Whatever the circumstances, the honeymoon period ends quickly, so it's critical to make sure the first 100 days are optimally spent. This will set the tone of your working career in this organization, so it's essential that no time is wasted in figuring out what needs to be done and implementing a plan detailing how to do it. That typically means identifying and fixing some of the biggest holes, making some organizational or process changes (for the better) and, ultimately, establishing a track record of meeting objectives.
Keep in mind that the regime change happened for a reason. Maybe the previous security manager lost the confidence of the team, or maybe he or she didn't get enough done or didn't let anything happen at all. Odds are there are issues that need to be dealt with, and it's up to you and your team to start making progress.
Basically, the first 100 days can be broken down into four distinct areas of focus:
- Baseline -- It's important to figure out how security really stands at the company, so some kind of assessment is in order. Maybe a pen test, maybe a scan, maybe a social engineering experiment; most likely all of the above. Keep in mind that after about 100 days, the blame for any problems will fall on the new security team, so all of the residual issues need to be found as soon as possible. There is no benefit to sugarcoating the situation.
- Triage -- Now that the baseline is established, the leaky buckets can be plugged. That means moving quickly to remediate the most obvious, easiest and cheapest issues. Finding a few quick wins is absolutely critical during the first 100 days. Those issues may not be the highest profile or even the most important, but by getting them fixed, it informs the organization's senior management team that you get things done successfully and on schedule.
- Evangelize -- Another key task for the first 100 days is to set the stage for a structured security program that will underlie security operations. That means meetings with executives are in order to figure out what they want protected and why. It also makes sense to present the entirety of the program to the power brokers in the organization; they will likely push back on some aspects, and that's fine. As credibility is built up, it'll become easier to get support for the projects and processes that are important to protecting data. But a big part of finding success as a senior security manager is to get face time with the corporate executives. If they don't know who you are and what you are doing, then you are doing it wrong.
- Plan the next steps -- The last thing to do during the honeymoon is to build a plan for the rest of the year. Senior managers like to see the team working on a plan. The underlying security program provides the structure, so the remaining task is to define some milestones and then start tracking progress against those milestones.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.
This was first published in November 2008