A new CISO confronts multiple challenges. This checklist provides guidance on what CISOs should focus on within the first 30 days, six months and first year of their tenure to ensure a fast, successful start.
New CISO Priority Checklist
New CISOs: First 30 Days
- Ensure you have a clear CISO charter; specifically:
  - CISO responsibilities and accountabilities need to be stated clearly and comprehensively.
  - There should be no disconnect between CISO and executive management expectations.
  - Determine whether existing governance models have been successful within the organization and work to learn of any potential political pitfalls.
- Determine if a viable risk register exists
  - If a risk register is in place, ensure it:
    - Addresses the most significant risks.
    - Has executive-level buy-in.
    - Is integrated in most business processes.
    - Shows clear lines of risk ownership and accountability.
  - If there is no risk register or it lacks executive-level buy-in:
    - Work on getting one created.
    - Ensure it has comprehensive executive input and review.
- Review current infosec policies, standards and operating procedures
  - Ensure they are clear, current and comprehensive.
  - Ensure they address the enterprise’s biggest risks (for many CISOs, this should encompass ransomware preparedness and defenses in some way).
  - Ensure compliance truly moves the needle in terms of mitigating those risks, and ensure you understand what reporting requirements are in place.
- Clearly define what information requires protection
  - Is it personally identifiable information, financial data, intellectual property or something else?
  - Once defined, document it, train employees to understand it and publish it where it is easy to review and reference.
New CISOs: First 6 Months
- Establish clear metrics and key performance indicators
  - Start with the highest risks from the risk register.
  - Ensure metrics and key performance indicators reflect the risks and what is being done to mitigate them.
  - Create a clear, concise dashboard to keep executives apprised of progress, while avoiding minutiae.
- Understand and benchmark CISO resources
  - Delineate all resources (staff and budget) under CISO control.
  - Benchmark against similar-sized enterprises in your industry and against what the infosec charter requires of the CISO and team.
  - Document any disconnects or discrepancies early to set accurate expectations with executive leadership.
- Evaluate third-party risk management capabilities
  - If you have a dedicated vendor management team, work to understand how comprehensive existing third-party risk evaluations are.
  - If a prioritized list of third parties does not exist—particularly, any with extensive access or privileges within the environment—start development of this list.
- Review the enterprise’s prior security incidents
  - Review high-profile breaches (e.g., MGM, Caesars, Clorox) to determine if similar systemic failures exist within the enterprise.
  - Ensure that if they do, they are captured in the risk register and are being corrected.
  - If they aren’t captured in the risk register but should have been, determine why that happened and how to preclude recurrence (“root cause analysis”).
- Review past audit findings related to security
  - Determine if they relate to true information security risks.
  - Work to get them resolved and to demonstrate the infosec team’s support for audit compliance.
- Get an infosec strategic roadmap in place
  - If one exists, update it to reflect the enterprise’s current risk posture and goals.
  - If one doesn’t exist, create it.
- Gauge the morale and attitude of your staff
  - Determine if low morale, poor performance or mismatches between skills and job assignments exist.
  - If they do, confront those challenges and correct them.
New CISOs: First Year
- Uncover and address the biggest complaints about infosec
  - Use the risk register and, if helpful, talk to the CIO and help desk personnel to gain their perspectives (if not already done through the risk register).
  - Work to reduce the worst risks and address the greatest complaints.
  - Try to move the needle on compliance with policies/requirements by considering more user-friendly solutions (e.g., self-service password resets).
- Review and streamline account provisioning/deprovisioning
  - Determine if this is a pain point for users and supervisors.
  - Tighten up the provisioning process to make it efficient, while still ensuring the principle of “least privilege” is met.
  - Get with app owners to determine a clear picture of which users should receive certain privileges and when.
  - Work to streamline, or even automate, the process of granting and revoking privileges, ideally utilizing SSO, federation and other more modern IAM capabilities and tools.
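As an added example (not part of the IANS checklist), a small joiner/mover/leaver reconciliation the infosec team could run over an HR roster, an identity-store export and the app owners' role-to-privilege approvals to surface deprovisioning gaps, missing accounts and privileges beyond what a role should hold. The Employee and Account types, the ROLE_PRIVILEGES policy and all sample data are constructed for illustration.

```python
# Added example: reconcile HR roster, identity accounts and app-owner
# role policy to find provisioning/deprovisioning and least-privilege gaps.
# All rosters, accounts and role policies here are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Employee:
    user_id: str
    role: str
    active: bool          # False once HR marks the person as departed

@dataclass
class Account:
    user_id: str
    enabled: bool
    privileges: set = field(default_factory=set)

# Hypothetical app-owner approvals: the privileges each role may hold.
ROLE_PRIVILEGES = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"erp:read", "erp:post"},
    "helpdesk": {"idp:reset_password"},
}

def reconcile(hr, accounts):
    """Return findings as (category, user_id, detail) tuples."""
    findings = []
    hr_by_id = {e.user_id: e for e in hr}
    acct_by_id = {a.user_id: a for a in accounts}
    for a in accounts:
        emp = hr_by_id.get(a.user_id)
        # Leaver gap: enabled account with no active employee behind it.
        if a.enabled and (emp is None or not emp.active):
            findings.append(("orphaned_account", a.user_id, "enabled account with no active employee"))
            continue
        # Mover/least-privilege gap: privileges the role was never approved for.
        if emp is not None and a.enabled:
            excess = a.privileges - ROLE_PRIVILEGES.get(emp.role, set())
            if excess:
                findings.append(("excess_privilege", a.user_id, ",".join(sorted(excess))))
    # Joiner gap: active employee who still has no account at all.
    for e in hr:
        if e.active and e.user_id not in acct_by_id:
            findings.append(("missing_account", e.user_id, f"active {e.role} has no account"))
    return findings

# Constructed sample data: alice holds an ERP privilege outside her role,
# bob has left but keeps an enabled account, carol was never provisioned.
SAMPLE_HR = [Employee("alice", "engineer", True), Employee("bob", "finance", False), Employee("carol", "helpdesk", True)]
SAMPLE_ACCOUNTS = [Account("alice", True, {"repo:read", "repo:write", "erp:post"}), Account("bob", True, {"erp:read"})]

if __name__ == "__main__":
    for category, user, detail in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{category:18} {user:8} {detail}")
```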
- Foster better relationships
  - Work to improve relationships with HR, internal audit, finance and other key groups.
  - Establish meaningful communications with those groups—listen to them and explain what infosec is doing or can do to deal with their worries and concerns.
  - Ensure you have a continuing dialog—not a “one and done” discussion.
- Clean up the endpoints
  - Ensure endpoints boot up quickly and cleanly.
  - Clear up performance problems with full disk encryption, anti-malware protection or other security features.
  - Ensure authentication works seamlessly.
  - Ensure a capable endpoint detection and response tool is in place.
- Review the SDLC
  - Ensure business and related infosec requirements are defined prior to project commencement.
  - Ensure information security is properly addressed early in the process.
  - Ensure the SDLC is properly governed and executed, with appropriate phase gate review of infosec requirements.
  - Ensure developers are properly trained on secure coding practices.
- Address policy vs. practice (cognitive dissonance)
  - Ensure policies and standards are understood and followed.
  - Identify areas where users are ignoring or not complying (i.e., employing “workarounds”), determine their root cause and then deal with the gaps, which may require policy adjustments, better training or enforcing adherence.
- Ensure SSO is in place for all cloud access
  - Determine if users are struggling with multiple credentials for cloud resources.
  - Determine if/how an SSO solution could help or, if one already exists, how it can be expanded to more applications and services (both internal and cloud).
- Tackle help desk overload
  - Reduce volume and complexity of calls. For example:
    - Enable password self-service resets.
    - Provide an easy way to report phishing emails (outside of the help desk).
    - Deal with recidivists (those users who call again and again reporting the same problem—often, a forgotten password). This may include getting their supervisors involved.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.