Four years ago, 20 percent of CISOs had less than two years on the job, according to Gartner. Today it’s closer to 30 percent, according to analyst estimates. “You’ve also got all of these open positions where there is no CISO but there is funding, and they’re trying to hire,” says F. Christian Byrnes, Gartner managing vice president. “If there were enough people to fill those positions, it would be 50 percent.”
Short tenures put added pressure on the company and the CISO because it takes at least two years for a CISO to learn the job and be comfortable with it, Byrnes adds. CISOs have little time to formulate a course of action, make connections, establish a management style, and win over stakeholders – let alone see their plans come to fruition. Successes and failures in the first year can also affect how others buy into their security strategies going forward.
“A new age CISO must think big, act small and go fast,” says James Christiansen, who has served as CISO at Visa, General Motors and Experian.
Veteran CISOs who have successfully made the transition to a new company, along with industry experts, offer five security moves that should be part of every new CISO’s playbook.
1. Understand the company, learn the culture, find allies – fast.
In the first two weeks at the helm, a CISO must sit down with senior leaders in every sector of the organization and listen to their goals and concerns, Christiansen says. Then they must adjust their own value proposition to meet those leaders’ goals. For instance, “instead of conveying how you’re going to stop something from happening, tell them how you’re going to keep things moving,” he says.
“This is your one shot while you’re in your honeymoon period to open up and say here is where we need to improve things,” says Christiansen, who is now vice president of information risk management at cyber security solution provider Optiv Security.
When these leaders understand the value proposition that the CISO brings to the company, they become allies. As a new CISO at Experian, Christiansen remembers walking into the marketing group president’s office. “She was concerned that I was going to bring a lot of cost to her organization with encryption and other security measures on all the data. When I started talking to her about matching risk with the level of data and that we didn’t have to do all of it, suddenly she was one of my biggest allies on the executive board and could tell them ‘he understands,’” he recalls. With allies in place, plans will move more quickly.
2. Stop the bleeding
Once a CISO has assessed the current security environment, he can gauge the risk exposure, then set priorities carefully and avoid overcommitting, according to Gartner. Identify the five most pressing issues that you have to deal with, and then select two of these that you will focus on during your first three months.
“Getting a handle on cyber security and making sure you have the right protections in place is one of the core things you can do to really improve an organization quickly as a new CISO,” says Michael Eisenberg, former CISO at Aon plc. and global information security director at McDonald’s.
Some aspects of security programs are traditionally weak, Eisenberg says. Companies traditionally struggle with vulnerability management, not just for critical systems but for all of their systems across the board. “You’ve got to do it, and you’ve got to be good at it,” Eisenberg says. He recommends getting outside help until the CISO can build the technology and talent to protect the company’s own assets.
Tuning up company-wide security awareness programs can also have an immediate impact on security, he adds.
3. Skip the technical details for now
The most common mistake a new CISO makes is trying to immediately exert technical control, Byrnes says. They may become locked into those early decisions and “can almost never break free to where they should be in terms of being business-facing.” Even worse, “they’ll probably get such an incredibly negative reaction that they’ll probably never recover,” Byrnes adds. “Unfortunately I see that fairly often.”
4. Step up communications skills
One looming change affecting CISOs after the Target and Sony breaches is the Securities and Exchange Commission’s growing pressure on publicly held companies’ boards of directors to be aware of cybersecurity plans and perhaps, in the future, be held liable if a breach occurs.
“Their liability is in their oversight of their cybersecurity. That means that every board is asking ‘what are you doing about security?’ They all want very clear and meaningful reports on the security program,” Byrnes says.
CISOs need to learn how to communicate with board members, which requires “a new level of abstraction and business orientation above what they’ve ever had to deal with before,” Byrnes says. He reviews about three security reports to the board every week for CISO clients. A few months ago, he would only review one every couple of months.
5. Build a long-term security strategy based on business goals
Beyond solving the immediate security concerns of the business, the CISO must lay out a business-aligned security strategy that also supports future business objectives, Eisenberg says.
If the company is privately held but thinks it might be going public in the next two to five years, for instance, the security program that a CISO must build in that company would be an IPO enablement program, he says. “Not only would I want to protect the assets of the company but I would also want to build out the regulatory environment that you would be required to have for a public company,” Eisenberg says.
When it comes to business alignment, if a company is transforming to an ecommerce environment, for example, “the security program you would build for a company doing the majority of its business on the Internet is a lot different from a brick-and-mortar” security program, he adds.
There is no way to know what security challenges await a CISO until they actually enter the job, even if they’re promoted from within the company, Byrnes says. The CISO must get inside, assess the security landscape, realize that security risk can’t be completely eliminated, and figure out how much security is enough.
“The CISO is a translation point of gathering business-related information and translating it into technical requirements,” Byrnes says. “It’s about understanding acceptable levels of risks.”