Tuesday, September 24, 2013

So You're a New CISO!?

   There are plenty of articles out there about becoming a new CISO.  And what elements you should have in an enterprise security program.

   I'm about to become a new CISO... again.  It's not an entirely unique situation.  I've been a CISO for over 10 years.  I'm starting as a new employee of an organization that has newly created the CISO position.  So I am new, and the CISO position is new, to this organization.

   I read this interesting article entitled 68 Great Ideas for Running the Security Department.  It's a great article, but even as a mathematician, I just can't count that high!  I also love top 10 lists.  But sometimes 10 is too high a number as well.

   Here are the 3 key things I'm going to do as a new CISO:
  1. Learn the Business - this is a critical step that many security and IT professionals miss.  You must understand the business of your organization.  What is the industry? What is the niche? What is the mission? What do they do? Why do they do it? How does it happen? What are the different divisions, units, verticals? What is important to these groups?  You can't design a good security or IT program if you don't understand the business.
  2. Create a Culture of Security - if people don't understand what you do it will be very difficult to succeed.  Similarly, the security group can never do it all alone.  We rely on the "kindness of strangers".  When people understand that security is part of their job, what/where critical assets and data are, and why/how they need to protect these - then you have a culture of security.  I've written about this before.  This takes time and it's important to set that tone from the beginning.
  3. Baseline the Organization - by this I mean figuring out the assets, security architecture, controls and organization.  It's important to understand what exists now before you can make any decisions about where to go.  At some point in the near future you'll need to show that you've added some value to the organization.  So you'll need to know where things are now to be able to show what you've added.
   There's always more to it. Here are 2 other lesser, but still important, priorities I'll keep on the front burner:
  • Low hanging fruit - sometimes there are some quick wins available.  If there are some short projects - ones for which you can add value and complete in no more than a few weeks - it may be worth your while to jump on these.  What you don't want to do is stack up too many of these.  The idea is to approach your work strategically.
  • Other duties as assigned - Well, yes, that's everyone's job.  When you work for an organization, projects and tasks will be assigned to you.  Your goal as a new CISO should be to build the framework, strategy and program, but you must also juggle some projects that may be in progress, of particular interest to management, and/or required, for instance because of an audit finding.
   Note that there is something key that's not on my list... Change.  I'm not a fan of change for change's sake.  You have to know what makes sense for the organization before you can decide if change makes sense or is needed.  Unless you have a very good reason to make immediate changes, it's important to observe what's going on before making changes.

   How does that compare to your list of priorities?  What might you do differently?

   Oh, and... wish me luck!
