The first 100 days as a Chief Information Security Officer will be challenging in developing a security strategy for the organisation.
A successful CISO is responsible for aligning security and technology in protecting and ensuring the business and its customers are protected.
According to the Spiceworks tech career outlook survey 62% of IT leaders see cybersecurity as a key skill to develop for 2017. CIO UK looks at the first 100 days as a Chief Information Security Officer and the steps to implementing a successful security strategy. (See also:Chief Information Security Officer salary and job description)
First 100 days as a CISO: Researching and understanding the business
In some organisations, the CISO sits on the executive board communicating and developing a security strategy to ensure confidential information is protected.
With no clear definition of the Chief Information Security Officer’s job description and organisations having their own requirements of a CISO title; researching the business model can help prepare the employee for the role.
Holding meetings and focus groups are a great way to collect data while offering an insight into the needs of the staff and their customers. Through collaboration this can give the CISO an understanding of what areas need to be improved within the organisation.
Building relationships with staff can help the CISO see what concerns they face in protecting confidential information and the organisation's data.
A CISO should create an agenda of the priorities they want to achieve within the first few months and how they are going to reach them. A 100-day roadmap setting ideas, resources and costs will motivate the CISO, and will shape and encourage their team to meet business expectations.
Making notes and drafting an action plan can be beneficial when presenting a security strategy to the board. This can demonstrate leadership and credibility in a CISO role.
First 100 days as a CISO: Forming a leadership style
The information gathered will develop the CISO’s communication and leadership skills when building relationships with stakeholders.
A CISO demonstrating their leadership skills in communicating security across the workplace has been cited by a number of CISOs, and Richard Spearman has seen his time as a Corporate Security Director start with the board to lead a security initiative at Vodafone.
“I want the board to see it’s their journey as well as ours,” he said. “By getting the culture right in our organization, so that security breaches are not something that happens to us at Vodafone. I need to make sure it’s something everyone in the company knows they can contribute to.”
Corporate Security Director Spearman's time in post has seen him take leadership on running events and sharing knowledge on possible security threats within and outside of the organisation.
When presenting the data, using infographics and multimedia can help engage the team in sharing the security strategy’s vision.
The presentation should outline costs, resources and goals in communicating to the team how information will be secured.
Following an agenda with set dates and business targets will encourage the executives to make investments in ensuring the company is protected from incoming threats.
First 100 days as a CISO: Laying the foundation for a sound security program
In laying the foundations of a security strategy a CISO can use the agenda to work on delivering results.
Chief Information Security Officer Jimmy Bashir has been communicating regularly with the board about the security strategy he plans to develop at DWP.
"If the board is not listening to you, then rolling out your strategy or transformation programme is just a tick-in-the-box,” he said. “You need buy in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories. You don't need large sums of money to get the basics right and ensure the business is engaged."
Incorporating existing programmes with new security initiatives can establish the business is working towards governing a system.
When the strategy is in progress CISOs should regularly schedule meetings with the team, managers and stakeholders highlighting challenges and goals set for the agenda. CISOs should report on the meetings held, making note of any ideas suggested and concerns raised. This can ensure the team is on track to securing the business. (Read next: Cyber security in the boardroom -How CIOs discuss cyber threat with leadership)