
You got the CISO role, now what?

The first 100 days as a CISO can be demanding. This is a critical time for you to build relationships with key stakeholders, set the tone for your security programme, and start making a real difference to the organisation's security posture.


Here are some of the priorities for a CISO in their first 100 days:

  • Assess the current state of security: This includes understanding the organisation's cyber risk profile, the current security controls in place and their effectiveness, and the maturity of the security program.

  • Build relationships with key stakeholders: This includes the C-suite, business leaders, and other key decision-makers. Building relationships with these stakeholders helps you get their buy-in for your security initiatives, and also lets their business needs shape those initiatives.

  • Identify and prioritise risks: Once you have a good understanding of the current state of security, you can start to identify and prioritise the most pressing risks. This will help you focus your efforts on the areas that will have the biggest impact on the organisation's security posture.

  • Communicate effectively: It's important to communicate effectively with stakeholders about the importance of security and the steps you're taking to improve the organisation's security posture. This will help to build trust and support for your security program.

  • Build a continuous security programme: There could well be some low-hanging fruit or quick wins that will demonstrate a shift in the security posture. Delivering these successfully will help build confidence in your effectiveness as a security leader. However, most improvements will take time, and new initiatives will be identified through business-as-usual activities, audits and assessments. A security programme will have milestones, but is unlikely to have an end date.

It's also important to remember that the first 100 days are just the beginning. It takes time to build a strong security programme, but if you focus on the priorities, then you'll have a great chance of success.


Here are some additional tips for a CISO in their first 100 days:

  • Don't be afraid to ask for help: There are a lot of resources available to help CISOs, so don't be afraid to reach out for help from your peers, industry organisations, or security vendors. Look for information sharing groups, either within your industry, or across industries. Attend events and round tables, network and connect with others.

  • Set realistic expectations: It's unrealistic to expect to fix all of the organisation's security problems in the first 100 days. Set realistic expectations for yourself and your team so that you don't get discouraged.

  • Be outcome focused: Focus on outcomes, and think about how you can demonstrate and measure success. Sometimes good security improvements are invisible to users, so think about how you can communicate and highlight those improvements.

  • Be patient: It takes time to build a strong security programme. Don't expect to see results overnight. Be patient and persistent, and you will make a difference.

Whether you need support as a CISO to review or complete these areas, or to free up time for your own review of them, our Capability-as-a-Service can help.


Talk to us today. We can help!
