[eBook] Your First 90 Days as a CISO – 9 Steps to Success


Chief Information Security Officers (CISOs) are an essential pillar of an organization's defense, and they have a great deal to take into account. For new CISOs in particular this can be a daunting task. The first 90 days of a new CISO's tenure are crucial for setting up the security team, so there is little time to waste and a lot to accomplish.

Fortunately, a new guide from XDR vendor Cynet (download here) seeks to give new and seasoned CISOs a lasting foundation on which to build a successful security organization. The challenges facing new CISOs are not just logistical.

They include securing their environment against known and unknown threats, managing stakeholders with unique needs and demands, and interfacing with management to show the value of enhanced security.

Planning against clearly defined milestones therefore helps CISOs seize the opportunity for change and implement security capabilities that let the organization grow and prosper.

Security leaders can also use an organization's readiness to undergo digital transformation as an opening to deploy smarter, more adaptive defenses. This matters because a good security team improves an organization's ability to evolve and innovate. The question is where to start.

9 steps for new CISOs

The eBook explains how new CISOs should approach their first 90 days so that each passing week builds on the last, and so that security managers understand both their current reality and what they need to improve. Before building a security stack and organization, new CISOs should understand the status quo: what works, and what needs to be upgraded or replaced.

Here are the nine steps to success for a new CISO, according to the guide:

  1. Understand business risks – The first two weeks in a new security leader's job should be spent not acting, but learning. New CISOs must familiarize themselves with their organization, how it functions, its existing security strategy and how it interacts with the market. This is also the opportunity to meet other leaders and stakeholders and understand their needs.
  2. Understand organizational processes and develop a team – Next, take a look at processes and teams, and how they interact. Before introducing new protocols, CISOs and security managers should know which processes are already in place and whether they work for the organization or not.
  3. Build a strategy – Next, start developing a new security strategy that aligns with the business strategy, organizational goals and objectives, and staff career goals. This includes thinking about automation, how cyber risks are detected and addressed, and how the defenses will be tested.
  4. Finalize the strategy and implement it – With a strategy drafted, it is time to put rubber on the road. Before finalizing the strategy, gather critical feedback from other stakeholders, then present the final plan to the board and executive committee. With final approval, begin developing tactics and planning the implementation of the new strategy.
  5. Become agile – Once the strategy is in practice, security teams can focus on becoming more responsive, more adaptable, and agile enough to tackle any challenge. This includes choosing the right tools and methods for project management.
  6. Measure and report – Now make sure that the plans that have been implemented are actually working. Once things are in place, start regular cycles of measurement and reporting to show both the security team and the executive committee that the strategy is delivering.
  7. Pen test – This is a critical step and should serve as the key assessment of how effective the strategy is. Any good plan should include rigorous testing that helps teams find places where defenses are not working, or vulnerabilities that do not show up on paper but do in practice.
  8. Build a ZTA plan – Now is the time to retire outdated Identity and Access Management (IAM) paradigms and move to multi-factor authentication (MFA), keeping in mind that MFA is a starting point for a zero trust architecture rather than the whole of it. The plan also covers raising the security posture of SaaS applications and adding network defenses that can prevent common attacks.
  9. Evaluate SaaS providers – Finally, since SaaS applications should be used wherever possible, a new CISO should carefully evaluate existing vendors to find a solution that covers as many services as possible without requiring a complex, and potentially risky, security stack.

You can read more about how CISOs can get started successfully here.
