Your First 100 Days as a New Chief Information Security Officer
A successful chief information security officer (CISO) is primarily a leader, a manager and a communicator, not a technologist.
Most CISOs who fail do so because they don’t understand or meet business requirements and expectations, or they don’t effectively communicate how they’ve met the expectations.
Those who approach the role with a strong plan for the first 100 days are likely to enjoy success.
Your first 100 days as a CISO constitute a “honeymoon” period. You must formulate a course of action, make connections, and establish and communicate a personal management style.
Tom Scholtz, vice president and Gartner Fellow, believes that those who approach the role with a strong plan for the first 100 days are likely to enjoy success. This will depend on:
- Establishing a foundational personal brand of credibility and leadership
- Laying the foundation for a sound security program
“It’s within this critical period that you establish yourself and create the basic perceptions that others will, for better or worse, associate with your subsequent plans and actions,” said Mr. Scholtz.
Gartner breaks down the CISO’s objectives into a 100-day roadmap. Each phase includes critical target outcomes, actions and resources, as well as some optional ideas to consider as time and resources allow.
Don’t wait until your first day on the job to prepare. Take some key actions before you start to inform yourself, learn about colleagues and staff, draft communications to make a great impression on day 1 and set up meetings with your team and key business and IT leaders. Don’t make the mistake of approaching your new role with ad hoc communications and plans. A few hours of investment in planning before you start will ensure critical preparations are completed. Demonstrating that you understand “how things work around here” is crucial.
Gain a comprehensive insight into the current state of the organization’s security program: what’s working and what isn’t, and the top five challenges that you’ll prioritize for the first three to six months. During your first week, try to spend most of your time creating an inventory of the resources needed to manage the security organization: people, reports, available metrics and financial parameters. Use face-to-face meetings to build a strong understanding of the business and rapport with key stakeholders.
Turn what you’ve learned into a blueprint for action. Share your security program vision with your team, line managers and business stakeholders. This is your chance to design and refine your new security organization. By now you should have a reasonably accurate picture of your monthly security operations budget, so plan your budget for the next two to three months.
This is your opportunity to deliver visible results. Redefine your team; get involved in existing projects; set budgets; establish (or re-establish) the security governance processes and forums; and ensure senior management commitment for the security charter you developed.
Start providing evidence of your impact. Develop an executive reporting framework and process; monitor program and project progress; and highlight early wins, successes and challenges. Schedule meetings with your line manager, team leaders and key stakeholders to gather their thoughts on the progress made and challenges encountered during the first 100 days of your tenure.
Gartner clients can read more in the report The Chief Information Security Officer’s First 100 Days.
Gartner analysts will provide additional analysis for information security executives at the Gartner Security & Risk Management Summits 2016 taking place in Mumbai and London. Follow news and updates from the events on Twitter at #GartnerSEC.