Your First 100 Days on the Job as a CISO [A Free Checklist]
The buzz and bustle of the cybersecurity profession mean that each day, week, and quarter brings new challenges.
The role of the CISO is emerging from the shadows to take a central role in the boardroom, and it comes as a general feeling of instability grips executives. Rising cyber insurance premiums, ransomware threats, talent shortages, and growing threat risks mean that cyber executives are feeling the heat.
We’ve entered a period of cyber crisis.
That is why this companion checklist is here to accompany you on your first 100 days in the CISO hot seat. We’ve summarized tools, tips, and frameworks for you in this guide.
- Phase 1: Assessment and relationship building [Month 1]
- Phase 2: Strategy Development and Quick Wins [Month 2]
- Phase 3: Communication and lift off [Month 3]
- Phase 4: Temperature check and reevaluation [Month 4]
We hope you’ll find this guide useful as part of our wider CISO Insights series. You’ll find the first blog in this series here.
Phase 1: Assessment and relationship building
Month 1
Review your security posture
It is time to think about your security posture with a thorough assessment of where you stand in your new role.
To know what you’ve inherited, take the time to undertake a thorough analysis of your current security infrastructure, policies, and procedures, as well as a review of recent security incidents and how effectively your predecessor handled them.
When it comes to the massive black hole that is compliance, take some time to review, review, and review some more, especially when it comes to vendors you are working with. Consider adding an internal audit to your calendar to review all compliance certifications.
Assess your relationships
“You can have everything in life you want if you will just help enough other people get what they want.”
Rod McDermott, CEO of McDermott + Bull
Building strong relationships within your organization is a huge pathway to success, and so is engaging with board members, C-suite executives, department heads, and key external stakeholders. A long list of new faces to meet is an essential part of your initial onboarding homework. You need to lead by example and foster an environment where cybersecurity is not scary, but essential for business continuity.
When it comes to your security team and forging relationships within the CIO’s department, you’ll need to hit the ground running with a cybersecurity strategy and program that builds confidence for the on-the-ground challenges and opportunities they are facing.
Tackle your budget admin
The next part of your to-do list is to review the budget of your entire cybersecurity program. This is one of the most tedious and aggravating tasks on your list but there is no risk assessment without budget to help you achieve all those business goals.
It is a task not without its issues, since it means wrangling with business leaders like the CFO and the wider Finance team.
In the U.S., data shows that while 12% of CISOs saw budget declines in 2024, the share of IT spending going to security keeps growing, rising from 8.6% of IT budgets in 2020 to 13.2% in 2024.
You’ll need to quickly identify risky resource gaps and plead your case for areas where you can optimize. You’ll also need oodles of time with senior level executives in various departments to eventually get closer to what you want and need. Our advice is to take deep breaths and align your needs as closely as possible to meeting regulatory compliance and security threat needs.
We found this guide by Forrester an excellent resource.
Phase 2: Strategy Development and Quick Wins
Month 2
Month two is all about accelerating on your new roadmap, now that all these new faces and the wrangling over budget constraints feel more familiar. It is no mean task to develop a roadmap that covers the most important security risks (while also supporting business objectives).
Last year, studies highlighted that organizations with strong data governance are 2x more likely to exceed business goals. You’ll need to scrape and
Map out your CISO cybersecurity roadmap
How can you blend risk management, low-effort initiatives that convert into impactful improvements, and enhanced security policies all around in your first roadmap presentation?
It is not an easy task.
Especially when, according to a Trend Micro study, “90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals.”
Varying attitudes to cyber risk mean that wrangling advocacy and budget to sidestep current and future vulnerabilities can badly hold back your progress.
One overlooked item on the roadmap of a new CISO is communicating trade-offs to senior leaders, especially when you are switching up processes. Every roadmap conversation, for any role, can lead to counterproductive back and forths, with IT security and the C-suite leaders wanting different priorities to be front and centre.
