When Michelle Stewart was hired in August 2017 as the CISO at RentPath, a digital marketing company for the real estate rental industry, she knew she had to add some new rules to her CISO playbook. Times had changed since she last took over a new security leadership role. Once considered primarily a technology job, today’s CISO must be a business enabler who can communicate in business terms the value of their security initiatives.

Many of the fundamental first steps and best practices that a new CISO should take to quickly become an effective security leader haven’t changed much over the last several years. First, they must assess the security situation, then develop a good security team and build relationships and credibility with business leaders and executives. But some of these traditional rules now come with caveats.

“Now CISOs are having to flex different muscles, work with a broader set of stakeholders and build an increasingly diverse team to handle different areas of concern,” including regulatory and privacy issues, product security and shadow IT, says Jamey Cummings, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice.

They’ll also need the business acumen to communicate with the board. By 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, up from 40 percent of organizations in 2018, according to Gartner.

What’s more, cyber and information security needs are growing more diverse by industry. In today’s environment, “you have to spend more time understanding the industry you’re in and the strategic direction and business priorities of the company,” says Aileen Alexander, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice with Cummings.

CISOs who have successfully made the transition to a new company, along with industry experts, offer five rules that should be part of every new CISO’s playbook.

1. Conduct a security maturity assessment

The caveat: Don’t let ‘perfect’ get in the way of ‘good enough’.

One of the first tasks for any new CISO is to assess the state of the organization’s security efforts. This entails first determining the organization’s cybersecurity state and existing risk, and then taking inventory of the organization’s critical assets and determining how they should be protected.

When Stewart started her CISO job at RentPath, she took the first 60 days to do a current-state assessment and maturity assessment to identify security gaps and then prioritize them. “It really does give you that big picture,” she says, but it can become overwhelming when you think it all needs to get done in the first year.

“Make sure that ‘perfect’ doesn’t end up being the enemy of ‘good enough,’” she says. This year, she was able to rationalize why some items didn’t get completed in 2018 and manage her expectations given the investment and resources that are available.

2. Deliver quick wins to establish credibility

The caveat: Sometimes it’s required even before laying the relationship groundwork.

New CISOs usually spend their first few months getting to know colleagues, holding department meetings and “letting people know you exist,” writes Justin Fimlaid, a former CISO and now founder and CEO of NuHarbor Security, an information security services firm. “Use this time to build political capital by listening to your colleagues, displaying empathy, and most importantly gather their goals and objectives so you can help them be successful.”

Taylor Lehmann envisioned a similar scenario when he took over the CISO position at Wellforce in June 2017, but he learned that sometimes you can’t have a thoughtful conversation about cybersecurity threats until you solve “the major outstanding technical issues that make working there miserable,” he says.

In his first 90 days at Wellforce, Lehmann tackled three security-related issues that were creating fire drills in the IT department, including patching two-factor authentication and remote access. “Nobody wanted to talk about security until those things were addressed,” Lehmann says. “The reality is, when you go into that meeting with the CEO, he asks, ‘Why isn’t this fixed yet?’ not ‘Tell me about the strategic direction of the company and why your role matters.’ Try to find the quick wins that create value immediately and then use that momentum” to move your agenda forward, he says.

3. Build relationships with lines of business and key stakeholders

The caveat: Add human resources, legal, compliance, privacy and risk officers to the list.

As new privacy laws and regulations take shape in the European Union and United States, the CISO’s role is evolving to include privacy, information risk and enterprise risk. “HR has to be at the forefront of protecting employees’ privacy, and legal is looking at compliance and (the EU) General Data Protection Regulation [GDPR]. Those are a couple of really key stakeholders that in the past wouldn’t have been as prominent, but you have to be pretty interconnected with them to make sure you’re balancing risk, security and privacy,” Cummings says.

Two-thirds of the 250 CISOs and IT security heads surveyed by Kaspersky Lab work closely with the legal department as a result of new compliance regulations. Some 43 percent of CISOs say their relationship with HR is important as well, especially on identity and access management issues. A few companies also have chief privacy officers, which would be another key relationship for CISOs, Cummings adds.

This is also a great opportunity for new CISOs to become the expert on legal and compliance issues in their industry as they relate to cybersecurity, says John Cunningham, CISO and CIO at Docupace Technologies in Los Angeles. “If you have a compliance office, make them your new best friend. Learn everything you can, but then break those regulations down into language people, executives and board understand. Build a priority list and focus on the most important thing on the list.”

4. Seek support and collaboration from outside

The caveat: Share your strategies with industry competitors.

The role of a new CISO is broad, complex and stressful. Having someone with experience whom you can go to for support or advice early on can prove invaluable in terms of your professional development. In his previous CISO position, Cunningham built a support network of CISOs from his industry competitors. He set up regular meetings and a working group for information sharing, knowledge transfer and collaboration. “For CISOs it’s not really a competition,” Cunningham says. “We shared threat information, talked about our budgets and discussed our (security) strategies.”

5. Understand your place in the organization

The caveat: Prepare leaders for the bad actors you may have to deal with.

As a new CISO, understand your role and where your authority stops and starts, Cunningham adds. “Inevitably in the course of being a CISO, you will discover someone very important doing something very bad, and you want to have an understanding worked out ahead of time when that happens,” he says. “Meet early with senior management and human resources. Discuss scenarios related to potential employee issues and work out how you will respond together.”

Each organization is different, Stewart says, and that will drive your methodology.