Here are the fundamentals for a newly appointed CISO:
1. Meet with business executives and understand business stakes
Meet with the Executive Committee to understand where the company is going and what the current and future business plans are.
Meet with Business Executives to introduce yourself and understand their activities. Let them speak, and take note of their shopping list of IT issues.
Don’t forget to meet with risk executives and Internal Audit to gain an understanding of past issues and challenges, as well as Legal to understand the regulatory environment.
Meet weekly with the CIO to keep him posted about your actions and gather his own priorities.
Meet daily with your staff and get to know them. Ask them for their own feedback on the situation. Take care of them: cybersecurity resources are scarce.
2. Meet with IT key players
At the same time, make sure to bond with key IT players and understand their own challenges.
3. Think about getting an executive coach if you are new in the position
Cybersecurity is complicated. You need to make sure you have all the means to understand what your technical staff are explaining to you, so that you are making informed decisions. It is easy to spend the money in the wrong place and to give priority to the loudest business executives. Gaining a skilled cybersecurity executive advisor who can challenge you or educate you in one-on-one meetings can be your best asset. Even if you are knowledgeable, he or she can be your double and stand in for you at meetings where you need trusted ears while you attend other, more important ones.
4. Assess the cybersecurity posture
Hire a consulting firm to gain an objective view of the IT risks and the associated business stakes. Even if you have been newly appointed, third-party reports always get more attention. The assessment should cover IT issues, the associated business risks and an action plan, and be aligned with the enterprise risk framework if one exists.
5. Develop and communicate the strategic cybersecurity programme
Discuss the cybersecurity programme with the CIO and the Risk Committee. Adapt and finalize the planning and funding of the programme. Identify the quick wins that will allow you to show progress easily and key indicators that should not be ignored.
6. Measure and report
The CISO position is tricky. You often bring bad news and vulnerabilities to the table. Make sure you always keep some good news to show the remediation you have implemented and demonstrate that you have indeed reduced the level of risk. Be ready to argue for your budget. Get a sense of how much you should spend on remediating each issue, and bring a perspective of how much needs to be invested versus how much it would cost should the risk materialize. Don’t be too ambitious, but be ambitious enough to be willing to change things.
7. Never forget to find allies and keep some good news
Seek allies with your CIO but outside as well, with independent third parties who can help you keep a cool head. Make sure you have key contacts in the industry (RCMP, peers, etc.). Find some time to participate in peer-to-peer cybersecurity events and subscribe to cyberthreat watch services.