Framing trade-offs correctly is key to delivering on your roadmap without compromising your team’s ability to deliver or increasing the probability of burnout within your team.
“There are no solutions, there are only trade offs; you try to get the best trade-off you can get, that’s all you can hope for.” – Thomas Sowell
When it comes to establishing KPIs and metrics, the whole team risks losing out from poor direction from the Chief Information Security Officer. You’ll need to select data based on who the intended recipient is, from your board of directors to your Chief Information Officer. However, everyone appreciates clear-cut cyber threat reporting, something that CISOs with less internal support can lean on their vendors for. When it comes to incident responses, disaster recovery, and generic security measures
In our upcoming CISO Insights blog, we’ll further dive into CISO KPIs that count in 2024. Check out the first blog in this series, “How to Navigate Board Meetings: A Primer for CISOs.”
Phase 3: Communication and lift off
Month 3
Kick off your security initiatives with gusto
Month three should feel a little different. You’ve sat down with pen and paper and reviewed risk management, built a cybersecurity roadmap, wrangled with your CFO, and (hopefully) formed great relationships with the rest of your team, which is all positive.
But it is still the season of proving your worth as the new kid on the C-suite block. Now you’ll need to execute and prove that action beats anxiety.
In a nutshell, you’ll need to ramp up the following 3 action items:
1: Implement your strategic roadmap: It needs to demonstrate your focus on security operations, business processes, reporting structures, threat landscapes, training programs, data protection, and incident response preparation. The goal here is to be as thorough as possible with the data and resources you have analyzed so far. You’ll need to focus on the high-impact quick wins as much as possible.
2: Make better communication your goal: You can’t safeguard your position without massively tightening how sharply you communicate to everyone. From your board to your security manager, you need to adapt how you share data and reports. What is also critical is reviewing how you’ll share information with all stakeholders if data breaches and cyberattacks occur. It would be unfortunate if a major crisis happened just as you are taking over the reins, so be prepared in case it does. It is the CISO’s responsibility to communicate well, not just emit stress to a new team of security professionals who look to you for guidance.
When it comes to your board, you’ll need to focus on adapting your language to basic data security metrics that are digestible. No matter how savvy and smart you are in the eyes of your team, if your security breach presentation is double Dutch, you’ll flail. In this period, lean on vendor dashboards as you ramp up your own analysis of internal metrics. The multifaceted role of a CISO means that you have to pivot every detail to your audience.
3: Ramp up an internal security culture: It sounds obvious, but the work starts now to gain trust and educate every single member of your team, all departments, the board, and not least your executive team. PwC has found that 46% of companies consider CEO buy-in a huge driver for improved cybersecurity culture at work.
Phase 4: Temperature check and reevaluation
Month 4
Month 4 feels like stepping off the treadmill after an aggressive sprint session. Now it is time to stretch and evaluate (really evaluate) how you are performing after the first 3 months.
You can tackle this in a few ways:
- Take time to review your performance receipts: What has been deployed, revamped, or scrapped? Have you had the impact you’d hoped for? Is your team settling into a new rhythm of cohesive productivity? What has gone wrong? Take time to hear feedback from your team and use it to do better!
- Look at your KPI results: Review, revise, and repeat your winning findings. Keep a close eye on your vendor reporting and see how viable their reporting feels for your needs and coverage.
- Think future forward: By now you are firmly establishing your findings, and you yourself need time to evaluate, read, and be mindful of the time and budget constraints that will pop up. Now that you have a greater idea of the operational and incidental events in your new role, you can carry out some deep work to establish more precision in your reporting and routines.
Remember if you need any threat investigation expertise during this time you can contact our REACT team.
Wrapping up
Congratulations on making it through the first 100-day marathon. We wish you every success for the next sprint. You may be ruminating on continuing to build out your roadmap, so make sure to check out more engrossing and helpful resources over on our blog.