
The First 30 Days

You've landed in a top cyber security role, CISO or otherwise titled: the cyber-buck stops at your desk. Congratulations! What are your priorities? Hopefully you have more than 30 days to get your feet under you, but if things are a bit hot, here is a condensed 30-day outline. (If you were promoted from within, you have a huge advantage and may be able to shortcut the first couple of steps, but don't assume. You might not have been told everything.)

  1. Take a lesson from Sun Tzu and get the lay of the land before you engage. Learn everything you can prior to your start date, or if you were thrown in by surprise, absorb as much as you can as quickly as you can from the company website, LinkedIn, Glassdoor, and news sources (especially financial ones such as the WSJ). Hopefully you don't find anything surprising. Know the business so you know how to interface with it. Learn the names of the leaders. Use a web search to find an org chart, or just ask for one. If there was a breach, don't sweat it. You're going to fix that, but you might need to handle some PR duties, so put the Communications/Marketing/Public Affairs leader and Legal on your short list. Understand completely what you are legally responsible for, especially if this is your first regulated vertical; that may affect your prioritization. If you aren't 100% certain what the business drivers are, make identifying them part of your initial foray, and look for more than just KPIs.

  2. Do your company intro, get your accounts set up, and start organizing. Meet with your second layer of management and discuss any fires and the current roadmap. Evaluate your team and get their input. Let them know how you plan to manage and what your expectations are.

  3. Digest the latest audit and security review reports. Ask for the current list of open issues, open projects, the budget, and any remediation plans, if available. Absorb it all for discussion.

  4. Schedule a set of meetings with the leadership and key company producers you haven't yet talked with extensively, and solicit input as you get to know one another. Find out what the pain points are in the org with security and other topics. This is the most important step in your transition. Mistakes in integrating with the existing business structure will haunt you until addressed. Do a good job now and it pays dividends.

  5. Quickly assemble a draft list of what the situation and priorities appear to be, then meet with the CEO (or your leadership) and see if you are aligned on what is needed. If you weren't able to assemble a rational plan because the data isn't available, work with what you have; improving the plan then becomes one of your top priorities.

  6. Meet with any problem vendors that surfaced during your analysis and finalize your plan of attack.

Day 31: time to be about it. Don't forget to collect your metrics so you can report on the improvements your team is making!

The biggest stumbling blocks to a smooth transition are a security program that isn't operating effectively, and a lack of data. If there are readily apparent problems or if there isn't a current (quality) security assessment, you're going to need to tackle those first, along with any fires.

If this is your first role, do not dictate; facilitate. Your job is to enable the business to do business better and more safely, but if you interfere with any of the production aspects, you're going to be in hot water. Be non-disruptive. Be smooth. Be decisive, but not abrasive. Move too fast and you create new problems, but moving too slowly may let your existing problems grow.

Good luck!
