A CISO will spend less than two years in the role before moving onto another endeavor.
One of the primary factors behind this alarming turnover rate is the constant stress of the job. In fact, it’s common for a CISO to work nights, weekends and holidays, given that malicious threat actors never truly sleep. Despite being prepared for an attack or loss of data, breaches still do happen, and it’s often the CISO left to face the music -- if they aren't fired.
Once a new CISO joins an organization, onboarding can be daunting. Where should a new CISO even begin? Let’s break down the three initiatives CISOs can implement in order to be more proactive and successful, right from the start.
1: Have the Hard Conversations
A whopping 80 percent of employees across industries report feeling stressed because of ineffective company communication. As a CISO, it’s important to understand the pain points across the entire organization, spanning every department, from HR to finance and everything in between. During the first few weeks on the job, make it a priority to schedule meetings with these department leaders, and encourage honest, open conversations on organizational successes, challenges, fears and more.
For example, HR leaders may be focused on ensuring employees’ Personally Identifiable Information (PII) is properly secured, while CFOs will likely be laser focused on adhering to evolving compliance regulations like the General Data Privacy Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Not only should a CISO understand these various areas of focus, but they should also regularly communicate how the organization is working to achieve these goals, and look to schedule ongoing meetings with these leaders to ensure regular reporting and full transparency.
On top of regular reporting and transparency, CISOs should take the time to educate organization leaders within the business about data security regulations. By teaching them how to think and act in a way that facilitates a successful data security strategy, CISOs can get leaders to consider how they treat data.
2: Understand Where All Data Resides
Another starting point for newly-appointed CISOs should be understanding where all company data resides, whether stored on-premise or in the cloud. More often than not, organizations prioritize only a subset of sensitive data, without realizing that malicious actors can take advantage of the unknown or overlooked.
To begin this audit, CISOs should look to conduct a complete data discovery sweep across all business units. Vast, disparate data can enter company networks each day — it’s important to understand where it lives, what it contains and who has access to this. For example, are employees storing classified documents in a personal file hosting service or on their desktops? Are they sharing sensitive materials with others through Google Drive? How is employee data — including salary figures, social security numbers, dependent information — being handled by HR teams? Only with this information can CISOs prioritize data management, while identifying top areas for concern.
3: Audit the Security Tool Arsenal
Global spending on cybersecurity products is predicted to exceed $1 trillion over the next five years. Simultaneously, as companies spend more on security, losses from cybercrime have nearly doubled in the last five years. Pair this with the fact that with most organizations already using an average of 80 security vendors’ products with minimal tool integration strategy, and you have a recipe for disaster — right from day one on the job.
How can security teams benefit from so many tools in their arsenal? As a newly appointed CISO, it’d be wise to run through the organizations’ security tool spend and understand:
● Which solutions are working well? On the contrary, which tools are ineffective, outdated or being ignored?
● Are there multiple technologies doing the same thing? If so, can you eliminate any?
● Which tools offer strong reporting and measurement, so that other department leaders remain informed on progress following initial hard conversations?
● What is the security budget allotted for the following year?
These questions will help CISOs make the right investment in security solutions for the business, while hopefully eliminating tool fatigue that often plagues IT security teams as they sift through an average of 80 solutions each day.
A new CISO doesn’t have the luxury of easing into the gig — more often than not, this role jumps right into important business decisions on day one. With such high pressure and constant stress relating to the role, it’s important to have a strong foundation when setting out to achieve the task at hand. Through these three simple steps, CISOs should gain a better understanding of data management strategies, security spending and the organization’s priorities at large.
Peter Duthie, GroundLabs