October 2024 | 5 minute read
From CISO to business leader: A field guide for cybersecurity success
From CISO to business leader: A field guide for cybersecurity success
In the fast-paced field of cybersecurity, new CISOs have a small window to demonstrate their credibility, formulate their strategy, and ultimately demonstrate business value. CISOs should be prepared for the assumption that they are proficient in the day-to-day skills required for running a cybersecurity department, including managing operations, architecture, vendors, compliance, and risk, as well as keeping up with the latest technology.
To help you succeed in your role, we created a field guide based on insights gathered from 50 years of combined cyber experience and more than 20 CISO executive transition labs conducted across major industries, including banking, consumer, public sector, and energy and resources.
Success in your first 180 days will largely depend on your ability to manage three key resources effectively: time, talent, and relationships. We’ll examine each area in the coming months, starting with a focus on time in this issue.
Quick take: Top priorities for the first 180 days
Part 1: TIME
CISOs face a multitude of challenges that demand their attention. These challenges may include securing outdated IT systems, addressing disunity among staff within the cyber organization, and improving relationships with internal clients. CISOs may also need to focus on enhancing critical technologies that protect the company or managing vendor-related issues. It's crucial to note that the extent of these demands may not be immediately evident when considering a CISO position.
The first 30–90 days
The first 30 days are critical to getting to know your business. Act as a customer yourself and ask questions about your own purchasing behavior. Would you change anything as part of that experience? Talk to customers, store managers, and employees to gain insights into how your company makes money and why certain decisions are made.
In addition, meet with internal stakeholders across corporate functions such as IT, internal audit, human resources, and privacy. Show empathy for stakeholders, especially if you are joining an organization that may have underinvested in security in the past. Ask what is working well related to the protection of their data, what can be improved, and what is most important to them. This is a time to build relationships and learn; it’s not yet the time to make recommendations and educate stakeholders on controls. Building trust relies on your credibility, reliability, understanding of their business, and customer relationships (internal and external).
Show empathy for stakeholders, especially if you are joining an organization that may have underinvested in security.
Next, meet your team for insights into the current culture. A high-performing team is diverse, highly capable, motivated to achieve a central purpose, and operates in an environment where they can thrive. Meet with your team to understand their current roles, capabilities, motivations, and career aspirations.
Through these discussions, you will learn about unneeded meetings, underfunded projects without defined value outcomes, time-consuming reports that go unused, and underutilized technology that is expensive to license and run. This exercise can also help you identify a few quick wins that will drive immediate value to the business with minimal costs.
As a new CISO, it is crucial to develop an initial framework of priorities and create a plan within the first 90 days. It is also essential to know your team and identify their strengths, weaknesses, and level of awareness about the business. It is here where you will identify your stars, your underperformers, and even those with sparkles of brilliance.
Meet with your team to understand roles, capabilities, and career aspirations.
Days 90–180
Focus on delivering initial projects and quick wins and, if required, rearchitect the CISO organization. During this period, it is important to conduct strategic and functional reviews to assess the strengths and weaknesses of the cybersecurity function. Take the time to review the organizational structure and determine if the function is aligned to the organization’s strategic plans. Assess if the team can lead that growth, and work with stakeholders to focus on what is most important.
Days 180–365
During this period, the focus should be on resolving organizational issues that can be addressed within a year. This includes defining a strong three-year cybersecurity strategy and roadmap to deliver cybersecurity in the future, enabling the business, and establishing new organizational and governance models for security oversight. As a CISO, it is important to delegate tasks and empower team members to assume greater responsibility so you can focus on strategic initiatives and ensure the organization is well-positioned to manage risks.
Next up
In our next issue, we’ll focus on the topic of talent, its challenges, and the crucial role it plays in early CISO success.
Recommended reads
Cyber solutions
Deloitte offers a unified approach to help you tackle obstacles and build new capabilities fast. Leverage our breadth of solutions and cybersecurity leading practices that can help you transform your organization and achieve success, wherever you are on your journey.