Every company faces its own unique technical and security challenges, but new research indicates that most newly hired chief information security officers would be best served by initially focusing time and attention on their workforce, not their systems and processes.
According to a new report from Forrester that draws on interviews with dozens of security executives, a CISO's first few months on the job are as much a test of his or her political acumen and relationship-building skills as they are about technical skills or digital transformation plans.
Two major themes emerged from the research and interviews conducted with CISOs. The first is that developing human connections is more critical to a CISO's early success than mastery of the technical details. The second: while it is virtually impossible to fix or address a company’s major security challenges in the first 100 days, it is definitely possible to alienate other business units and irreparably harm your security team’s brand in the eyes of peers and colleagues.
New security executives should still have a detailed plan in place for how to tackle their first few months, but one that is also flexible and adaptable, since it will likely need to be updated as new information comes in. In addition to mapping out top security problems, these plans should also take into account questions such as why the company needed a new CISO in the first place (Was the predecessor fired or did the company even have one in place?), whether they have recently suffered a serious data breach and how security issues are communicated up and down the chain of command.
Jeff Pollard, vice president, principal analyst and lead author of the Forrester report, told SC Media that time and time again CISOs cited the ability to cultivate positive relationships as the most important quality to have early in a job.
“The one thing that was uniform [in interviews] is the technology is the easy part, and it’s the part most security teams and leaders already know,” Pollard said. “Enterprises are big ecosystems of people, and you have to be able to navigate that.”
A new CISO might have been brought in specifically to transform the organization’s security practices or clean up after the mistakes of the old regime. Still, the researchers argue that new security execs should resist the impulse to introduce themselves to colleagues and peers by explicitly criticizing past policies or choices put in place by previous leadership and avoid other aggressive or hostile communications in the early weeks.
While big changes or reforms may be in the offing, many employees are looking to ensure that their executive leaders understand the conditions and specific nuances under which previous choices were made. Critiquing those decisions without knowing the historical context “screams immaturity as a leader, particularly with peer executives,” the authors write.
Instead, the first weeks and months of an executive’s tenure should be focused on building and restoring trust between the security shop and the rest of the organization. This is usually a good place to start because many security teams are not especially popular within their own company. Security is often perceived internally as an obstacle or inhibitor to implementing new ideas or processes. Being cognizant of these dynamics and establishing a broader framework of trust and communication with direct reports and other business units is often a key step that CISOs should prioritize early in their tenures.
Pollard said the first three months of a CISO's tenure are often a critical window of time to signal, in a respectful and non-judgmental way, a break with past practices or a desire to repair broken relationships. It’s also the best time to familiarize yourself with individual members of the security team and weed out potentially toxic staffers who may be harming the security team’s reputation with other business units.
“In certain companies there is some scorched earth…or problems that previous security regimes have caused by maybe not being as plugged into the rest of the organization, maybe being seen as an obstacle or impediment as opposed to a group that would help,” Pollard said. “I think we’ve done a lot to overcome some of that image of the past…but it’s also in those first 100 days that you can accidentally harken back to that if you do things incorrectly.”
The notions of people over technology and of exercising caution in the early stages of a new job were echoed by other CISOs. Rick Holland, a CISO at Digital Shadows who was interviewed for the Forrester report, told SC Media that mapping out the needs and motivations of your colleagues and peers is often more of a priority for newly minted CISOs than mapping out the threat landscape.
“Relationships will be the foundation for all work that the CISO has to undertake,” Holland said. “Who are the key stakeholders? What do these business partners care about? What motivates them? What are their business goals? Understanding these answers will help a CISO develop a roadmap and navigate the people components of the organization.”
Taking the time to gain a more granular understanding of the technology environment and how the company arrived at the status quo can also demonstrate the kind of baseline competence and thoughtfulness that could be remembered long after the honeymoon period ends.
“From personal experience, I find there is nothing worse than the new guy showing up and asserting his own agenda onto an existing team without evaluating what is already in motion and how that personal agenda fits or aligns with existing momentum,” Netenrich CISO Chris Morales wrote in an email. “It is great to have a vision based on past experience, but it is more important to embrace the new culture and not alienate the most important resource you have — people with existing knowledge of the landscape and who have laid the groundwork for future success.”