Becoming a new chief information security officer today: The steps for success

It's no easy ride -- but here are some tips from an experienced CISO.
Written by Charlie Osborne, Contributing Writer

Becoming a Chief information security officer (CISO) is no easy task, especially with the threat of evolving and disruptive cyberattacks a constant threat. 

A CISO is expected to take on the leadership of a team responsible for managing cybersecurity concerns in an organization, and the role requires the creation and implementation of strategies to deal with compliance, regulatory and legal considerations, process and patch management, and more. 

The CISO of an enterprise firm is also expected to have a thorough knowledge of the evolving threat landscape, and as such, may be expected to play a key role in incident response. They may also work with a Chief Information Officer (CIO) to manage data compliance. 

However, according to Steve Cobb, CISO of One Source Communications, a modern CISO needs to also have a head for numbers, too -- with budgets becoming a key consideration. 

See also: What is a CISO? Everything you need to know about the Chief Information Security Officer role

Speaking to attendees of Mandiant's Cyber Defense Summit 2021, Cobb said that in order to be successful, there are a number of topics these leaders need to consider and approach -- whether or not they have been brought in externally or have organically grown into the role.  

According to the One Source Communications CISO, these are some of the steps someone stepping into the role of a CISO or security officer should take.

-Review all existing policies: Cobb says the first step a new security officer should take is to review existing IT and security policies. Special attention should be paid to the company's Incident Response Plan -- if it exists -- as well as business continuity and recovery plans. 

If they don't exist, the CISO says that this could mean those new to the role have "an opportunity to have a significant impact on the organization."

-Review the last three security assessments: These should include any records of penetration tests, red team engagements, and vulnerability scans. 

Cobb also recommends that new security officers inquire about security awareness training, phishing simulations, and work out whether such training is actionable and valuable to staff. 

-Review cyber insurance policies: As a new CISO, you should evaluate existing policies including cyber insurance, representation from legal teams, connections with incident response (IR) -- and also who is handling the firm's PR. 

Insurance providers may list recommended or approved IR and legal responders, and so CISOs need to make sure an organization's teams are either on the permissible list, or added to them.

What is included in cyber insurance policies should also be explored. For example, does it cover ransomware infections or data theft and extortion, and if so, what is the limit of potential claims?

You should also find out if you are covered when it comes to liability should you become part of a lawsuit due to a cybersecurity incident -- and whether or not the same applies to your team.  

-Fighting for it: Questions should be asked at leadership meetings which will give new security officers a fighting chance to perform well in their roles. This includes what cybersecurity budget is available -- and this is separate or part of general IT budgets -- and has there been an increase year-over-year?

"If you are being brought in, I would argue that you should have a budget to make sure you can do what it is you're being asked to do," Cobb commented.

In addition, CISOs should find out what the most valuable corporate resources are that require protection, how long the company can cope with disruptive events, and whether or not data is being held that, if stolen, could cause "substantial reputational damage and/or significant loss of revenue," the executive says. 

-Investigate: According to Cobb, the next step is to find out what tools are in place -- what firewalls, is there any endpoint protection, is two- or multi-factor authentication in place, and is the organization protecting email flows? 

Key areas that should also be considered are whether or not anyone is monitoring out-of-hours, and whether or not the organization is able to rapidly detect basic attacks. 

Cobb also suggests asking for a new security assessment in light of your investigation. 

-Build relationships: Meet with the director or leader of IT teams and the CIO, and find out if security is a consideration (at all) -- and what protections are in place for the business. New CIOs should also find out what strategies are in place for on-premise and cloud setups. 

Cobb also suggests that today's security officers should try to be "visionary" and implement cultural change. 

"Let's start changing the culture," Cobb says. "They [changes] don't happen at the beginning of your stint as a CISO, they may happen years later. [...] That's why your strategy needs to be in place so you can be successful. Consider your limitations, but don't put the entire weight of the world for security on yourself. Put a team around you [..] and set the expectations of the business early on with your leadership."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards