When a new CISO arrives in an organization, they will often walk in expecting to review, assess, build upon, and sometimes undo the work of their predecessor. Obviously, this can be a daunting and unique challenge. Sometimes they may find that there is nothing but a green field in front of them. That can be even more terrifying and thrilling. On the one hand, you have an opportunity to build the program you have always dreamed of. On the other, you have to build the whole damned thing.
Regardless of the maturity level of the program, you are walking into, there are many things that every CISO must remember when starting a new position:
- Understand the Business
- Establish a Baseline
In this series, we will cover critical lessons that new CISOs must learn when taking on the monumental responsibility of building from scratch.
Establish a Baseline
Once you understand the business, it will give you the opportunity to thoughtfully approach your plan.
Now that you have a good understanding of the business, you will need to begin the hard work of securely supporting it. To accomplish this, I recommend that you assess based on a common framework so you can track progress quarter over quarter, year over year. For a framework such as this to be successful it needs to have a few keys components:
- Describe your current state – Where are we at?
- Describe your desired state – Where do you want to get to?
- Prioritize remediation – You need to identify which actions will have the greatest impact within your framework and will achieve the greatest reduction of risk.
- Measure progress – You need to track the impact of your efforts and measure how close you are to achieving your desired state.
- Communicate easily to stakeholders – You need a tool to show management how you’ve made things better (and you probably have to do it on a single PowerPoint slide).
My personal favorite method of modeling a current snapshot is the NIST CSF or Cybersecurity Framework. With the CSF, you rank your organization in 5 key areas of cybersecurity:
- Identify – Do you understand your own assets and capabilities?
- Protect – What safeguards do you have in place?
- Detect – If something bad happens, will you know if something bad happens?
- Respond – If something bad happens, will you know how to respond?
- Recover – After you respond, can you recover appropriately?
Each category is ranked from 0 (None) to 4 (Adaptive).
Part of the reason I love this system is that it allows the organization to determine to what level they desire to raise their organizational posture to meet their needs. This differs from other systems where it is implied that you *must* get to the unachievable upper end, the NIST CSF specifically states that while Tier 1 (Partial) organizations are encouraged to move to Tier 2 (Risk Informed), higher scores should be weighed on a cost-benefit analysis.
Hmm… Cost-benefit analysis? Sounds like you might have to Understand the Business.
Perhaps more importantly, it gives you a common language to explain the impact on management. As an example, when advocating for a centralized Incident Response tabletop with executive involvement, it helps when I can tell the leadership that by approving policies and participating in this 2-hour exercise, we will raise our NIST CSF Respond score from 1.3 to 2.3 instantly.
For more information on the NIST CSF, visit here.