The typical CISO spends less than two years in the role before moving on to another endeavor.
One of the primary factors behind this alarming turnover rate is the constant stress of the job. It is common for a CISO to work nights, weekends and holidays, because malicious threat actors never truly sleep. Even when the organization has prepared for an attack or a loss of data, breaches still happen, and it is often the CISO who is left to face the music, if they are not fired outright.
Once a new CISO joins an organization, onboarding can be daunting. Where should a new CISO even begin? Let's break down three initiatives CISOs can implement in order to be more proactive and successful, right from the start.
1: Have the Hard Conversations
A whopping 80 percent of employees across industries report feeling stressed because of ineffective company communication. As a CISO, it is important to understand the pain points across the entire organization, spanning every department, from HR to finance and everything in between. During the first few weeks on the job, make it a priority to schedule meetings with these department leaders, and encourage honest, open conversations on organizational successes, challenges, fears and
For example, HR leaders may be focused on ensuring employees' Personally Identifiable Information (PII) is properly secured, while CFOs will likely be laser focused on adhering to evolving compliance regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Not only should a CISO understand these various areas of focus, but they should also regularly communicate how the organization is working to achieve these goals, and schedule ongoing meetings with these leaders to ensure regular reporting and full transparency.
On top of regular reporting and transparency, CISOs should take the time to educate business leaders about data security regulations. By teaching them how to think and act in a way that supports a successful data security strategy, CISOs can get leaders to reconsider how they treat data.
2: Understand Where All Data Resides
Another starting point for newly appointed CISOs should be understanding where all company data resides, whether it is stored on-premises or in the cloud. More often than not, organizations prioritize only a subset of their sensitive data, without realizing that malicious actors can take advantage of the unknown or overlooked.
To begin this audit, CISOs should conduct a complete data discovery sweep across all business units. Vast amounts of disparate data can enter company networks each day, so it is important to understand where it lives, what it contains and who has access to it. For example, are employees storing sensitive documents in a personal file hosting service or on their desktops? Are they sharing sensitive materials with others through Google Drive? How is employee data, including salary figures, Social Security numbers and dependent information, being handled by HR teams? Only with this information can CISOs prioritize data management and identify the top areas of concern.
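As an added illustration of what such a sweep looks like in practice (example code written for this page, not a GroundLabs tool or the author's own), the script below walks a directory tree, flags files that contain Social Security number or payment card patterns, and records how widely each file is readable. Card candidates are verified with the Luhn checksum so that an invoice reference that merely looks like a card number is not reported. The directory layout, file contents, file modes and the two regular expressions are all constructed for the example; a real sweep would add many more data classes and would also cover cloud storage and mailboxes, which a filesystem walk cannot see.

```python
"""Minimal data-discovery sweep: walk a tree, flag files holding PII-like
content, and record how widely each file is readable.  Added example with
constructed patterns and sample data; not a complete PII taxonomy."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# US SSN in dashed form, excluding area numbers that are never issued (000, 666, 9xx).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; Luhn decides if it is a card.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MAX_BYTES = 5 * 1024 * 1024  # larger blobs belong in a different pipeline


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: turns 'looks like a card number' into 'is one'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str            # relative to the sweep root
    kind: str            # "ssn" or "card"
    count: int
    mode: str            # e.g. "-rw-r--r--", so the reader sees who can read it
    world_readable: bool


def scan_text(text: str) -> dict:
    """Count SSN and Luhn-valid card matches in one file's contents."""
    ssn = len(SSN_RE.findall(text))
    cards = sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m)))
    return {"ssn": ssn, "card": cards}


def sweep(root: str) -> list:
    """Walk root and return one Finding per (file, data kind) with hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for kind, count in scan_text(text).items():
                if count:
                    findings.append(Finding(
                        path=os.path.relpath(path, root).replace(os.sep, "/"),
                        kind=kind, count=count,
                        mode=stat.filemode(st.st_mode),
                        world_readable=bool(st.st_mode & stat.S_IROTH)))
    return sorted(findings, key=lambda f: (f.path, f.kind))


# Constructed sample content, not real records.  4111 1111 1111 1111 is the
# well-known Luhn-valid test number; ...1112 fails Luhn and must not be reported.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn,salary\nAda Example,123-45-6789,98000\n",
    "desktop/employee_export.txt": "Ada 123-45-6789\nBob 321-54-9876\n",
    "finance/customers.txt": "Bob Example, card 4111 1111 1111 1111, exp 12/27\n",
    "finance/invoice_ids.txt": "ref 4111 1111 1111 1112 is an invoice id, not a card\n",
    "docs/roadmap.txt": "Quarterly roadmap: nothing sensitive here. Ticket 1234.\n",
}


def build_sample_tree() -> str:
    """Create the constructed tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="discovery-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        # payroll is locked down; the desktop export is left world-readable
        os.chmod(path, 0o600 if rel.startswith("hr/") else 0o644)
    return root


if __name__ == "__main__":
    for f in sweep(build_sample_tree()):
        print(f"{f.mode}  {f.kind:4}  x{f.count}  {f.path}")
```

Run it and the report lists the HR payroll file and the desktop export (both holding SSNs) and the finance customer file (one card number), with the invoice file and the roadmap absent. The file mode column is the start of the "who has access" question: a world-readable export of employee SSNs on a desktop is exactly the overlooked copy the section warns about.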
3: Audit the Security Tool Spend
Global spending on cybersecurity products is predicted to exceed $1 trillion over the next five years. At the same time, even as companies spend more on security, losses from cybercrime have nearly doubled in the last five years. Add the fact that most organizations already use an average of 80 security vendors' products with minimal tool-integration strategy, and you have a recipe for disaster, right from day one on the job.
How can security teams benefit from so many tools in their arsenal? As a newly appointed CISO, it would be wise to run through the organization's security tool spend and understand:
● Which solutions are working well? Conversely, which tools are ineffective, outdated or being ignored?
● Are there multiple technologies doing the same thing? If so, can you eliminate any?
● Which tools offer strong reporting and measurement, so that other department leaders remain informed on progress following initial hard conversations?
● What is the security budget allotted for the following year?
These questions will help CISOs make the right investment in security solutions for the business, while hopefully eliminating the tool fatigue that often plagues IT security teams as they sift through an average of 80 solutions each day.
A new CISO doesn't have the luxury of easing into the gig; more often than not, the role demands important business decisions on day one. With such high pressure and constant stress, it is important to have a strong foundation before setting out on the task at hand. Through these three simple steps, CISOs should gain a better understanding of the organization's data management strategies, its security spending and its priorities at large.
Peter Duthie, GroundLabs