The situation often dictates how to approach a new job. Did the company just have a humiliating experience with a data breach? Did they not have a CSO previously, and is that why they are looking for security help to lock down their network? If during the job interview there was a blunt plea for help, then most new hires would come in guns a-blazin' to get things under control quickly. But in most scenarios, the CSOs interviewed said there is a general time period to examine the culture of the company to help in getting a grasp of what needs to be done.

"The first thing needed is to review the current state of the information security policy. Getting intimate with this document, as well as the lessons learned in creating it, is instrumental in being successful. To do this you must meet with department leads, stakeholders, and business executives to find out its context and history. My main stakeholders at Bugcrowd are the IT and Engineering groups, so getting comfortable working with them was priority #1," said Jason Haddix, head of trust and security, Bugcrowd.

From here he started to notice any "hung-up" initiatives, incomplete policy and fragmented responsibilities. Once he wrapped his head around how the company was set up, he created a plan to address each at 30, 60, and 90 days out. At Bugcrowd, quick wins were identified related to business enablement and security architecture.

"There can be varying levels of responsibility in each CISO role, but one could never argue there isn't enough to do," he said. "Once you have your battle plan, have reviewed the budget, etc., rally your direct reports and inform them of your plans. Be honest and transparent about priorities and responsibilities. Take constructive criticism and compromise where necessary, but ultimately break down these plans to quarterly goals as an organization."

Haddix said the next steps are rolling out initiatives in a structured manner. Working at a startup, his role at Bugcrowd is heavy on business enablement, security architecture, and some compliance and audit. Other roles will work more closely with risk management and security operations.

Alvaro Hoyos took much the same approach as Haddix in rallying the troops upon his arrival as chief information security officer at OneLogin. "I reached out to all personnel to introduce myself, describe what my role consists of, and what we wanted to accomplish in the short term. The CISO role is still somewhat uncommon and has been evolving over the last few years. This role works with all departments and you will be enlisting the help of various team members as you roll out various projects, not to mention that you are also responsible for improving your organization's security culture, which is probably one of the toughest items on your to-do list. Therefore, it is critical to get the organization behind you from the start because personnel outside of your own team will be in the critical path of a lot of your activities and your success will be tied to them."

The next step was to secure an inventory of information assets. He said knowing what you are tasked to secure is one of the first steps you need to take in order to lay down a good foundational framework to build upon. This requires meeting with information owners and being fluent in all the data coming into and going out of the organization. Part of knowing the data is determining what compliance and legal requirements you must meet, so you can build a security program that is commensurate with the appropriate risks and, more importantly, focus your resources efficiently to address them.

Hoyos noted that a security program is an ongoing strategy. "A security program is an ongoing journey. Once you have the lay of the land, you need to determine how you will maintain and grow that program effectively. Once you determine what framework(s) you will base your program on, you have to come up with a strategy for what you need to, and more importantly, can realistically tackle in the short term and long term," he said.

A key step in this process is performing a risk assessment to use as a guide to help you prioritize what you tackle. This is especially useful when getting buy-in from management and defining what your budgetary needs will be.

"Just as important as knowing what you can tackle in the short term, being able to plan for the long term is equally important," he said.

Knowing the risk

"As a CSO, it all begins and ends with risk -- at the end of the day, you have to understand the risk and how to manage and mitigate that risk," said Malcolm Harkins, chief security and trust officer, Cylance.

"Specifically, there are two battlefields we have to face: one that is external and one that is internal. The external battlefield is made up of threat factors and agents that we read about in the press every day, and the internal battlefield is made up of budgets, bureaucracy and behaviors," he said.

Harkins noted that it's a two-pronged approach of evaluation: CSOs need to understand what the risks and controls are externally and how to build relationships, rapport and influence internally.

Dawn-Marie Hutchinson, executive director, office of the CISO, Optiv, took the cautionary approach as well when she first settled in.

"I met with each leader of the IT divisions to understand what their specific data security concerns were and what data was stored, processed or transmitted through their division. The first 30 days were spent just learning the general IT layout; things like how data moved through it, and gaining their perspectives on security. The first months of the role were just about learning about the company, the culture and the business," she said.

She doesn't believe it is security's job to come in and tell every other department how to do their job. Instead the security team should advise management on the risks to information and technology.

"I approached the new role with that in mind and conducted my own assessment of where the organization was relative to others. In hindsight, understanding what the risks were relative to others maybe is a good benchmarking exercise, but it does not align with the business or their risk tolerance. Instead of identifying areas of improvement relative to other organizations, I wish I had been better able to communicate how these risks could impact the business goals of the organization," she said.

