The First 100 Days of the New CISO: How to avoid the “Curse of Firefighting”?
Constant firefighting downgrades the role and the CISO must fight to avoid its gravitational pull
Compared with many other C-level roles, the Chief Information Security Officer (CISO) position is a fairly recent creation in many organisations. Although it started to emerge over 15 years ago, it has been spurred further recently by growing concerns over cybersecurity and highly publicised data breaches. Figuring out its right place within organisations is still a hot debate between management and security experts.
How an incoming executive needs to approach such a complex role is also a hot debate. Many experts – including us – have written about this and have framed the topic using the “first 100 days” journalistic cliché. In our own series, we took issue with the fact that most consultants’ analysis and suggestions fail to consider the incoming CISO within the broader context and organisational complexity of the firm.
In large organisations, no function exists in a vacuum, and getting anything done requires aligning your strategy with other stakeholders’ priorities, business cycles, and budget cycles. It will always take time, as well as political and managerial acumen, but in our opinion there is nothing here that could not be set in motion, at least to an extent, within the first 6 months in office.
In practice, the real challenge always lies in balancing strategic, longer-term views with the tactical, day-to-day aspects of the function: it is unavoidable that some of the CISO’s time during their first months in the job will be spent on tactical firefighting, and that this will impact their ability to rise to the level required to start weighing in on key strategic issues.
As one of our contributors pointed out – a CISO at a large services organisation – “the 100 days often end around day 3”.
There is no way around this: If you want to stay in place in this kind of role for more than 100 days, you must deal with the day-to-day emergencies; you must meet expectations before you can transcend them.
This is especially true when the CISO reports directly to the CIO – which often results in concentrating the role on its most technical dimensions and is accentuated further by the short-termist culture of many IT executives.
In such a context it is easy for the CISO to be tempted to give up and assume that tactical issues will always win, preventing the role from ever rising beyond mere firefighting. Even worse for organisations, this situation is often self-perpetuating: a tactical mindset breeds tactical attitudes, and short-termism is hard to escape once you start indulging in it.
Taking this somewhat fatalistic view to its logical conclusion, the positioning of the CISO within the organisation is bound to evolve and move under a CSO-type position, whose responsibility would be to elevate the transversal topic of cybersecurity and address the increasingly pressing questions from the board and senior stakeholders on these matters.
This would leave the CISO with the downscaled but unambiguous task of dealing with the day-to-day firefighting aspects of the function, while it becomes the role of the CSO to push strategic cybersecurity initiatives throughout the organisation.
In our opinion, the emergence of CSO roles is unavoidable in many large organisations, due to the increasing pressure on boards around cybersecurity matters and the emergence of broader transversal topics such as resilience or privacy. Even so, it is achievable for the CISO to elevate their position to a highly strategic and respected level, but it will require strong managerial acumen and personal gravitas to deal with the tactical while aiming for strategic goals. It comes down to the personal profile of the individual involved and their experience: this is certainly not a junior role anymore in any way.
It will be a bumpy ride, especially at first, as day-to-day issues will inevitably arise. They will distract and could “nudge you off course”, as another of our contributors – a CISO in a large airline organisation – put it, but the challenge is to get back on course and carry on.
Meaningful change will happen over time, through hard work, full commitment to a transformative agenda and perhaps bottom-up approaches, while always looking for top-down drivers and leveraging them when they appear. Once achieved, the long-term rewards – both tangible and reputational – of the transformation delivered will be for the CISO to grab.