Carrying out the mandate of the chief information security officer (CISO) has never been easy, but today’s increasingly fraught digital landscape has made it even more difficult. What’s more, new and complex compliance requirements have opened the door for potential personal criminal liability in the event of a data breach or other cyber incident.
It’s a big job that touches just about every part of the organization, and the ability to hit the ground running can make a big difference. But with so many tasks at hand, just knowing where to start can be a significant challenge.
How a new CISO operates during their first 90 days on the job will set the tone and precedent for the remainder of their term. When I first stepped into my role as a CISO, I established clear goals for myself at the 30-, 60- and 90-day benchmarks because I knew it was important to enter with a plan and a clear vision of what would constitute success.
It was a learning experience, and despite the fact that not everything went according to plan, I look back on those first 90 days with pride and fondness. Here’s what I learned from my initial three months on the job:
Hit the ground running, but don’t try to sprint
Preparation is critical. Before you even set foot in your new office, you should be doing extensive research on the threat landscape of your industry.
What recent threat activity has been in the news? What major (and minor) incidents have taken place over the past year or so? You should also know the relevant costs associated with a breach in your industry, based on the attack activity your research reveals. It’s important to know what dangers are out there and the cost of inaction.
The worst thing you can do is hear about a risk and not document it.
One piece of advice has always stuck with me: you’ll never get those first 90 days back. There will never be another time when you can focus purely on research and discovery. As you settle into the role, you’ll become more ingrained in daily activities and begin executing your vision. But during those first 90 days, it’s important to resist the urge to dive in, start working on deliverables, or go heads-down on new initiatives. This is your time to watch and listen.
Know who can give you the answers you need
As soon as you can, map out the internal and external stakeholders you need to know and start scheduling meetings with them.
Before I even started, I sent a complete document collection request to each one, asking for recent maturity assessments, organizational charts, recent board decks, and documentation on any relevant processes. Because of that, I had all the documentation I needed on my first day.