A new study by Deloitte shows that when a company makes a CISO hire from outside the organization, that executive...
faces many challenges, including a lack of resources and ineffective communication/reporting among stakeholders. What are some ways CISOs can overcome these challenges, quickly gain knowledge of an organization they are joining, and develop a security strategy that really meshes with the company?
A new, external CISO hire often faces challenges that predecessors have not been successful in overcoming, which is undoubtedly the reason for her hire. New CISOs may arrive at their new organization to find they lack resources, the protection architecture is wanting in critical areas and the security program is not embedded into the business culture. This is not uncommon, but what the CISO should realize is, in addition to these challenges, that expectations are high -- and that can be leveraged to gain support from upper management.
A study by Deloitte published in August 2015 stated that the CISO requires four faces to be successful in the organization: strategist, advisor, guardian and technologist. It further states that the goal for the new CISO hire is to emphasize the role as a strategist and advisor, and less as a guardian and technologist.
The trick is to find a way to overcome the challenges that face a new CISO hire and develop a strategy that will meet the organization's strategic objectives. To do this, the new CISO hire needs to take certain steps:
- Gain an understanding of the enterprise strategic short-term and long-term goals;
- Perform a cybersecurity risk assessment to identify mission critical systems;
- Use a proven information security framework such as NIST Cybersecurity Framework or ISO 27001 to drive results of the risk assessment;
- Establish a recurring communication on the state of information security with executive management and the board of directors;
- Perform an inventory of staff skills and cybersecurity tools for protection and monitoring;
- Develop an enterprise security awareness program that includes executive management;
- Develop a budget, strategic plan and tactical plan to deploy the protection constructs evidences from the risk assessment and resource inventories; and
- Develop and publish a board approved charter for information security that states roles and responsibilities, scope of control and independence.
Other factors are critical to the CISO's success, such as reporting structure, executive management support, respect from IT, visibility within the organization as a trusted business advisor, and ensuring that the cybersecurity program meets and exceeds enterprise protection needs. These may not initially be in place but if the new CISO hire takes these steps, she will have greater success.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)
Find out what to expect in a CISO job interview
Discover what organizations are looking for in CISO candidates
Learn how to avoid executive turnover after a data breach
Dig Deeper on Information security program management
Related Q&A from Mike O. Villegas
A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading
A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading
Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading