The Path to Ensuring Success within the first 100 days: A Guide for CISOs

According to the 2021 EY Global Information Survey (GISS), cyber expenditure of APAC companies are low at 0.05% of annual revenue, even though 73% of companies warned of an increase in disruptive attacks. Check Point Research also found that as a region, Asia experienced the most cyberattacks in the third quarter of 2022, with an average of 1,778 weekly attacks per organisation, which is an increase of 21% compared to the same period last year and above the worldwide weekly average of 1,130 attacks. Comparing the figure with other regions, the number of weekly attacks Asia succumbs to dwarf that of Europe and North America, which average 896 and 849 attacks respectively.  

With that, cybersecurity is increasing in importance for each organization. The role of a CISO has become more strategic, extending beyond compliance and technical metric monitoring to create and champion a culture of shared cyber risk ownership. So, what can an incoming CISO do in their first 100 days to create the foundation for success? 

In my intense discussions with CISOs from across APAC and Europe discussing not just their company’s cybersecurity issues and requirements, I have been privileged to receive insights on their challenges and opportunities when they first take on a new role. Together with The Cyber Leadership Institute which also provides a great framework,  I will expand to help provide new CISOs key activities that need to happen to maximise success.

Start-up: Days 0 – 15 

For a strong start, spend time with your direct report to align on key challenges and opportunities and discuss the vision for information security. Get acquainted with organisational structure and reporting lines, and build relationships, particularly within the legal, security, risk, compliance, HR, operations and governance teams.

During the first few weeks, analyse the cyber strategy to understand current maturity. This means analysing previous risk assessments, threat hunting reports, gap analysis and security roadmaps, security policies, audit reports, and risk management tools. Make time to set up meetings with key stakeholders. Lock in regular risk management meetings with appropriate stakeholders to discuss the business’ risk profile and any open or untreated risk. Identify key security vendors and establish communication. Key security vendors can assist with gap analysis and Cyber Security Risk Assessments. 

Seek and collaborate with like-minded people. Chances are someone has either already dealt with, or is currently dealing with, the challenges you are.

Understand: Days 0-45

Without a strategy, it is impossible to develop a meaningful plan of action, and ad hoc tactical point solutions will invariably inhibit overall integration. 

In the first month and a half, focus on understanding security and compliance-specific projects and initiatives. Identify which tasks need to be prioritised based on overall current state maturity, existing security program, critical control deployment and top risks. Understand your business’ incident response capability, the top 10 business-critical applications, and their respective threat models.

Understand the roles and responsibilities for your organisation’s information security governance – who are accountable, on a need-to-know, and who can you consult.

Validate that sound security practices are in place, to support strategic organisational objectives and risk management, and the enterprise is suitably geared towards preventing attacks. 

Review the company’s information security charter to understand its security vision, security mission and cyber security scope, as well as which departments must comply.

One of your key tasks must be to identify the business’ mission critical data or “crown jewels” — such as information about customers, intellectual property, product designs, and finance — and the current security controls around them. Keep a register and prioritise the non-negotiable controls to keep all critical assets secure — for example, ensuring all databases are encrypted. 

With supply chain and 3rd-party risks at the forefront of many recent breaches, understand if third parties are hosting your organisation’s critical assets, review contracts and assess if they meet their security obligations.

Find at least one internal and one external executive mentor. External mentors from different sectors can provide unbiased and innovative advice to help navigate stakeholder politics.   

One of the primary roles of a CISO is information security risk management, so understanding how risk, including taxonomy and rank, is communicated within the company should be a top priority within the first month.

Prioritise: Days 15-60

It is time to focus on prioritising activities, developing a vision to share with your manager, team and key stakeholders, and getting feedback to refine your plan. 

Start by building an Information Security Strategy that is business-aligned, risk aware and holistic, enabling you to clearly communicate the company’s information security risk profile. Consider putting together a controls framework that satisfies multiple compliance requirements by testing a single control. 

From a controls perspective, a holistic approach is better executed with a consolidated security architecture that includes the protection of cloud, network, endpoints and comprehensive user access, all empowered by a single management and security operations platform. This approach is a game-changer and addresses many of the hurdles CISOs and security teams face. 

Align with your direct report and stakeholders on at least three key issues to close out over the next two months. These will be your quick wins — projects that significantly impact the cybersecurity program with minimum effort. Quick wins will help gain credibility early on.

Another quick win is prioritising customised security awareness and training. This activity can be easily outsourced; an important first step in forging an awareness-driven culture where everyone in the company understands that cyber security is everyone’s responsibility.

To execute an information security program, you will need funding. In this phase, plan your operational security budget and headcount for the next couple of months.

Execute: Days 30-80

By now, you should be actively making progress towards quick wins – focus on the top three urgent issues, addressing them with established enterprise security architecture principles — integrated by design, rather than bolted on. 

This is the time to get a tabletop exercise executed. Ensure engagement of all key stakeholders. This is an opportunity to demonstrate and educate executives on the potential impact of a successful cyberattack. Tabletop exercises are best delivered via an experienced third-party Incident Response team with a track record of working complex APT cases.

In this phase, you should also lead security-related governance forums and cyber steering committees focused on eliminating waste, addressing critical blind spots, maximising cybersecurity investments’ value, and ensuring you deliver value quickly. The cyber steering committee should comprise of cross-functional teams with domain expertise and business stakeholders, all with clearly defined roles, responsibility and scope. 

Next, focus on executing a game plan to achieve the desired state, with controls and processes that must be prioritised to meet current and emerging risks with high likelihood and business impact. 

Results: Days 45-100

You are approaching your first 100 days. You should be delivering results and showing progress with metrics tied to business goals.

Measure progress against the top five outcomes for the 100-day plan, as this will help the business identify which tactics are and are not working, so ineffectiveness can be address quickly.

When reporting to executives and the board, highlight any project risks as part of your regular exercises because executives do not like surprises. Clearly outline risk scenarios, likelihood, impact, risk mitigation plan and potential additional costs.

By the end of your 100 days run, aim to report on the following:

•           What is our current capability maturity?

•           What is the biggest threat to the organisation?

•           What part of the security posture requires the most urgent attention?

•           What resources are required to address threats that will cause the organisation most harm?

•           How does the executive team want effectiveness of cyber investment reported?

•           What is the organisation’s risk if nothing changes?

Remember that for a CISO to succeed with tenure and positive outcomes, you must win your key stakeholders over and never underestimate the importance of forging deep and meaningful relationships with key stakeholders. 

As the CISO’s role continues to evolve with the changing digital transformation seen across businesses, the critical importance of cybersecurity will also simultaneously be accorded greater priority to ensure protection and minimal risk for the organization. With key insights on how best to ensure success for new CISOs, assurance of integrated and adequate protection can be implemented.

---