Getting started at a new organization

A chief information security officer (CISO) has a lot on their shoulders to ensure an organization is secure. And for someone new to the role, the challenge is even more significant.

The CISO function has developed dramatically in recent years as a result of increased industry threats. The role is as a company leader who aids in the development of confidence in people, technology, and process. And at many companies, CISOs are being given a seat on the board. 

In this article, we'll examine how a new CISO can build and establish a security-focused ecosystem in an organization.

5 steps for CISOs getting started in a new organization

1. Understand your business

The first step is to gain a thorough understanding of your company and its industry. It includes understanding the future of your company and its future development plans. With that knowledge, you'll be able to see how security can be implemented to the level of a business enabler.

The second step is getting to know the teams and individuals within your company. It includes getting to know what they do, how they work, and what projects they're currently focused on. By getting to know your teams, and the high-performing individuals within the groups, you'll be able to remove future security hurdles.

2. Develop trust with leadership

It's vital that a CISO develops a relationship with the board to stay aware of what's going on within the organization. If a CISO has recently joined an organization, it will need to understand and align with the current strategies to make any changes. A CISO will not be successful if they operate in isolation, so they must identify with the organization and grasp the board's goals. When the board of directors trusts you, you can accomplish incredible things within a business.

To build trust with a board, a good start is simple for a CISO to follow through on what they've promised to the board. This is why it's important to understand the business's goals, as well-aligned projects are more likely to succeed. Delivering as promised will help build credibility, and with that buy-in, the board will be more inclined to listen to you and encourage your ideas.

3. Recognize an organization's culture

A CISO needs to understand a company's culture to have deeper insights around the people, the business, and the different departments. Being fully aligned with culture helps a CISO better understand their role, see how they fit in, and ensure that they're doing what's needed for the business.

For security practices to be adopted, they need to fit culturally. Depending on the industry, CISOs will inherit security challenges. For example, if development and security are traditionally siloed, the CISO needs to help shift the existing culture towards openness and collaboration. To do so, it will be critical to conduct a gap analysis and determine the three dimensions of technology, process, and organizational type so that the shift isn't overly disruptive

4. Make security a team sport

Security isn't just technology and procedures, and it's also teams and people. For certain practices to be successfully implemented throughout an organization, it needs to be treated as a team sport. This means that every person in every team understands their role in security and how to work with other teams to stay secure. Whether it's someone in marketing knowing to report a phishing attempt to InfoSec, or a developer knowing how to use a static application security testing (SAST) tool that security provided, everyone has a role to play.

As a CISO, if there's a problem, you need to grasp it, respond swiftly, and make sure the teams understand the need to collaborate quickly and respond to the incident. This can happen by ensuring that everyone in the firm receives rigorous security training regardless of their function.

5. Think and act strategically

A CISO must think strategically in terms of broad goals and more narrowly in specific teams. It's vital to recognize where holes exist in procedures (and how to fix those gaps) and develop "risk maturity" so that everyone understands the company's risk appetite and tolerances. Security needs to be viewed as a benefit to the bottom line, not an operating expense. It's the CISO's responsibility to advocate for that perspective and gain Support from the top down.

From the top-down, this can mean addressing the board to acquire financing for new ideas, projects, or anything else required to create a secure ecosystem within an organization. From the bottom up, it's essential that every employee understands their role in security and sees themselves as a valuable contributor. CISOs need to be able to communicate clearly with any employee, regardless of level or position.

Up next: Which roles should report to the CISO?

CISOs play an essential role in any company. Security is a broad-reaching responsibility, and they need to be mindful of it all. It can mean making sure Support doesn't share PII in a ticket, that passwords always follow specific rules, and that office workers know not to scan in non-employees during the lunch rush accidentally. It may seem like a lot, but understanding your company and its goals, teams, and employees is the first step towards making security a cultural value.

In our next article, we'll tackle the topic of determining which roles should report up to the CISO. Stay tuned!