The new CISO’s playbook: 5 rules to follow

When Michelle Stewart was hired in August 2017 as the CISO at RentPath, a digital marketing company for the real estate rental industry, she knew she had to add some new rules to her CISO playbook. Times had changed since she last took over a new security leadership role. Once considered primarily a technology job, today’s CISO must be a business enabler who can communicate in business terms the value of their security initiatives.

Many of the fundamental first steps and best practices that a new CISO should take to quickly become an effective security leader haven’t changed much over the last several years. First, they must assess the security situation, then develop a good security team and build relationships and credibility with business leaders and executives. But some of these traditional rules now come with caveats.

“Now CISOs are having to flex different muscles, work with a broader set of stakeholders and build an increasingly diverse team to handle different areas of concern,” including regulatory and privacy issues, product security and shadow IT, says Jamey Cummings, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice.

They’ll also need the business acumen to communicate with the board. By 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, up from 40 percent of organizations in 2018, according to Gartner.

What’s more, cyber and information security needs are growing more diverse by industry. In today’s environment, “you have to spend more time understanding the industry you’re in and the strategic direction and business priorities of the company,” says Aileen Alexander, a senior client partner who co-leads Korn Ferry’s global cybersecurity practice with Cummings.

CISOs who have successfully made the transition to a new company, along with industry experts, offer five rules that should be part of every new CISO’s playbook.

1. Conduct a security maturity assessment

The caveat: Don’t let ‘perfect’ get in the way of ‘good enough’.

One of the first tasks for any new CISO is to assess the state of the organization’s security efforts. This entails first determining the organization’s cybersecurity state and existing risk, and then taking inventory of the organization’s critical assets and determining how they should be protected.

When Stewart started her CISO job at RentPath, she took the first 60 days to do a current-state assessment and maturity assessment to identify security gaps and then prioritize them. “It really does give you that big picture,” she says, but it can become overwhelming when you think it all needs to get done in the first year, she says.

“Make sure that ‘perfect’ doesn’t end up being the enemy of ‘good enough,’” she says. This year, she was able to rationalize why some items didn’t get completed in 2018 and manage her expectations given the investment and resources that are available.

2. Deliver quick wins to establish credibility

The caveat: Sometimes it’s required even before laying the relationship groundwork.

New CISOs usually spend their first few months getting to know colleagues, holding department meetings and “letting people know you exist,” writes Justin Fimlaid, a former CISO and now founder and CEO of NuHarbor Security, an information security services firm. “Use this time to build political capital by listening to your colleagues, displaying empathy, and most importantly gather their goals and objectives so you can help them be successful.”

Taylor Lehmann envisioned a similar scenario when he took over the CISO position at Wellforce in June 2017, but he learned that sometimes you can’t have thoughtful conversation about cybersecurity threats until you solve “the major outstanding technical issues that make working there miserable,” he says.

In his first 90 days at Wellforce, Lehmann tackled three security-related issues that were creating fire drills in the IT department, including patching two-factor authentication and remote access. “Nobody wanted to talk about security until those things were addressed,” Lehmann says. “The reality is, when you go into that meeting with the CEO, he asks. ‘Why isn’t this fixed yet?’ Not ‘Tell me about the strategic direction of the company and why your role matters.’ Try to find the quick wins that create value immediately and then use that momentum” to move your agenda forward, he says.

3. Build relationships with lines of business and key stakeholders

The caveat: Add human resources, legal, compliance, privacy and risk officers to the list.

As new privacy laws and regulations take shape in the European Union and United States, the CISO’s role is evolving to include privacy, information risk and enterprise risk. “HR has to be at the forefront of protecting employees’ privacy, and legal is looking at compliance and (the EU) General Data Protection Regulation [GDPR]. Those are a couple of really key stakeholders that in the past wouldn’t have been as prominent, but you have to be pretty interconnected with them to make sure you’re balancing risk, security and privacy,” Cummings says.

Two-thirds of the 250 CISOs and IT security heads surveyed by Kaspersky Labs work closely with the legal department as a result of new compliance regulations. Some 43 percent of CISOs say their relationship with HR is important as well, especially on identity and access management issues. A few companies also have chief privacy officers, which would be another key relationship for CISOs, Cummings adds.

This is also a great opportunity for new CISOs to become the expert on legal and compliance issues in their industry as they relate to cybersecurity, says John Cunningham, CISO and CIO at Docupace Technologies in Los Angeles. “If you have a compliance office, make them your new best friend. Learn everything you can, but then break those regulations down into language people, executives and board understand. Build a priority list and focus on the most important thing on the list.”

4. Seek support and collaboration from outside 

The caveat: Share your strategies with industry competitors.

The role of a new CISO is broad, complex and stressful. Having someone with experience who you can go to for support or advice early on can prove invaluable in terms of your professional development. In his previous CISO position, Cunningham built a support network of CISOs from his industry competitors. He set up regular meetings and working group for information sharing, knowledge transfer and collaboration. “For CISOs it’s not really a competition,” Cunningham says. “We shared threat information, talked about our budgets and discussed our (security) strategies.”

5. Understand your place in the organization

The caveat: Prepare leaders for the bad actors you may have to deal with

As a new CISO, understand your role and where your authority stops and starts, Cunningham adds. “Inevitably in the course of being a CISO, you will discover someone very important doing something very bad, and you want to have an understanding worked out ahead of time when that happens,” he says. “Meet early with senior management and human resources. Discuss scenarios related to potential employee issues and work out how you will respond together.”

Each organization is different, Stewart says, and that will drive your methodology.