So you want to be a CISO - Step #1 "Meet & Greet"

As a new CISO, transitioning into an organization can be daunting to say the least. You will be
inheriting a security program (if they have one) plus a project portfolio and budget that you
didn’t create. To get started in your new position you will first need to gather organizational
insights to better understand how your security program and team fit into your organization’s
mission. This information will be critical for the steps to follow.

Start by getting to know your team; they will be instrumental in the security program you plan to
implement, and I have learned from experience to value their input (more on that in a moment). To
begin, get a copy of your department’s “Organizational Chart.” You want to better understand where
security (you) fits in relation to the other teams and business units within your new organization
and the IT department. As you look at this chart, note what they have listed as the structure of
your team; you will want to check whether it’s accurate, and you will want to note the job
descriptions that make up your team. Now with this
information you should request a copy of the job descriptions (usually from HR or Personnel
Department) for the security positions that were annotated on the organizational chart. Read
through these job descriptions and take notes on what services and professional experience these
positions are expected to perform as well as specific competencies and certifications the security
team should have and maintain. I bring this up because I can’t count the number of times I found
security job descriptions don’t accurately reflect the work the team actually performs. Now with
these job descriptions in hand, you need to review the performance records for each of your team
members. I have found that having some background on the position first gives you a frame of
reference as you read your team’s performance evaluations. What you are looking for here is to
get a feeling for the people who will be working for you; you need to look for trends both good
and bad and keep an open mind. The big thing to remember here is these reports are subjective
because they were not written by you; they are basically a one-sided conversation that can be
useful. Don’t let this background paint the full picture of your new employees. It’s your job to
make this assessment. They are, after all, your team.

Now that you have done some homework, it’s time to meet your team. I generally bring the team
into a meeting to introduce myself and provide an overall view of what I expect from them and
our security program. I fill them in on who I am and how I have led teams in the past and then let
them go back to work, telling them I will follow up with them individually. Soon afterwards, I
will reach out to them and meet with them individually for a cup of coffee or a quick lunch.
What I am looking for when I meet with them is whether they are a fit for the team I want to
build – you will find this out as you talk with them. You will probably have your own way of doing
it; the main thing here is getting a better understanding of the people you will lead and mentor. It is
during this time that you will find that many of your new team members have organizational
information that is invaluable. I have found while working for the City of San Diego that many
of my people have worked in several departments before landing in the Department of
Information Technology. Their experiences have helped me to better understand these
departments’ business rules and how data is used to provide services to the citizens of San
Diego. Your team’s experiences will help you as you later plan projects that provide services to
multiple departments across your organization. Leverage this insight to ensure when you brief
your projects you speak to what “they need” not to what “you want”.
Now that you have met your team, it’s time for your “walk about.” It’s time to meet your
stakeholders in the other departments of your organization. These departments are your
customers, so offer to come to them; make an effort to introduce yourself and
understand how they do business. I would suggest that before you schedule these meetings, talk
with your new team and your peers within your department. You will want to not only learn
about the stakeholder who you are going to meet but also learn about the “influencers” within
that department. These influencers will be people who may not be in a formal leadership role but
are key to the organization and typically hold knowledge and experience that will help educate
you about the organization. As you meet the stakeholder, make sure you take notes on their “pain
points.” Which issues are causing them problems? I bring this up because they, like you, will
have future projects to correct or remove these problems and many of them will involve
technology. As the CISO for your organization you will see some of these future projects and
will have to provide some type of risk assessment. Another thing I would suggest you note is
what future services they plan to provide. Are these plans for future services already a project
that is maturing? What is driving this future requirement? Is it a compliance issue? Is it a
strategic decision from the executive leadership team? Again, knowing this information, and
their associated organizational dynamics, is important because you will be required to perform
some type of risk assessment and I believe as a CISO your job is to not say “No” it is to say
“Maybe” and to say that effectively you must provide viable alternatives to reduce risk to the
organization. One last point to remember when meeting with stakeholders, the relationships you
create here are critical because they are the reason your security program exists – never forget
they are your customers.

After you have finished meeting your stakeholders and developing your new peer network, it is
best to meet members of the executive leadership team. Meeting with executive leadership gives
you more of the strategic view of the organization, where they believe the organization is going,
and how you can help the organization achieve its strategic goals. It is in conversations with the
executive leadership team, that you can gauge their knowledge of cyber security. Do they believe
you are a necessary evil to meet compliance requirements or are you a business enabler? If it’s
neither and they have no idea who you are and what your function is within the organization, that
just means you’re going to be busy educating people on the value of cyber security to the
organization. Providing this education on cyber can be as basic as sharing articles and blog
postings with your boss to setting up a cyber security committee made up of members from
across the organization for information sharing and educating them on upcoming cyber projects
and changes to the security program. I believe the more visibility you have about your cyber
security program and the benefits it provides to the organization, the healthier your
organization’s cyber hygiene will be – more to follow on “Visibility” in Step 5.

So now, as we bring this step to a conclusion, it’s time to do your one-on-one with your boss; this
could be the CIO, CTO or a leader from the executive leadership team. I am sure by this stage
you will have questions for him/her about the scope of your position. As I annotate in the Mind
Map below, it is important to understand your responsibilities – what do you cover in your
position? What areas fall under the purview of you and your team? Another extremely important
question that you will also need answered is what is your authority to act? How do you liaise
with important other departments such as legal, risk management or internal audit? Do you have
authority for Cyber Security for the whole organization or are you limited to only specific
business units? Do you have authority for only basic cyber hygiene issues such as removing
permissions from a user or do you have full authority to protect the organization? Do you have
authority to act in an incident response emergency and disconnect the organization from the
Internet, or are you only allowed to make suggestions? It is critical you get answers to these
questions. One way to get these answers is to request a roles and responsibilities matrix that clearly
marks what is within the scope of your role as CISO for the organization. If at this meeting you
find there isn’t one, then this is where you take notes and create one that you and your boss can
agree to during a follow-on meeting. What I want to stress here is you want to make sure you
have something documented that states what your role is and what responsibility you have in
your position. I have found the position of CISO is a demanding one and not understanding the
scope of your position only makes it harder on yourself and your team.

As I bring this to a close, this step is not as technical as some of those to follow but it is the
foundation you will build your cyber security program upon. The network and relationships you
build here will be crucial for your team. Remember above all else that Cyber Security is a
business enabler and that your stakeholders are your customers – so take care of them, good
luck!

***All mindmaps for this article are available for download at https://app.box.com/Five-Step-CISO-Mindmaps