So you landed a CISO job, what comes first?

In infosec, as in any job, it is always a good idea to ask your direct manager or HR what their expectations of you are. If you did your hiring due diligence properly you probably already have a fair understanding, but getting it up to date is crucial to your success. To avoid looking “amateurish” [1] (or, worse, not remembering what you were told during your probably numerous hiring interviews, or, even worse, having no clue what you were hired for), ask the question in a way that ranks the stakes. For instance: “What should get done in 30/60/90 days?” Be prepared to gently but firmly challenge unrealistic expectations.

As you have probably gathered by now (this already being the ninth article of this blog; time surely flies…), I am a firm believer in CISOs standing on both legs: governance and SecOps. As such, unless specific conditions force you otherwise (hello, infosec crisis follow-ups… 👋), you should kickstart things on both sides. This article explores what to kickstart on the first leg, governance.

Regarding governance, I broadly agree with this link [2] that you should aim at building relationships early on. However, depending on your seniority in the job, I would not encourage you to go straight to the CEO's office [3]. It may be better to first get an understanding of the context of your new environment, to strengthen your footing, either with Legal (regulatory, compliance and reporting concerns, composition of subsidiaries) or with Finance representatives (cash, money and business flows [4]). These insights are crucial to your success as a CISO because the general rule of thumb applies without exception here: you cannot protect what you don't know. Moreover, it would be rather awkward to ask these questions of a senior executive (be it the General Counsel or the Group CFO) after your first quarter, semester or year in the CISO position, don't you think? At the very least it would certainly not help them see you as an asset for the company, nor help (or even sponsor) you in getting a seat at the EXCO table. On the other hand, if the previous incumbent never dared to ask them this type of question, and hence never clearly understood the basics of how the company makes and reports money, you will have scored points, big time!

Now that you have a brief but sufficient introduction to the business you are tasked to protect, you can turn to your SecOps leg to ensure that basic [5] infosec hygiene practices are in place. I am talking PIMMS here: Patch, Identity (/admin), Malware protection, MFA, Safeguard your backups. ==> A link to the next article will be added when it is published.

Sources: this series of articles is loosely inspired by the following materials, which I read when I first became a CISO, circa six years ago. Since I have not reread them since, the inspiration may be either vague or substantial depending on the impact they had on the CISO I became:

  1. As one of my most recent bosses loved to remind his subordinates: first impressions matter, and you only get one chance to make a good first impression, so prepare yourself, rehearse your speech, sharpen your PowerPoint.
  2. https://www.linkedin.com/pulse/how-effective-accepting-ciso-role-gary-hayslip-cissp-/
  3. Cf. the first footnote.
  4. On this particular point it might be smart to point out to the CEO that some material part of the cash flow is not part of your de facto scope of operations. This may be the case even if you are the group CISO, for instance if you report to the CIO and some subsidiaries/entities rely on their own information systems (the most common examples being franchisees and non-majority-share joint ventures). It could be a clever way to propose extending your scope or changing your direct manager (at minimum through a dotted line).
  5. I strongly encourage you to stress the basic nature of PIMMS: basic not meaning trivial to implement or to get internal (i.e. financial/budget) buy-in for (see the dedicated article for more insights: https://theinfosecotter.com/?p=72), but in the sense that any and every organisation that does not at the very least include each and every letter of it in its near-term roadmap (let's say 18 months max) is basically asking for an infosec crisis to occur.
