Check Point Software’s cyber security evangelist Ashwin Ram shares a framework and crucial must-do’s for CISOs in their first 100 days to set them up for success.
Escalating privacy breaches in Australia highlight that existing cybersecurity safeguards are not sufficient and the bar needs to be raised by both businesses and the government to protect organisational data. Chief Information Security Officers (CISOs) are being hired to spearhead efforts to limit the cyber threats, but what does it take to be an effective data protection expert?
Beyond technical knowledge, successful CISOs need to master two main skills. The first is understanding the business they are working for, and the second is strong communication and credibility.
When starting a new role, preparation is key. Learn as much as possible about the organisation before day one. The company’s annual report is a great starting point, however, also allow time to research who its customers are and the lines of business that generate revenue.
Most importantly, ensure an understanding of the key business goals the organisation is striving towards. A clear picture of where the company is heading, and its previous results, will determine how much financial support is received.
It would be wise to understand if the business has made the news in recent times and if they have experienced any breaches.
Strong communication and credibility plays an important part in achieving successful outcomes. According to Deloitte, the “Majority of CISOs have to invest a lot of time to get buy-in and support for security initiatives.” In other words, clearly communicating cyber risk to business outcome has become a critical success factor for CISOs.
The CISO role is arduous at best. However, without support from the top, success may be unattainable. Therefore, understanding the organisation’s goals and stakeholders’ pain points must be a priority, so that you may strategically tie your cyber strategy to key business objectives. As as a safety measure, establish prior relationships with external Incident Response teams in the event you need to engage them quickly should cyberattacks happen in your first 100 days.
Step one – Start-up phase: Days 0 – 15
For a strong start, spend time with your direct report manager to align on key challenges and opportunities and discuss the vision for information security. Get acquainted with organisational structure and reporting lines, particularly within the legal, security, risk, compliance, HR, operations and governance teams. This is the time to start building relationships with key stakeholders to coordinate efforts to build and manage the business’ information security program.
During the first couple of weeks, analyse the cyber strategy to understand current maturity. This means analysing previous risk assessments, threat hunting reports, gap analysis and security roadmaps if they exist. You should also request the organisational security policies and audit reports, and access to any risk management tools.
While deep diving to understand the cyber maturity status of the company, make time to set up meetings and introduce yourself to key stakeholders. Lock in regular risk management meetings with appropriate stakeholders to discuss the business’ risk profile, laying the foundations to discuss the status of any open or untreated risk.
Within this time frame, identify your key security vendors and establish communication. Your key security vendors can assist with gap analysis. At Check Point for example, we offer free Cyber Security Risk Assessment that can be leveraged by CISOs for an evidence-based discussion.
Cyber does not exist in a bubble. If you have not already done so, seek like-minded people trying to solve the same challenges you are – find your ‘tribe’. Chances are someone has either already dealt with, or is currently dealing with, the challenges you are. Collaboration with industry peers can be a powerful approach.
Step 2 – Understand phase: Days 0-45
In the first month and a half, focus on understanding security and compliance-specific projects and initiatives. Identify which tasks need to be prioritised based on overall current state maturity, existing security program, critical control deployment and top risks. Spend time understanding your business’ incident response capability, the top 10 business-critical applications and their respective threat models.
Sound cyber security programs are underpinned by effective information security governance, so start by understanding the roles and responsibilities for your organisation’s information security governance. Be sure to clearly understand which roles are responsible and accountable for decision-making, who should be kept informed and who within your network should be consulted. Validate that sound security practices are in place, to support strategic organisational objectives and risk management. Review the company’s information security charter to understand its security vision, security mission and cyber security scope, as well as which departments must comply.
One of your key tasks must be to identify the business’s mission critical data or “crown jewels” — such as information about customers, intellectual property, product designs, and finance — and the current security controls around them. Keep a register and prioritise the non-negotiable controls to keep all critical assets secure — for example, ensuring all databases are encrypted.
With supply chain and 3rd party risk at the forefront of many recent breaches, spend time understanding if third parties are hosting your organisation’s critical assets, review contracts to familiarise yourself with their responsibilities and how well they meet their security obligations.
