The situation often dictates how to approach a new job. Did the company just have a humiliating experience with a data breach? Did they not have a CSO previously and that is why they are looking for security help to lock down their network?
If, during the job interview, there was a blunt plea for help, then most new hires would come in guns a-blazin’ to get things under control quickly. But in most scenarios, the CSOs interviewed said there is a general period for examining the company's culture in order to get a grasp of what needs to be done.
“The first thing needed is to review the current state of the information security policy. Getting intimate with this document, as well as the lessons learned in creating it, is instrumental in being successful. To do this you must meet with department leads, stakeholders, and business executives to find out its context and history. My main stakeholders at Bugcrowd are the IT and Engineering groups, so getting comfortable working with them was priority #1,” said Jason Haddix, head of trust and security at Bugcrowd.
From here he started to notice any “hung-up” initiatives, incomplete policies and fragmented responsibilities. Once he wrapped his head around how the company was set up, he created a plan to address each of them at 30, 60, and 90 days out. At Bugcrowd, quick wins were identified related to business enablement and security architecture.
“There can be varying levels of responsibility in each CISO role, but one could never argue there isn't enough to do,” he said. “Once you have your battle plan, have reviewed the budget, etc., rally your direct reports and inform them of your plans. Be honest and transparent about priorities and responsibilities. Take constructive criticism and compromise where necessary, but ultimately break down these plans to quarterly goals as an organization.”
Haddix said the next steps are rolling out initiatives in a structured manner. Working at a startup, his role at Bugcrowd is heavy on business enablement, security architecture, and some compliance and audit. Other roles will work more closely with risk management and security operations.
Alvaro Hoyos took much the same approach as Haddix in rallying the troops upon his arrival as chief information security officer at OneLogin. “I reached out to all personnel to introduce myself, describe what my role consists of, and what we wanted to accomplish in the short term. The CISO role is still somewhat uncommon and has been evolving over the last few years. This role works with all departments and you will be enlisting the help of various team members as you roll out various projects, not to mention that you are also responsible for improving your organization's security culture, which is probably one of the toughest items on your to-do list. Therefore, it is critical to get the organization behind you from the start because personnel outside of your own team will be in the critical path of a lot of your activities and your success will be tied to them.”
The next step was to secure an inventory of information assets. He said knowing what you are tasked to secure is one of the first steps you need to take in order to lay down a good foundational framework to build upon. This requires meeting with information owners and being fluent in all the data coming into and going out of the organization. Part of knowing the data is determining what compliance and legal requirements you must meet, so you can build a security program that is commensurate with the appropriate risks and, more importantly, focus your resources efficiently to address them.
Hoyos noted that a security program is an ongoing effort rather than a one-time project. “A security program is an ongoing journey. Once you have the lay of the land, you need to determine how you will maintain and grow that program effectively. Once you determine what framework(s) you will base your program on, you have to come up with a strategy for what you need to, and more importantly, can realistically tackle in the short term and long term,” he said.
A key step in this process is performing a risk assessment to use as a guide to help you prioritize what you tackle. This is especially useful when getting buy-in from management and defining what your budgetary needs will be.
“Just as important as knowing what you can tackle in the short term, being able to plan for the long term is equally important,” he said.
Knowing the risk
“As a CSO, it all begins and ends with risk -- at the end of the day, you have to understand the risk and how to manage and mitigate that risk,” said Malcolm Harkins, chief security and trust officer, Cylance.
“Specifically, there are two battlefields we have to face: one that is external and one that is internal. The external battlefield is made up of threat factors and agents that we read about in the press every day, and the internal battlefield is made up of budgets, bureaucracy and behaviors,” he said.
Harkins noted that it is a two-pronged approach to evaluation: CSOs need to understand what the risks and controls are externally, and how to build relationships, rapport and influence internally.
Dawn-Marie Hutchinson, executive director, office of the CISO, Optiv, took the cautious approach as well when she first settled in.
“I met with each leader of the IT divisions to understand what their specific data security concerns were and what data was stored, processed or transmitted through their division. The first 30 days were spent just learning the general IT layout; things like how data moved through it, and gaining their perspectives on security. The first months of the role were just about learning about the company, the culture and the business,” she said.
She doesn’t believe it is security’s job to come in and tell every other department how to do their job. Instead the security team should advise management on the risks to information and technology.
