I'm about to become a new CISO... again. It's not an entirely unique situation. I've been a CISO for over 10 years. I'm starting as a new employee of an organization that has newly created the CISO position. So I am new, and the CISO position is new, to this organization.
I read this interesting article entitled 68 Great Ideas for Running the Security Department. It's a great article, but even as a mathematician, I just can't count that high! I also love top 10 lists. But sometimes 10 is too high a number as well.
Here are the 3 key things I'm going to do as a new CISO:
- Learn the Business - this is a critical step that many security and IT professionals miss. You must understand the business of your organization. What is the industry? What is the niche? What is the mission? What do they do? Why do they do it? How does it happen? What are the different divisions, units, verticals? What is important to these groups? You can't design a good security or IT program if you don't understand the business.
- Create a Culture of Security - if people don't understand what you do, it will be very difficult to succeed. Similarly, the security group can never do it all alone. We rely on the "kindness of strangers". When people understand that security is part of their job, what and where the critical assets and data are, and why and how they need to protect them - then you have a culture of security. I've written about this before. This takes time, and it's important to set that tone from the beginning.
- Baseline the Organization - by this I mean figuring out the assets, security architecture, controls and organization. It's important to understand what exists now before you can make any decisions about where to go. At some point in the near future you'll need to show that you've added some value to the organization, so you'll need to know where things are now to be able to show what you've added.
- Low-hanging fruit - sometimes there are some quick wins available. If there are some short projects - ones for which you can add value and complete in no more than a few weeks - it may be worth your while to jump on these. What you don't want to do is stack up too many of them. The idea is to approach your work strategically.
- Other duties as assigned - well, yes, that's everyone's job. When you work for an organization, projects and tasks will be assigned to you. Your goal as a new CISO should be to build the framework, strategy and program, but you must also juggle some projects that may be in progress, of particular interest to management, and/or required, for instance because of an audit finding.
How does that compare to your list of priorities? What might you do differently?
Oh, and... wish me luck!