There were a lot of "in-flight" projects when she arrived and the IT organization was extremely nimble. The business thrived on being a fast-moving IT organization, but with that comes increased risk to data confidentiality and system availability.

First day starts at the interview

Dave Mahon, CSO, CenturyLink, said what you do the first day on the job begins when you are interviewing for the job. You first start to assess the organization and teams you will lead. "Use the job interview process to begin the assessment of the organization. Focus on what the most significant problems are," he said. "Ask, 'Why are they hiring me?' and, 'What will it take to be successful in this organization?' and other questions that begin to develop what you will do should you be selected for the position."

Getting started from the word go

To help prioritize his time when he came onboard as CSO at Sungard AS, Shawn Burke created a top 10 list:

1. Learn the Business and Culture
2. Conduct Assessment of Current State and Budget
3. Review Existing Policies/Procedures/Guidelines
4. Establish and/or Eliminate Review Board and Councils
5. Develop and Finalize Security Plan
6. Build Team and Cross-Functional Roles
7. Assign Ownership of Tasks
8. Create Framework to Manage Global Initiative
9. Develop Metrics and Reporting System
10. Educate and Advise on Risk Management

Shawn Burke, Global CSO at Sungard AS, echoes Mahon's statement. "You absolutely need to start researching the business prior to your first day on the job. To help me prioritize my time when I came onboard I created a top 10 list (see sidebar). It included everything from understanding the business and culture, to assessing the current state of the technologies, requirements, policies, procedures and much more. In my opinion, security accountability is one of the most important topics to address. A new CSO should never assume fundamentals are in place and should find out who owns security discipline for all systems."

Once you are on the job, the most immediate things you need to do include meeting with your new boss and developing a road map to assess the company. Then, meet with other key leaders in the organization and obtain their assessment of what needs to be done from their perspective.

"Key to your success will be to completely understand the corporate strategy approved by the Board of Directors, CEO and other members of the leadership team. Remember, your job as the CSO is to enable the achievement of those objectives," Mahon said.

Once you have the strategy and other leaders' perspectives, begin the tactical assessment of the teams you will lead. Assess the talent, review the last three years' accomplishments and future initiatives developed by those teams, and then ask yourself if these accomplishments and initiatives are supporting the corporate strategy.

"When you meet with your teams, let them know who you are, what you value, that you do not want any politics, and that you respect straight shooters. When assessing the teams, look for those who have the will and skill to be in the CSO organization," he said.

After you have completed your assessment, put down on paper what you will accomplish in the next 30 to 90 days and the first year, and begin to develop the long-term plan.

Stan Black, CSO at Citrix, cautions though that hope is not a strategy. Often CSOs are hired because security is perceived as an important business risk. A key indicator of this potential risk is the hiring manager's title or role. Companies with material security risk should not hire CSOs to report to CIOs, he said.

The best way to mitigate this risk is to provide a 100-day plan outlining what people, processes, and technologies are needed to manage a company's security risk. "If the hiring company can't internalize, apply, and commit to the plan, don't take the job," he said.

Transform security from a problem into a revenue enabler. In today's world, products and services are not acceptable or of adequate quality unless they are secure. This is often a foreign concept that requires engaging cross-functional teams including legal, sales, marketing, PR, Internal Audit, R&D, and the BoD to effectively transform security from delivery barrier to business enabler, he added.

Vendor vs. non-vendor perspective

Gunter Ollmann, CSO, Vectra Networks, gave the first-day answer from two perspectives: vendor and non-vendor.

From a non-vendor CSO perspective:

- Measure the current security baseline of the organization. Use vulnerability scanning services to get that first-pass understanding, and compare it to what policies are thought to be in place. Getting that initial baseline helps define the scale and identify key problem areas that need to be tackled. Later on, comparing progress to that baseline is invaluable for showing progress to the executive team and builds overall confidence.
- Identify and meet with all stakeholders, and listen to them define in their own words the key risks and threats present within their spheres of influence. This allows the tailoring of messaging and the hunt for common problems that can be solved to build both momentum and wider support for security changes.

From a vendor perspective:

- Review SDLC adherence and evaluate the security maturity of engineering and product management teams. Tick-box audit of development processes against SDLC methodology and structure, looking for weaknesses and building a prioritization plan.
- Baseline product security from both a software coding and deployment hardening perspective. Understanding and being able to answer "what risks do I introduce to a customer's network" is key.