“I approached the new role with that in mind and conducted my own assessment of where the organization was relative to others. In hindsight, understanding what the risks were relative to others maybe is a good benchmarking exercise, but it does not align with the business or their risk tolerance. Instead of identifying areas of improvement relative to other organizations, I wished I had been better able to communicate how these risks could impact the business goals of the organization,” she said.
There were a lot of "in-flight" projects when she arrived and the IT organization was extremely nimble. The business thrived on being a fast-moving IT organization, but with that comes increased risk to data confidentiality and system availability.
First day starts at the interview
Dave Mahon, CSO, CenturyLink, said what you do the first day on the job begins when you are interviewing for the job. You first start to assess the organization and teams you will lead. “Use the job interview process to begin the assessment of the organization. Focus on what are the most significant problems,” he said. “Ask, ‘Why are they hiring me?’ and, ‘What will it take to be successful in this organization?’ and other questions that begin to develop what you will do should you be selected for the position.”
Shawn Burke, Global CSO at Sungard AS, echoes Mahon’s statement. “You absolutely need to start researching the business prior to your first day on the job. To help me prioritize my time when I came onboard I created a top 10 list (see sidebar). It included everything from understanding the business and culture, to assessing the current state of the technologies, requirements, policies, procedures and much more. In my opinion, security accountability is one of the most important topics to address. A new CSO should never assume fundamentals are in place and find out who owns security discipline for all systems.”
Once you are on the job, the most immediate things you need to do include meeting with your new boss and developing a road map to assess the company. Then, meet with other key leaders in the organization and obtain their assessment of what needs to be done from their perspective. “Key to your success will be to completely understand the corporate strategy approved by the Board of Directors, CEO and other members of the leadership team. Remember, your job as the CSO is to enable the achievement of those objectives,” Mahon said.
Once you have the strategy and the other leaders’ perspectives, begin the tactical assessment of the teams you will lead. Assess the talent, review the last three years' accomplishments and the future initiatives developed by those teams, and then ask yourself whether these accomplishments and initiatives support the corporate strategy.
“When you meet with your teams, let them know who you are, what you value, that you do not want any politics, and you respect straight shooters. When assessing the teams, look for those who have the will and skill to be in the CSO organization,” he said.
After you have completed your assessment, put down on paper what you will accomplish in the next 30 to 90 days and in the first year, and begin to develop the long-term plan.
Stan Black, CSO at Citrix, cautions, though, that hope is not a strategy. Often CSOs are hired because security is perceived as an important business risk. A key indicator of this potential risk is the hiring manager's title or role. Companies with material security risk should not hire CSOs to report to CIOs, he said.
The best way to mitigate this risk is to provide a 100-day plan outlining what people, processes, and technologies are needed to manage a company’s security risk. “If the hiring company can’t internalize, apply, and commit to the plan, don't take the job,” he said.
Transform security from a problem into a revenue enabler. In today’s world, products and services are not acceptable or of adequate quality unless they are secure. This is often a foreign concept, and it requires engaging cross-functional teams including legal, sales, marketing, PR, Internal Audit, R&D, and the BoD to effectively transform security from a delivery barrier into a business enabler, he added.
Vendor vs. non-vendor perspective
Gunter Ollmann, CSO, Vectra Networks, gave the first-day answer from two perspectives: vendor and non-vendor.
From a non-vendor CSO perspective:
- Measure the current security baseline of the organization. Use vulnerability scanning services to get that first-pass understanding, and compare the results to what policies are thought to be in place. Getting that initial baseline helps define the scale of the work and identify key problem areas that need to be tackled. Later on, comparing progress against that baseline is invaluable for showing progress to the executive team and builds overall confidence.
- Identify and meet with all stakeholders, and listen to them define in their own words the key risks and threats present within their spheres of influence. This allows messaging to be tailored, and it surfaces common problems that can be solved to build both momentum and wider support for security changes.
From a vendor perspective:
- Review SDLC adherence and evaluate the security maturity of the engineering and product management teams. Run a tick-box audit of development processes against the SDLC methodology and structure, looking for weaknesses and building a prioritization plan.
- Baseline product security from both a software coding and a deployment hardening perspective. Understanding, and being able to answer, “what risks do I introduce to a customer’s network?” is key.