
Merritt Baer at Lacework offers some advice for CISOs who are just starting out
Navigating your first 30 days as CISO can be daunting. You’re taking on the security posture of an entire company, and you know that without sound security approaches to infrastructure, a company is open to external threats, service limits and degradation, and insider risk.
To effectively steer your organisation’s security, approach your first 30 days with a strategic mindset and focus on these three things: information intake, quick wins and creating processes.
Take the time to immerse yourself in the organisational landscape, gather insights into standard practices within the enterprise, look at how tasks are accomplished, and get a feel for decision-making dynamics. Try to build an understanding of what practices work effectively and identify areas that require improvement.
It’s important to understand what’s happening at your organisation before trying to make any significant changes. Begin by conducting a thorough asset inventory to identify existing resources, and a general assessment of your organisation’s current cybersecurity posture, providing a basis for potential reviews and adjustments.
Ask new colleagues and peers about current plans and compliance reports. A central tenet of being CISO is overseeing regulatory compliance responses, so you need to know what policies your organisation follows as early as possible. (And “we have a policy for that” is often quite different from what the organisation is doing in practice.)
Also ask about root credentials, superadmin access, encryption practices, employee permissions, and exfiltration visibility. Addressing these matters early and comprehensively is crucial for immediate security enhancement and the prevention of potential breaches or data loss.
Once you’ve asked your questions, it’s time to focus on some quick wins. Begin by identifying who and what lives in your network, and what the business is doing around access management, including third-party apps.
Access: Streamlining access and setting up single sign-on wherever possible facilitates employee use of necessary apps and tools.
Vendor review: This is just as important as an asset inventory. When going through the review, establish where your enterprise is currently spending, what you get out of these expenses, and when important contracts are up for renewal. It may sound obvious, but these questions could expose serious issues within your organisation’s spending and help save budget, which has the added bonus of building a relationship with your CFO and COO.
Incident response: Ensure that there is an incident response mechanism in place – after all, you never know what could be lurking in your network, so being prepared for any hypothetical event is key.
Code security: Examining your company’s code security capabilities can serve as a preventive measure by identifying security issues before they are deployed. It also accelerates prioritisation and resolution of issues, regardless of their location in the application lifecycle.
As an added bonus, your cloud security vendor should be able to help with this. Recently, leading CNAPPs are tying code security functions like Software Composition Analysis (SCA) and Static Application Security Testing (SAST) into the same platform that handles CSPM and Identity Management. Stronger code security capabilities can empower your internal teams to innovate and grow their scope on a faster scale, and if you’re looking for a quick win, a robust code security analysis tool and process may be exactly what you need.
Build relationships: As CISO, one of your most important jobs is to build and maintain strong relationships across the business. This requires buy-in from stakeholders across the company. At its core, building valuable relationships, especially with more tenured employees, will not only emphasise your commitment to prioritising business risk assessments, but can also help build a culture that champions security and aligns security strategies with the broader business goals.
As cloud reinforces the ability and responsibility to build security into all dev cycles, we see DevSecOps appearing in more and more IT and cloud budgets. Find ways that you can align your security spend with other business centres within the company.
Creating scalable processes as CISO is essential for establishing consistency and effectiveness.
For example, get your ticketing system in order so you have a process for authentication and traceability. This of course allows you to track the time to respond and time to resolve, but more importantly, as a repeated and documented process, it lets you see which issues pop up consistently, start building bots to automatically resolve “known requests”, and build the foundation for scaling.
Assign the person or team responsible for deciding which issues need automation and who writes the corresponding code. Minimise the grey area of human decision-making for ticketing and automate where possible.
There are many similar areas where you can have an early impact as a CISO and enact robust processes. How do we know we’re focused on the right priorities as a security team? Do we do forced blameless escalations when we’re experiencing an incident? How do we clean up noncompliant configurations? Are we, as a team, up to date on the most recent CVE research? Establish these processes early and set your team up for success.
CISOs are invariably trying to do the right thing, but in such a high-risk environment, good intentions are not enough. By taking some of these key steps in your first 30 days in the role, you can embed processes and ways of working that enable the business to move forward and grow.
Merritt Baer is Field CISO at Lacework