In the second of a two-part series, Ahmad Douglas, Chief Information Security Officer at CommScope, shares strategies to hit the ground running (and listening).

In my previous article, I offered advice for senior security leaders on how to make the jump to the capstone role of CISO. But the real distinction isn’t obtaining the title – it’s thriving in your new position. To do this, you’ll need to build and run an excellent security program, while effectively managing up to the C-suite, laterally with your senior executive peers, and down throughout your organization.

Let’s get started with the strategies for your success.

Mind the ramp: creating a meaningful 90-day plan

Many companies have an onboarding program for new executives, typically centered around the first 90 days of employment. Some are more structured and prescriptive; others are less formal. A strong executive thrives in either environment.

An incoming CISO should be prepared to present an initial diagnosis, security strategy, and roadmap within their first 90 days. But there’s a catch: the information security function operates with less complete information and a more rapidly evolving landscape than nearly any other field. Couple that with the tendency of security leaders to over-focus on technical details and prescriptive solutions, and the 90-day plan presents an obstacle course requiring thoughtful navigation.

Don’t give in to the natural tendency to focus on creating a one-time deliverable. Instead, use the 90-day plan as an on-ramp for a long-term, iterative program of setting and achieving security goals. Speak to the core areas of security – people, processes, and technology – aligning them to what matters most to the organization you and your team serve. Some key considerations follow.

People

  • What’s the right organizational structure for your team to start with, and how might it evolve over time?
  • What are the security organization’s existing strengths and opportunities – in terms of people leadership, as well as security domain skills?
  • What’s the appropriate mix of security FTEs (full-time employees), contractors, and service providers?

Processes

  • Are the organization’s security policies and control framework fit for purpose?
  • Can the organization articulate its risk tolerance and manage gaps?
  • Are the metrics in place effective for measuring performance and risk?

Technology

  • What are the key technical controls? Are they operating effectively?
  • Are there any immediate control gaps that need to be addressed?
  • Are there immediate opportunities to optimize or consolidate tools / vendors?

If funds are available, many CISOs begin their role by bringing in a reputable third party to perform a security maturity assessment. Such assessments are typically aligned with an industry-standard framework, such as the NIST Cybersecurity Framework, and rated on a common process maturity scale, like the Capability Maturity Model. Showing the C-suite and board members the current state of your company’s security capabilities according to the NIST Five Functions along a 0 – 5 scale is an accessible way to jumpstart strategic conversations.

Conducting the assessment and presenting the results as essentially an outsider (remember – you just joined) requires tact and empathy. It’s a great test of that all-important executive presence we noted in the previous article. Where the organization begins its journey is less important. Facilitating a conversation about where the organization wants to be, how quickly, and how to do so with financial stewardship and sensitivity to the company’s culture – these are the hallmarks of a strong CISO.

Listening is one of the most essential executive skills, and key to the success of your 90-day plan. Validate your assumptions with your peers and other stakeholders as you craft your plan. Vet your strategy and planned initiatives, modifying them according to their feedback. In this way, your presentations to the C-suite and board will have the buy-in of your more tenured colleagues, increasing your credibility and helping you to anticipate any questions or concerns. Your approach to security must bring along everyone in the company.

People power

CISOs are professionals who have evolved through the ranks of a mostly technical field. As such, we typically have experience with the basics of leadership – goal setting, performance ratings, motivating our team members and holding them accountable. But to be a great CISO, and a great executive in general, you must become passionate about all things human resources.

Culture must become the first word in your vocabulary. Your company has a culture, and you and your team must fit into it seamlessly. Does it emphasize individual accomplishment or collaboration? Being right or getting along? Moving fast or careful consideration? Read the culture continually, become your team’s beacon of the company culture, and guide your team members thoughtfully to align with it.

As a senior leader, you’ll also set a culture for your team. Most fundamentally, people come to work to earn money, but that’s a brittle transaction. In my experience, beyond fair compensation, the best people seek two things from their work: a sense of purpose and pride, and opportunities to grow their skills. Work within the scope and resources available to you to cultivate and reinforce a culture oriented on learning, growth, and celebrating excellence.


Building a great team is another situation where success invites a new challenge – retaining them. Start thinking about how you’ll create opportunities for those employees who rise to the challenge. The best managers who don’t have enough opportunity for all of their rising stars focus on trying to keep them within the company more broadly, but will also help to place them externally if that’s the right move. Rockstar employees should be viewed in terms of career-long relationships.

Getting down to the science of your new organization, talent management is the other most important topic. Your first 90 days must include an inventory of your organizational structure and leadership team, and ideally a 9-box assessment of every team member’s performance and future potential. Once you know who your current stars, rising stars, solid performers, and marginal performers are, map them to their seniority and compensation level. Look for situations where job levels and pay do not correlate positively with work contribution. Prioritize your insights based on retaining key talent. In every people leadership role I’ve held, I’ve observed that managing underperforming or disengaged team members is as important as promoting and recognizing high performers.

A CISO has never had more options for covering the many functions of their role. Every security leader should be mindful of the timeless trope of security asking for ever-increasing headcount. Your peers leading the business units are true P&L leaders who have the flexibility to offset increased expense with new revenue. Because you likely don’t have that option, stewardship must be your North Star. Work with your stakeholders to identify the risks that matter most to them. Measure and communicate the effectiveness of your current program and controls to manage those risks. Then, suggest options to close gaps of concern, making thoughtful use of not just FTEs, but contractors, consultants, offshoring, and managed services. Keep in mind that elegant solutions frequently blend headcount – permanent or temporary – with increased automation or improved processes.

When things don’t go as planned

Few roles are as dynamic and challenging as the CISO. Plans change quickly, driven by business developments such as M&A activity, competitors, regulations, cyber incidents, and other factors. Even if you don’t walk into a pre-existing cyber incident or have one spring up early in your tenure, you will likely discover significant differences from the situation you had initially expected. Be adaptable and collaborative.

A steady personality is essential for the CISO role. There will be enough panic to go around when the company is tested with a cyber incident or data breach. The CISO must remain calm and focused – attributes that are best cultivated through practice and experience.

Relationships are also key. A good CISO has an established network of other trusted CISO confidants, as well as warm relationships with law enforcement and key service providers. Do not wait for a major cyber incident to establish these relationships.

And although no CISO would ever want their company to experience an incident or breach, if one occurs, the best CISOs see opportunity in the chaos. Incidents that occur earlier in a new CISO’s tenure offer opportunities to accelerate the onboarding process. An observant security leader will quickly learn the company’s culture and values, including how it makes decisions and handles stress.

Other opportunities in an early incident include assessing talent and building community. Look for people who “run to the fire”; they are action-oriented and focused on finding solutions rather than simply pointing out shortcomings. These people are your treasured assets as you move past the incident and into greater security maturity. Likewise, the CISO can leverage the opportunity to build a sense of shared fate across the company and earn early credibility through collaboration and solid execution.

Final thoughts

The long journey to security maturity is about the quality of the battles you fight. No matter where you start, you must hone a culture that attracts talented people and engages their passion and natural curiosity. Focus on leveling up the relationship and quality of conversations with your senior executives and board. And most importantly, understand the risk landscape that faces your company, then build consensus for the initiatives that will counter those risks.

Security is a game of “we,” not “I.”

The Heller Report