The New First 100 Days of a CISO
Focusing ONLY on tactical firefighting is a major mistake, even in a global pandemic
By JC Gaillard
The last twelve months have changed things considerably for the CISO. Cybersecurity has been center-stage, and even more now after the SolarWinds and Colonial hacks. This could be a blessing or a curse.
The pandemic keeps evolving on a global scale, and while some countries may be reaching the end of the tunnel, others are still in the midst of the most dramatic phases.
Global business is still significantly impacted, and there is no sign of a “new normal” in sight for many industries.
Still, people are changing jobs, and CISOs in particular, as many firms wake up to the need to ramp up cybersecurity measures in the face of the accelerated digitization of their business or their large-scale move to remote working.
But, in the face of the new situation created by the pandemic, the approach I highlighted back in 2018 around the “First 100 Days of the CISO” needs adjusting.
It still makes sense for any incoming executive to approach their first period in a new job in a structured way, to meet with business stakeholders and listen to their expectations first in relation to the role, then to build a strategic framework addressing those, and then an execution framework to deliver it. But two aspects have changed fundamentally:
While stakeholders are more likely to recognize cybersecurity as an important agenda item, they are still likely to be focused on short-term objectives, either in terms of crisis response or in terms of bounce-back strategy. They may not be receptive to long-term views; as a matter of fact, they may not have any form of long-term visibility for the moment, as the global pandemic continues to unfold worldwide.
That’s the second main issue: 100 days is probably an irrelevant timeframe here, irrespective of how you frame it (back in 2018, we articulated it into 6 days, 6 weeks, and 6 months, encompassing around 100 business days). Nobody can be sure what the world will be like in 100 days, let alone in 6 months.
So how should an incoming CISO approach their new role?
Meeting with key stakeholders and team members as soon as realistically possible, and listening to their objectives, concerns, and priorities, is still key as a starting point.
Back in 2018, we strongly advocated in favor of traveling and meeting face to face – where required – to develop a stronger personal bond: This is not likely to be possible in the short term, so most of those discussions will have to take place remotely. Let’s face it: This is a problem, and the absence of direct personal interaction could distort the perception the new CISO develops of the firm and its culture – for good or for bad. The most important thing for the CISO at this stage is to remain aware of that. But establishing direct communication channels with the business – as solid as they can be at the moment – is more essential than ever.
Second, it is likely – as we have already highlighted – that a short-term agenda will emerge from those discussions. The temptation will be extremely high for the CISO to focus only on alleged low-hanging fruit and on firefighting, at least until the worst of the crisis is over. To be honest, this is the way many CISOs have traditionally approached their first 100 days anyway, so more than a “temptation”, it will be a line of least resistance – or even a well-trodden path – for some.
As a matter of fact, we highlighted back in 2018 that it was a dangerous path to follow and a “curse”, unlikely to lead to the development of truly transformational dynamics around cybersecurity: That is still the case, but, realistically, it will be a trend difficult to oppose for the new CISO.
In fact, this is the very element that makes the new first 100 days of the CISO far more complex than ever before.
It is no longer just a matter of balancing tactical and strategic objectives while validating strategy and execution frameworks; it could be about doing this in the absence of clear strategic visibility from the business, as the path out of the COVID crisis emerges, and in a context where those directions may evolve or change, depending on the turns the crisis may still take.
The new CISO must talk constantly with business stakeholders, to understand how this context is moving, and build their own cybersecurity strategic options – possibly scenario-based, and ready to be embedded into the post-crisis business strategy as it takes shape. And all this in parallel to short-term tactical work to keep the lights on.
Make no mistake: This is now becoming a matter of survival for the CISO role at any form of senior leadership level.
“Constant firefighting downgrades the role and the CISO must fight to avoid its gravitational pull” we wrote back in 2018.
Focus ONLY on low-hanging fruit and alleged quick wins, fail to leverage the opportunities presented by the pandemic to cement cybersecurity as a true dimension of business strategy, and the new CISO could find their role relegated forever to middle-management layers, alongside other technical operational matters.
JC Gaillard is the Founder and Managing Director of Corix Partners, a London-based Boutique Management Consultancy Firm focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.
He is a leading consultant, a senior executive and a global cyber security influencer with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.