The First 100 Days of the New CISO
There is a management reality beyond the "100 days" journalistic cliché: How does an incoming executive make an impact in a new role? What are the realistic timeframes to consider, and what can be expected over which horizon? Which issues should raise a red flag during the first few months in a new senior position, and which can safely be left alone for now?
Those are the themes we have been exploring on the Corix Partners blog since November 2017 around the specific role of the incoming CISO.
Of course, everyone's path to success will ultimately depend on the specific context of their arrival, from their own previous experience at this level of responsibility to the firm's security management maturity. We believe, however, that this series of articles will help most CISOs through their first steps in a new organisation and give them a useful roadmap for making an impact in their new job.
Our experience leads us to split the new CISO's roadmap into three time horizons, which can be roughly summarised as a 6-day / 6-week / 6-month paradigm. These three milestones are good opportunities for the incoming CISO to focus on what truly matters at each step, and to highlight what they should not yet be concerned about.
It is key, in our opinion, for any new CISO to hit the ground running, so your first six days should be dedicated to actively engaging with your direct management and with your staff. As much as possible, meet them face-to-face to start building a stronger personal bond. Use those first interactions to understand how reporting lines work in your new organisation (upwards, downwards and sideways across matrix models), to position the challenge ahead and to identify key pre-existing roadblocks. The only thing that should worry you at this point is being unable to schedule those key first meetings because stakeholders don't have time for you. Now is also a good time to get the finance question straight: Do you have a budget allocated, and how is it managed? Without appropriate resources, you won't be able to achieve much.
Your first six weeks should be the natural continuation of the first six days. Only by meeting as many relevant stakeholders as possible will you be able to accurately assess the situation you are inheriting as CISO. The key at this stage is to listen, listen and listen, instead of coming up with ready-made solutions or focusing only on the burning fires. Travel if you must, take time to gather your thoughts, then start drafting a strategic framework (remediation directions, timeframes and high-level costs) to address your findings, in relation to the objectives and challenges identified during your first week. Your main objective around this time should be to get your strategic framework validated by your boss, and you will be well prepared for that conversation if your plan is properly costed and rooted in tangible field observations and in the expectations of key stakeholders. A lack of engagement from your management beyond merely tactical and technical topics, and a general lack of interest from stakeholders in a truly transformative agenda, should raise red flags.
Once validated, the next step is to execute your strategic framework, starting with formally setting up an appropriate governance and operating model and getting as many senior team members and stakeholders on board as you can. You should now be getting ready to implement what is very likely to be a mid- to long-term plan, and you must resist being pushed or drawn into tactical firefighting. Focus on instilling a sense of clarity among all stakeholders, about both timing and objectives.
As it turns out, your sixth month in the job should correspond approximately to your first 100 (working) days, and it is a good time to start looking back on your journey while recognizing that you are really only getting started.
While a 100-day framework is a useful model for thinking about getting up to speed in your new role, keep in mind that any lasting change in an organisation's InfoSec practices is likely to require steady work over several years.
So while this series of articles should help you hit the ground running, always keep in mind that, if your objectives are rooted in delivering lasting change around cybersecurity, you are in for a marathon, not a sprint.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges. This article was written in collaboration with Vincent Viers.