A CISO's guide: Maximizing your first 30 days


It can be a challenging proposition to navigate your first 30 days as CISO. You have the responsibility of securing an entire company on your shoulders, and you know that without robust security infrastructure and processes, the organization is exposed to external threats, service restrictions and degradation, and insider risk.

To effectively guide your organization’s security posture, tackle your first 30 days with a strategic mindset and focus on the following three key priorities: taking in information, identifying quick wins, and implementing robust processes.

Take in information

Take the time to immerse yourself in the organizational landscape, gather insights into standard practices within the enterprise, look at how tasks are accomplished, and get a feel for decision-making dynamics. Try to build an understanding of what practices work effectively and identify areas that require improvement. 

It's important to understand what’s happening at your organization before trying to make any significant changes. Begin by finding out where the asset inventory is kept -- or by conducting one of your own -- so you can identify existing resources and form a general assessment of your organization’s current cybersecurity posture. (Note: for assets running in the cloud, you can build the inventory logically, from the provider's own records. For OT or on-premises assets, you’ll need to do it manually.)

Ask new colleagues and peers about current plans and compliance reports. Every industry is regulated, so no matter what industry you’re in, as CISO you’ll be overseeing regulatory compliance. Find the policies your organization follows as early as possible -- and keep in mind that "We have a policy for that" is often quite different from what the organization is doing in practice.

Ask about root credentials, superadmin access, encryption practices, employee permissions, and exfiltration visibility. Addressing these basic, high-stakes issues early and comprehensively is a good first triage against both the likelihood and the severity of the company’s next bad day.

Identify quick wins

Once you’ve asked your questions, it’s time to focus on some quick wins. Begin by identifying who and what lives in your network, and what the business is doing around access management, including third-party apps.

Access: Streamlining access and setting up single sign-on wherever possible facilitates employee use of necessary apps and tools.

Vendor review: This is just as important as an asset inventory. When going through the review, establish where your enterprise is currently spending, what you get out of these expenses, and when important contracts are up for renewal. It may sound obvious, but these questions could expose serious issues within your organization’s spending and help save budget, which has the added bonus of building a relationship with your CFO and COO. (Also, any vendor that has access to your real data and systems, but you aren’t operationalizing a benefit from it, is a security risk in itself.)

Incident response: What are the current runbooks and playbooks? This is a muscle group that gets better over time but it requires practice. As one colleague stated, “There are two ways to learn incident response, and one will be chosen for you -- in a real incident.” You don’t want to learn on an actual bad day, you want to grow those capabilities through exercise.

Code security: Code security is obviously an important element of your security processes; its aim is to identify security issues before they deploy. It also accelerates the prioritization and resolution of issues, wherever they sit in the application lifecycle. Take a critical eye to the company’s current code security work -- what’s in place today? What’s working?

Tooling can help with this. Some of the manual code review elements are now more streamlined, including software composition analysis, which helps you produce a software bill of materials, and static application security testing, which examines raw source code. Stronger code security capabilities can empower your internal teams to innovate and grow their scope faster -- and if you’re looking for a quick win, a robust code security analysis tool and process may help get you ahead with better data, better outcomes, and better data about your outcomes.

Build relationships: As CISO, one of your most important jobs is to build and maintain strong relationships across the business. This requires empathy. At its core, building valuable relationships -- especially with more tenured employees -- will not only emphasize your commitment to prioritizing business risk assessments, but can also help build a culture that champions security and aligns security strategies with the broader business goals.

As cloud reinforces the ability and responsibility to build security into all dev cycles, we see DevSecOps appearing in more and more IT and cloud budgets. Find ways that you can align your security spend with other business centers within the company. If the CTO and CIO see accelerated development cycles because of the security guardrails and paved roads you’ve been able to put in place via infrastructure as code and templatization (and the code security reviews you can embed), you’ll have more political capital to spend when you need to slow something down because the release doesn’t have a high enough level of security.

Implement robust processes

Create scalable processes -- it’s essential for growth, but also for consistency and effectiveness.

For example -- get your trouble ticketing system in order so you have a process with authentication and traceability. This of course allows you to track time to respond and time to resolve -- but more importantly, as a repeated and documented process, it lets you see which issues pop up consistently, so you can start building bots to automatically resolve "known requests" and lay the foundation for scaling by automating away more and more resolutions. Assign the person or team responsible for deciding which issues need automation and who writes the corresponding code. Minimize the gray area and reserve human decision-making for truly novel or high-stakes situations.
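The ticket-metrics step above is easy to make concrete. The following is an added example, not code from the article or from the author's organization: it takes a handful of constructed ticket records (the timestamps and category names are invented), computes time to respond and time to resolve per category, and flags categories that recur often and resolve quickly as automation candidates, leaving rare or slow-to-resolve tickets for human handling. The thresholds (three occurrences, a one-hour median resolution) are assumptions for the example, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample tickets (not real data). Each record carries the time the
# ticket was opened, the first human response and the resolution, plus a
# request category as a ticketing system would normally record it.
SAMPLE_TICKETS = [
    {"id": "T-1", "category": "password-reset", "opened": "2024-03-01T09:00:00",
     "first_response": "2024-03-01T09:20:00", "resolved": "2024-03-01T09:45:00"},
    {"id": "T-2", "category": "password-reset", "opened": "2024-03-01T10:00:00",
     "first_response": "2024-03-01T10:05:00", "resolved": "2024-03-01T10:30:00"},
    {"id": "T-3", "category": "password-reset", "opened": "2024-03-02T11:00:00",
     "first_response": "2024-03-02T11:15:00", "resolved": "2024-03-02T11:40:00"},
    {"id": "T-4", "category": "password-reset", "opened": "2024-03-03T08:00:00",
     "first_response": "2024-03-03T08:10:00", "resolved": "2024-03-03T08:50:00"},
    {"id": "T-5", "category": "vpn-access", "opened": "2024-03-01T13:00:00",
     "first_response": "2024-03-01T13:30:00", "resolved": "2024-03-01T14:00:00"},
    {"id": "T-6", "category": "vpn-access", "opened": "2024-03-02T13:00:00",
     "first_response": "2024-03-02T13:10:00", "resolved": "2024-03-02T13:30:00"},
    {"id": "T-7", "category": "vpn-access", "opened": "2024-03-04T09:00:00",
     "first_response": "2024-03-04T09:05:00", "resolved": "2024-03-04T09:25:00"},
    # A one-off investigation that took more than a day: novel and high-stakes,
    # so it should stay with a human even though it was responded to quickly.
    {"id": "T-8", "category": "unknown-process-on-host", "opened": "2024-03-02T15:00:00",
     "first_response": "2024-03-02T15:05:00", "resolved": "2024-03-03T17:00:00"},
    {"id": "T-9", "category": "mfa-enrollment", "opened": "2024-03-03T10:00:00",
     "first_response": "2024-03-03T10:30:00", "resolved": "2024-03-03T11:00:00"},
    {"id": "T-10", "category": "mfa-enrollment", "opened": "2024-03-04T10:00:00",
     "first_response": "2024-03-04T10:10:00", "resolved": "2024-03-04T10:20:00"},
]


def ticket_durations(ticket):
    """Return (time_to_respond, time_to_resolve) in minutes for one ticket."""
    opened = datetime.fromisoformat(ticket["opened"])
    responded = datetime.fromisoformat(ticket["first_response"])
    resolved = datetime.fromisoformat(ticket["resolved"])
    ttr = (responded - opened).total_seconds() / 60
    ttres = (resolved - opened).total_seconds() / 60
    return ttr, ttres


def metrics_by_category(tickets):
    """Count tickets per category and compute median response/resolution times."""
    buckets = defaultdict(lambda: {"ttr": [], "ttres": []})
    for ticket in tickets:
        ttr, ttres = ticket_durations(ticket)
        buckets[ticket["category"]]["ttr"].append(ttr)
        buckets[ticket["category"]]["ttres"].append(ttres)
    return {
        category: {
            "count": len(b["ttr"]),
            "median_ttr_min": median(b["ttr"]),
            "median_ttres_min": median(b["ttres"]),
        }
        for category, b in buckets.items()
    }


def automation_candidates(tickets, min_count=3, max_median_ttres_min=60):
    """Categories that recur often and resolve quickly: the 'known requests'
    worth handing to a bot. Thresholds are assumptions for this example."""
    stats = metrics_by_category(tickets)
    candidates = [
        category
        for category, s in stats.items()
        if s["count"] >= min_count and s["median_ttres_min"] <= max_median_ttres_min
    ]
    # Most frequent first, so the biggest time saver is automated first.
    return sorted(candidates, key=lambda c: -stats[c]["count"])


if __name__ == "__main__":
    for category, s in metrics_by_category(SAMPLE_TICKETS).items():
        print(f"{category:26} n={s['count']:2} "
              f"median TTR={s['median_ttr_min']:6.1f} min "
              f"median TTRes={s['median_ttres_min']:7.1f} min")
    print("automation candidates:", automation_candidates(SAMPLE_TICKETS))
```

In this sample the password-reset and VPN-access requests qualify, MFA enrollment does not yet recur often enough, and the unknown-process investigation is excluded on both count and duration, which is exactly the split the paragraph argues for: automate the repeatable, keep humans on the novel.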

There are many similar areas where you can have an early impact as a CISO and enact robust processes. How do we know we're focused on the right priorities as a security team? Do we do forced blameless escalations (every 15 minutes is a common standard) when we detect an anomaly? How do we clean up noncompliant configurations? How do we incorporate CVE research and threat landscape information into decisions around risk tolerance and proactive security? Establish some processes early and refine them over time as a virtuous flywheel.

When it comes to security, good intentions are not enough. Even the most mature security shops work at this, but it’s critical to build a mechanistic approach. Here I’ve tried to boil down some key initial steps that allow you to integrate effective processes and ways of working for your team, setting high standards for security resilience.


Merritt Baer is Field CISO, Lacework.