To gain a fresh perspective on your approach and secure advice on navigating stakeholder politics, identify and build relationship with at least one internal and one external executive mentor. One of the primary roles of a CISO is information security risk management, so spend time understanding how risk is classified (risk taxonomy) and ranked within the business.
Step 3 – Prioritise phase: Days 15-60
It is time to focus on prioritising activities, developing a vision to share with your manager, team and key stakeholders, and getting feedback to refine your plan.
Start by building an Information Security Strategy that is business-aligned, risk aware and holistic, enabling you to clearly communicate the company’s information security risk profile. Consider putting together a controls framework that satisfies multiple compliance requirements by testing a single control.
From a controls perspective, a holistic approach is better executed with a consolidated security architecture that includes the protection of cloud, network, endpoints and comprehensive user access, all empowered by a single management and security operations platform. That means having all the logs speak the same language, providing visibility and situation awareness from a single dashboard that generates reports in an automated fashion. This approach is a game-changer and addresses many of the hurdles CISOs and security teams face.
Align with your direct report and stakeholders on at least three key issues to close out over the next two months. These will be your quick wins — projects that significantly impact the cybersecurity program with minimum effort. Quick wins will help gain credibility early on, ensuring CISOs gain support from above for their initiatives.
Another quick win is prioritising customised security awareness and education training throughout the enterprise. This activity can be easily outsourced; an important first step in forging an awareness-driven culture where everyone in the company understands that cyber security is everyone’s responsibility. Be sure to use the results of security awareness trainings to demonstrate maturity of the cyber security awareness culture.
To execute an information security program, you will need funding. In this phase, plan your operational security budget for the next couple of months and get an early indication of required headcount.
Step 4 – Execute phase: Days 30-80
By now, you should be actively making progress towards closing out quick wins – focus on the top three urgent issues, addressing them with established enterprise security architecture principles — integrated by design, rather than bolted on.
This is the time to get a tabletop exercise executed. As part of your tabletop exercise , ensure engagement of all key stakeholders, including executives, PR team, HR team, legal team and SOC team. This is an opportunity to demonstrate and educate executives on the potential impact of a successful cyberattack. Tabletop exercises are best delivered via an experienced third-party Incident Response team with a track record of working complex APT cases.
In this phase, you should also lead security-related governance forums and cyber steering committees
focused on eliminating waste, addressing critical blind spots, maximising cybersecurity investments’ value, and ensuring you deliver value quickly. The cyber steering committee should comprise of cross-functional teams with domain expertise and business stakeholders, all with clearly defined roles, responsibility and scope.
With a sound understanding of current state and gap analysis completed, focus on executing a game plan to achieve the desired state, taking into consideration controls and processes that must be prioritised to meet current and emerging risks with high likelihood and business impact.
Step 5 – Results phase: Days 45-100
You are approaching your first 100 days. If implemented, this framework will start delivering results and showing progress. And the best way to do that is by using metrics tied to business goals. It is not necessary to jump into highly technical metrics right away. A lot can be gained from metrics that track behaviours; such as the percentage of employees completing security awareness training.
Measure progress against the top five outcomes for the 100-day plan, as this will help you and the business identify which tactics are and are not working, so ineffectiveness can be address quickly.
When reporting to executives and the board, be sure to highlight any project risks as part of your regular exercises because executives do not like surprises. Clearly outline risk scenarios, likelihood, impact, risk mitigation plan and potential additional costs.
By the end of your 100 days run, aim to report on the following questions:
- What is our current capability maturity?
- What is the biggest threat to the organisation?
- What part of the security posture requires the most urgent attention?
- What resources are required to address threats that will cause the organisation most harm?
- How does the executive team want effectiveness of cyber investment reported?
- What is the organisation’s risk if nothing changes?
As a final thought, remember that for a CISO to succeed, you must win the hearts and minds of your key stakeholders. Your tenure’s success and cyber strategy hinge on how you are perceived through their eyes. Do not underestimate the importance of forging deep and meaningful relationships with key stakeholders.
Ashwin Ram is Cyber Security Evangelist at Check Point.