What these CSOs did on their first days

There are a million things to worry about but these chief security officers provide advice on how to start off on the right foot.


She doesn’t believe it is security’s job to come in and tell every other department how to do their job. Instead the security team should advise management on the risks to information and technology.

“I approached the new role with that in mind and conducted my own assessment of where the organization was relative to others. In hindsight, understanding what the risks were relative to others maybe is a good benchmarking exercise, but it does not align with the business or their risk tolerance. Instead of identifying areas of improvement relative to other organizations, I wished I had been better able to communicate how these risks could impact the business goals of the organization,” she said.

There were a lot of "in-flight" projects when she arrived and the IT organization was extremely nimble. The business thrived on being a fast-moving IT organization, but with that comes increased risk to data confidentiality and system availability.

First day starts at the interview

Dave Mahon, CSO, CenturyLink, said what you do on the first day on the job begins when you are interviewing for the job. You first start to assess the organization and the teams you will lead. “Use the job interview process to begin the assessment of the organization. Focus on what are the most significant problems,” he said. “Ask, ‘Why are they hiring me?’ and ‘What will it take to be successful in this organization?’ and other questions that begin to develop what you will do should you be selected for the position.”

Shawn Burke, Global CSO at Sungard AS, echoes Mahon’s statement. “You absolutely need to start researching the business prior to your first day on the job. To help me prioritize my time when I came onboard I created a top 10 list (see sidebar). It included everything from understanding the business and culture, to assessing the current state of the technologies, requirements, policies, procedures and much more. In my opinion, security accountability is one of the most important topics to address. A new CSO should never assume fundamentals are in place, and should find out who owns security discipline for all systems.”

Once you are on the job, the most immediate things you need to do include meeting with your new boss and developing a road map to assess the company. Then, meet with other key leaders in the organization and obtain their assessment of what needs to be done from their perspective. “Key to your success will be to completely understand the corporate strategy approved by the Board of Directors, CEO and other members of the leadership team. Remember, your job as the CSO is to enable the achievement of those objectives,” Mahon said.

Once you have the strategy, and other leaders’ perspective, begin the tactical assessment of the teams you will lead. Assess the talent, review the last three years' accomplishments and future initiatives developed by those teams, and then ask yourself if these accomplishments and initiatives are supporting the corporate strategy.

“When you meet with your teams, let them know who you are, what you value, that you do not want any politics, and you respect straight shooters. When assessing the teams, look for those who have the will and skill to be in the CSO organization,” he said.


After you have completed your assessment, put down on paper what you will accomplish in the next 30 to 90 days and in the first year, and begin to develop the long-term plan.

Stan Black, CSO at Citrix, cautions, though, that hope is not a strategy. Often CSOs are hired because security is perceived as an important business risk. A key indicator of this potential risk is the hiring manager's title or role. Companies with material security risk should not hire CSOs to report to CIOs, he said.

The best way to mitigate this risk is to provide a 100-day plan outlining what people, processes, and technologies are needed to manage a company’s security risk. “If the hiring company can’t internalize, apply, and commit to the plan, don't take the job,” he said.

Transform security from a problem into a revenue enabler. In today’s world, products and services are not acceptable or of adequate quality unless they are secure. This is often a foreign concept, and acting on it requires engaging cross-functional teams including legal, sales, marketing, PR, Internal Audit, R&D, and the Board of Directors to transform security from a delivery barrier into a business enabler, he added.

Vendor vs. non-vendor perspective

Gunter Ollmann, CSO, Vectra Networks, gave the first-day answer from two perspectives: vendor and non-vendor.

From a non-vendor CSO perspective:

  • Measure the current security baseline of the organization. Use vulnerability scanning services to get that first-pass understanding, and compare the results to the policies that are thought to be in place. Getting that initial baseline helps define the scale of the work and identifies the key problem areas that need to be tackled. Later on, comparing progress to that baseline is invaluable for showing progress to the executive team and builds overall confidence.
  • Identify and meet with all stakeholders, and listen to them define in their own words the key risks and threats present within their spheres of influence. This allows the tailoring of messaging and the hunt for common problems that can be solved to build both momentum and wider support for security changes.
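The baseline-then-compare approach in the first bullet is easy to turn into a repeatable check. The script below is an added example, not code from the article or from Vectra Networks: it takes a first-pass exposure snapshot (host to open ports, as a scanner would report them), the services the written policy allows per host, and a later snapshot, and reports what is out of policy, what was closed since the baseline, what newly appeared, and which hosts were not in the baseline at all (unknown assets are treated as fully out of policy). All hostnames and ports are constructed for illustration.

```python
"""Compare exposure snapshots against a written policy and against a baseline."""

# Constructed sample data (not real hosts). Each snapshot maps host -> open TCP ports,
# the shape a vulnerability/port scanner export is usually reduced to.
BASELINE_SCAN = {
    "web-01": {22, 80, 443, 3389},
    "db-01": {22, 1433, 3389},
    "hr-fileshare": {22, 139, 445, 21},
}
CURRENT_SCAN = {
    "web-01": {22, 80, 443},
    "db-01": {22, 1433},
    "hr-fileshare": {22, 139, 445, 21, 8080},
    "new-kiosk": {80, 23},          # asset that was not in the baseline at all
}
# What the policy says each host is allowed to expose (also constructed).
POLICY_ALLOWED = {
    "web-01": {22, 80, 443},
    "db-01": {22, 1433},
    "hr-fileshare": {22, 445},
}


def policy_violations(scan, policy):
    """Return {host: set(ports)} for exposed services the policy does not allow.

    A host missing from the policy has no allowed services, so everything it
    exposes is a violation; that surfaces unknown assets instead of hiding them.
    """
    violations = {}
    for host, ports in scan.items():
        extra = ports - policy.get(host, set())
        if extra:
            violations[host] = extra
    return violations


def progress_report(baseline, current, policy):
    """Summarize how out-of-policy exposure moved relative to the baseline."""
    base_v = policy_violations(baseline, policy)
    cur_v = policy_violations(current, policy)

    # Violations present at baseline that are no longer present.
    closed = {}
    for host, ports in base_v.items():
        fixed = ports - cur_v.get(host, set())
        if fixed:
            closed[host] = fixed

    # Violations present now that were not in the baseline.
    opened = {}
    for host, ports in cur_v.items():
        fresh = ports - base_v.get(host, set())
        if fresh:
            opened[host] = fresh

    return {
        "baseline_violations": sum(len(p) for p in base_v.values()),
        "current_violations": sum(len(p) for p in cur_v.values()),
        "closed": closed,
        "opened": opened,
        "new_hosts": sorted(set(current) - set(baseline)),
    }


if __name__ == "__main__":
    report = progress_report(BASELINE_SCAN, CURRENT_SCAN, POLICY_ALLOWED)
    print(f"Out-of-policy services: {report['baseline_violations']} at baseline, "
          f"{report['current_violations']} now")
    for host, ports in sorted(report["closed"].items()):
        print(f"  closed  {host}: {sorted(ports)}")
    for host, ports in sorted(report["opened"].items()):
        print(f"  opened  {host}: {sorted(ports)}")
    if report["new_hosts"]:
        print(f"  hosts not in baseline: {report['new_hosts']}")
```

The sample data is deliberately mixed: two remote-desktop exposures are closed since the baseline, yet the raw violation count goes up because a file server grew a new service and an unbaselined kiosk appeared. Reporting closed, opened and new hosts separately is what lets the "progress against baseline" conversation with executives stay honest rather than collapsing into a single number that moves the wrong way.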

From a vendor perspective:

  • Review SDLC adherence and evaluate the security maturity of the engineering and product management teams. Run a tick-box audit of development processes against the SDLC methodology and structure, looking for weaknesses and building a prioritization plan.
  • Baseline product security from both a software coding and a deployment hardening perspective. Understanding and being able to answer “what risks do I introduce to a customer’s network” is key.

Copyright © 2016 IDG Communications, Inc.
