What should CISOs do in their first half year?
The CISO Challenge of establishing yourself as a security leader
This blog continues the series of articles about what the Chief Information Security Officer should do, be and have. These blogs aim to provide an answer to the many challenges CISOs face on a daily basis. The results are obtained through interviews with CISOs. This blog answers what a CISO should do first in order to establish himself/herself as a security leader.
Noah Brandwijk - 7 July 2017
The start of a new CISO
As with every new leadership role, the first actions of a leader are crucial in determining their success. With quick success, the CISO increases his or her value to the organization. In order to deliver this success, the CISO needs to be a security leader. Therefore, it is imperative to the success of the CISO to establish himself/herself as a security leader. However, the CISO can fail to deliver value if he or she makes the wrong decisions during the first half year.
The definition of a security leader
A security leader is someone who is trusted and involved in business decisions. A security leader is able to sell security to the business. The security leader sells security by enabling the business with security in the present and future. Besides, the security leader has the ability to instill and lead security initiatives. These security initiatives contribute to enterprise goals. By contributing to the enterprise goals the security leader secures enterprise support.
According to our CISO challenges research, CISOs often fail because they didn’t meet business requirements. Likewise, CISOs fail because of non-communication. Even if the CISO has met business requirements, this needs to be communicated. The fulfillment of business requirements is bound to be evaluated within a half year of a CISO’s career. Therefore, it is essential for the CISO to make sure to meet business requirements in the short and long term.
How to establish yourself as a security leader
In order to meet business requirements and establish himself/herself as a security leader, the CISO should first connect with relevant stakeholders in the organization. In order to understand the business objectives and issues of the organization, the CISO is advised to connect with the Board of Directors, business unit managers and operational staff. Moreover, the CISO ought to assess the current maturity of security by first taking inventory of all security resources in place. After this inventory is made, the CISO can establish which resources contribute to business goals or to solving issues. Based on the security maturity and the business issues and goals, the CISO can create a security strategy. By basing the security strategy on business issues and goals, the CISO supports the strategic objectives of the business with security. This creates a business-aligned security strategy which adds understandable value for the business.
During the planning and creation of the strategy, the CISO should be aware of new risks and/or business priorities. The first assessment of security and of the current business issues and goals isn’t permanent. This should be reflected in the security strategy by constantly evaluating the strategy.
The benefit of a security leader
If the security leader is able to communicate the need and value of information security, the CISO will gain enterprise support. This support is necessary to start and keep driving organizational change with security initiatives. If a security leader is able to effectively communicate the benefit of security during the change trajectory, change will be bound to take place. If stakeholders and especially executive management don’t see the benefit of security, then security projects have a higher risk of failing.
By aligning security to the business strategy, security will be able to add understandable value to the future goals of the business. Therefore, the CISO not only gains executive support and is able to secure budget, but will also be able to lead change trajectories of security initiatives more effectively.
To summarize, the CISO needs to be able to learn stakeholder goals and issues. Moreover, a CISO should use this knowledge to create a security strategy that aims to make stakeholder goals more reachable and to solve stakeholder issues. By communicating the value that security provides in solving issues and protecting business goals, the CISO will be well on the way to establishing himself/herself as a security leader and driving the security strategy.
The CISO Challenge series
This final CISO Challenge examined how a CISO can approach the challenges of today. Former challenges included communicating the value of security and the experience needed for the CISO to be effective. All challenges contain input from CISOs and reflect the current state of cyber security.
As is made clear in our CISO Challenge research, the first half year is very important for the CISO. We offer CISOs the opportunity to set up their 180-day plan through CISO Transition labs.
More information on Chief Information Security Officer Challenges?
Do you want to know more on CISO Challenges? Please contact Noah Brandwijk at +31 (0)88 2885250.