CISO Series - The Fortnight Foundation

As I prepare to embark on my next assignment, I thought I would share how the initial fortnight in a CISO role is vital for understanding your team, establishing relationships, and setting the stage for long-term success. Because I work as an independent consultant, my strategies may be dramatically condensed compared with those of someone assuming the role for a longer term as a permanent team member.

These are the foundational steps I initially take in understanding each role; this is how I’ve approached new assignments in the past across financial, governmental and retail sectors. I’ve also referred to the advice and mentorship I’ve received from successful CISOs, combining their approach to their initial days with mine to create my method, which I refer to as the ‘fortnight foundation.’

By now, we all understand that comprehending the business you’re safeguarding is paramount. Phil Venables, whom you should follow on LinkedIn, a former CISO at Goldman Sachs and currently the CISO at Google Cloud, emphasised the importance of CISOs functioning as business leaders, not merely security leaders. It’s crucial to understand the business first and foremost. Spend your time before commencing on day one to understand your new organisation’s core business, its objectives, market dynamics, and the culture that drives it. Browse through news articles, blog posts, and social media to learn how the organisation portrays itself in the public domain.

Week 1: Mapping the Terrain and the Team

Step 1: Immerse Yourself in the Organisation’s Business and Culture

Continue the work you began before day one; the first few days will be dedicated to successfully onboarding you to the organisation. You will gain access to internal communications to help with understanding the business from the inside. Dedicate time to understand your organisation’s core business from this new perspective, its objectives, and its culture. You can do this by reading information normally available on the intranet, leadership communications, strategic plans, and internal newsletters, and by having casual conversations with colleagues from various departments.

  • Read through the leadership communications, high-level project plans, security strategic plans, and recent internal newsletters.
  • Hold informal discussions with colleagues across departments.
  • Look for opportunities to attend meetings outside of your department, and if possible, project meetings, to gain a holistic understanding of the organisation.

Step 2: Assess Your Team’s Skills and Competencies

Renowned security leader Patricia Titus, former CISO at Markel Corporation, emphasised the importance of understanding your team’s strengths and areas for growth. In the first week:

  • Schedule time with each team. These conversations will give you insight into their core skills and scope, their view of the company’s cybersecurity posture, and their ideas for improvement.
  • Encourage open discussions about the challenges they face and their suggestions for enhancing security protocols.

Step 3: Begin to Understand the Cyber Risk Environment

At this stage, gaining a high-level understanding of your organisation’s cyber risk landscape is crucial.

  • Request briefings or risk register reports from your team members about the current state of cybersecurity in the organisation.
  • Begin to schedule meetings with technical leads for an overview of key systems and risk areas.
  • Start reviewing risk analysis procedures, and the technical and application architecture to familiarise yourself with the systems in place.

Week 2: Forging Relationships with Stakeholders

Step 4: Identify Key Stakeholders

In your second week, your focus should be on identifying and understanding your key stakeholders outside the security department. These individuals or groups can significantly influence or be influenced by your cybersecurity strategy.

  • Review organisational charts to identify the key players.
  • Ask your team members and colleagues to help you identify these individuals and understand their roles better.

Step 5: Engage with Stakeholders and Understand Their Projects

Stakeholder engagement is pivotal in your role as a CISO. Tim Callahan, CISO at Aflac, stresses the importance of earning stakeholder buy-in for effective cybersecurity.

  • Schedule introductory meetings with stakeholders. Use this time to understand their projects, the role they see for cybersecurity, and their concerns or challenges related to security.
  • Ask about their past experiences with cybersecurity teams. Understanding their perceptions can help you identify areas for improvement.
  • Show interest in their projects and ask how you can assist in advancing their goals while maintaining robust cybersecurity.

Step 6: Identify the Challenges and Opportunities for Cybersecurity

Having gleaned insights from your discussions with stakeholders, identify the key challenges and opportunities for cybersecurity within the organisation.

  • Identify the common themes from your stakeholder conversations. These will often point to areas that need immediate attention.
  • Start formulating initial ideas about how security can serve as a business enabler. For example, enhanced security measures might instil more confidence in customers or streamline operations by reducing the potential for disruptive breaches.
  • Always maintain a balance between proactive and reactive security measures. You need to address existing issues while also laying down a roadmap to prevent future threats.

Building the Foundations for a Collaborative Team and Strong Relationships

In your role as a CISO, fostering an empowered team and robust relationships is as vital as managing cybersecurity risks.

1. Encourage Open Communication: Foster a culture where the security team members feel comfortable sharing their ideas and concerns. For example, Jason Witty, CISO at JP Morgan Chase, facilitated open communication by establishing regular team meetings and dedicated communication channels for cybersecurity discussions. This might be a dedicated Teams or Slack channel: somewhere the security team feels safe to discuss concerns and ideas without wider scrutiny.

2. Begin to Establish Trust with Stakeholders: Building trust with your stakeholders early on is crucial. Make it a point to demonstrate understanding of their projects and challenges, and express commitment to supporting them. Show empathy and validate their concerns to foster stronger relationships.

3. Foster a Learning Mindset: Advocate for continuous learning from day one. This principle, emphasised by Suzanne Spaulding, former Under Secretary at the US Department of Homeland Security, can significantly enhance your team’s ability to stay ahead of evolving cyber threats. Share relevant articles, webinar links, and training resources with your team. Encourage them to dedicate part of their work week to learning or skill-building activities.

Your first fortnight as a CISO is a golden opportunity to set the tone for your tenure. These proven strategies and real-life examples will guide you in laying a strong foundation for future success.

Remember, effective cybersecurity is not about quick fixes but about developing sustainable, risk-based strategies that align with and support business goals. Best of luck on your journey!

This is the first in the CISO Series blogs. In the next blog, we will look beyond the fortnight foundation. Now that you have set some solid foundations, what comes next and how can you better understand the business, your team, and your stakeholders?

We will begin in the next blog by examining skills.