10 Plan for the first 90 days
First 90 Days Goals – Framework/Policies in Place, Assessment/Roadmap for Board Narrative
The first 90 days are crucial for establishing credibility as a cybersecurity leader. Planning, communicating and establishing a vision/goals are the key objectives for this period. Please note that the actions in this period will lay a solid foundation for the actions and accomplishments of the future.
The 30-60-90 day plan is a critical tool. It is a valuable tool to be used for alignment, expectation setting and realizing the short and long-term goals. There is no prescribed format and it can be iterative. This is extremely helpful in aligning with the IT leadership vision and starts the position on the right footing. This also assists with upward and downward organizational communication.
Self or vendor assisted cyber assessment is the right way to build a cybersecurity program. It helps to focus on the high priority gaps and channels investment for the best return on investment. Please note that you need to remove the political impacts of the assessment results and seek candid results.
In my case, NIST 800 was the underlying framework and basis of all the policies. Having a framework helps with consistent policies that can be used for the programs evolving from the assessment results and for security awareness for the organization. Relying on a proven framework allows you to leverage the collective best practices already built into it.
Deliver Cybersecurity Strategy/Roadmap for Year 1-3
After the Cyber Risk Assessment, this is the most significant task/deliverable which helps with the CISO journey for the first 90 days on the job. It culminates into a road map for at least three years based on the assessment, risks and gaps and lays out a plan which needs to be reviewed periodically (quarterly) and adjusted/reported. The roadmap helps in organizational alignment and with the C-suite/board narrative.
Business Continuity/Disaster Recovery/Incidence Response Validation
The current COVID-19 pandemic has again proven the importance of having these plans and testing. The creation and testing of these plans will only provide an insight to the organizational cyber/IT vulnerabilities which can be rolled into the roadmap for resolution improving the cybersecurity posture.
Resource Evaluation for Roadmap and Needs Analysis
The cybersecurity domain has huge resource gaps. Based on the draft roadmap, a critical resource evaluation process such as assessing the current resource skills set, creating a demand pattern and active recruiting is extremely important to deliver the program portfolio as well as sustain the operations.
Buy-in from Board/Key Stakeholders
One of the major issues CISOs face is board awareness of cyber issues and its impact on business operations. Board awareness of the cyber strategy and issues are extremely critical and should be visited quarterly. Some of the organizations have an enterprise risk committee under the chief risk officer (CRO) and the same communications should be provided to them.
Security Awareness Training and Phishing Campaign
As we all know, a single click by a not so cyber aware employee can result in ransomware/malware issues. We can invest in expensive and sophisticated tools/platforms, but cybersecurity awareness for the staff and leadership is the most critical defense. Operating a cybersecurity awareness program along with a phishing campaign to test the effectiveness is a critical task in the first 90 days. The metrics from the phishing campaign assists in identifying the gaps in the armor.
Top 5 Issues Resolution Path
The CISO should identify the top five issues within the first 30 days and put together a solution path based on the above tasks. Timely resolution will bring relief to the business operations and improve the cybersecurity posture. This should be treated as a test and lessons learned can be funneled into the next 90 days plan.
- Strategize and plan during this phase. Seek counsel from your trusted network. Please check out my Govloop article, “Strategize, Plan, and Operate”.
- Focus on establishing your vision and alignment with c-suite and board. Plan on simple but foundational and effective wins.
- Iterate and revise the strategy based on the feedback and changing landscape. Develop trusted relationship within and outside the ecosystem. Please refer to my article on, “The Importance of Cybersecurity Ecosystem.”
Rajiv has more than 25 years of information technology strategy, operations, large systems integration, cyber security and program management experience. Rajiv is a principal with Plante Moran management Consulting, cybersecurity practice after serving as Chief Information Security Officer (CISO) for the Department of Technology, Management and Budget, State of Michigan.