The First 90 Days of Chief Information Security Officer (CISO)
Prepared for a graduate course: Information Security for Managers

Abstract

The change in IT networks in recent years has changed the role, definition and scope of skills and responsibilities of a CISO. This paper provides an overview of the changing environment and the current state of the CISO role. It presents a plan for the first 90 days of a CISO, which is crucial in determining the success of a new CISO at the organization. The 90-day plan consists of five phases: Preparation, Assessment, Planning, Execution and Measurement. Each phase includes multiple steps and recommends a set of actions a CISO may perform. The five-phase plan is recommended as the minimum requirement to achieve success in the position of a CISO today.

Esia Yosupov, NYU Poly – School of Engineering, 2014

12/13/2014

Introduction

In today’s global economy, the goal of nearly every company is to have access to its information while ensuring Confidentiality, Integrity and Availability. While technological advancements have enabled businesses to operate faster and more efficiently, they have also added complexity to the IT network environment. As the IT network environment has become more complicated, the role of the Chief Information Security Officer (CISO) has become a daunting task that has evolved radically over the last few years.

Multiple factors have contributed to the change in the role of the CISO. The scale of change has shifted primarily because of a range of high-profile trends, as products and technologies become more consumer-based (Deign, 2014). A recent trend such as Bring Your Own Device (BYOD), although often referred to as a single model, has many interpretations; depending on the model implemented, the potential cost savings and security challenges vary greatly. Other trends include cloud computing and mobility. The increasing use of mobile devices in particular has made them a relatively easy target for cybercriminals. According to Cisco’s 2013 global mobile data forecast, there are more than 7 billion connected devices in the world. By 2018, it is predicted that there will be nearly 1.4 mobile devices per capita, translating to over 10 billion mobile-connected devices (Cisco, 2014). All of these trends have blurred the boundaries between corporate networks and the outside world, making the role of a CISO more difficult and challenging.

Another factor changing the role of the CISO, one that has increasingly caught many organizations’ attention, is the number of high-profile security breaches, such as the Target and Neiman Marcus data breaches in late 2013, which caused the theft of millions of consumers’ data and billions of dollars in losses. According to the Global State of Information Security Survey 2015 (Figure 1), the costs of incidents increased by 92% over 2013 (PwC, 2014). Hence, increasing cybersecurity threats require close attention from the top executive level, in particular from the CISO. This paper presents the first 90 days plan of a CISO in an organization. The first months are critical for his or her success or failure in the position. Successful individuals will be the ones who establish a personal brand of credibility and leadership and who lay the foundation for a security program. New CISOs who approach the role with a strong plan for the first 90 days are likely to enjoy success.

Figure 1: Incidents are more costly to large organizations. Average financial losses due to security incidents, 2013–2014

Target audience

This paper is intended for all IT professionals who are aiming to become Chief Information Security Officers or who currently hold the CISO position. It is not a technical paper and doesn’t cover technical strategies or plans. In addition, non-technical professionals from other departments are encouraged to read this paper to get an idea of the scope of the CISO role and understand its importance.

The Evolution of the CISO

Before the role of the Chief Information Security Officer (CISO) was created, most organizations relied on professionals in the IT department to cover the security of their infrastructure. It was only after the events of September 11th, 2001 and the USA PATRIOT Act of October 2001 that the federal government required a dedicated role devoted solely to the IT security of the organization, both physical and non-physical. By 2001, only 47% of companies, in both the private and government sectors, acknowledged the existence of an employee dedicated to organizational security (Cho, 2003). By 2009, the number of CISOs serving as a security executive had grown to 85% in large organizations.

Over the past years, the responsibilities and the skills needed to become a CISO have evolved dramatically: from an individual with in-depth technical skills dealing with IT security administration, to one performing high-level risk management; a talented individual who is a leader, business-oriented, with exceptional communication skills. A decade ago, the focus of the security professional in the organization was on firewalls, antivirus signatures, spyware and the detection of malicious activity on the web, on a smaller scale (Brenner, 2010). Today, the majority of the responsibilities have changed to looking at the big picture and designing a program that balances acceptable risks, as cybercrime happens on a global scale. Today, cybercriminals aim to harm systems and steal identities for monetary gain. Figure 2 shows the number of detected incidents in 2013 and 2014. There is a significant increase in detected incidents, especially in larger companies (PwC, 2014).

There are two situations in which a new CISO may be hired. The first is where a company does not have a dedicated employee to manage the security of its IT networks; in other words, the CISO position was never created. Because of the recent security breaches making headlines, such companies are concerned and have realized the importance of the role, and they seek to mitigate the risk of being the next target of cybercriminals. The second situation is where a company, whether it has no CISO or is replacing one, seeks to recover from a data breach. In either situation, a new CISO is entering a new leadership position. To enjoy success, a new CISO has to have a solid plan of action. A new CISO is hired because the company understands the importance of the role and values the position. Therefore, to get the most out of it, the CISO should prepare and plan for the new role. The initial plan should cover the first three months in the position.

The Five Phases of a New CISO Plan

The first 90 days of a Chief Information Security Officer (CISO) include five phases, which are crucial in determining the success of the new CISO at the organization. The five phases are: Preparation, Assessment, Planning, Execution and Measurement. Each phase includes multiple steps and recommends a set of actions a CISO may perform. The five phases are described consecutively; however, phases may overlap, and some phases may require more time than others. The following five phases are required, at minimum, to enjoy success in the first ninety days in the role of a CISO.

Figure 2: Large companies detect more incidents. Detected security incidents by company size (revenue)

The First 90 Days

Phase I: Preparation (days 0-15)

The Preparation phase provides an organizational overview (what type of industry the organization operates in), teaches the organizational structure, and establishes mutual agreement on expectations and role responsibilities. The CISO role interacts with almost every department in the organization. Therefore, the first step is to be visible and known among all management, senior stakeholders and new staff. Scheduling a departmental meeting in the very first days with all the key leaders in the organization to introduce the new CISO may be a good start. During the meeting (a couple of meetings may be needed), the goal is to collect as much information as possible and to get a broad picture of what the organization is all about. It is the best opportunity to discuss security topics and concerns, like an open communication thread. The new CISO should be approachable and display enthusiasm for the new role.

As described in the newly defined CISO skills and responsibilities, another important goal is to build relationships with new staff and stakeholders: building political capital by listening to employees, displaying empathy, and gathering their goals and objectives so as to help them be successful when building the future Information Security Roadmap and Strategy.

Another action to perform is to get to know the security team’s skill sets, to better utilize technical skills and identify star performers (who may later be part of the security program lead). This may be accomplished by creating an inventory of skills (including technical and soft skills) (Fimlaid, 2014). The skills inventory is collected by talking to team members, holding one-on-one meetings, and observing performance. This is the most important task for finding out what the organization already has and for figuring out who can help in the next phases. It also helps to avoid underperforming or demotivated employees and to ensure employees’ goals are aligned with organizational goals.

Goals
• Understand the organization’s business needs and role expectations with management, senior stakeholders and new staff
• Develop meaningful relationships with new staff and stakeholders

Phase II: Assessment (days 16-35)

The Assessment phase uncovers the current security standing, security management, management flaws, weaknesses, and strengths. In this phase the CISO gathers an inventory of the resources that will be needed to manage the security organization. It includes, but is not limited to: people, reports, available metrics and financial parameters, existing security strategy, policies, standards and architecture (Scholtz & Byrnes, 2014). Close attention should be paid to anything the previous CISO (if there was one) may have done well. The inventory of the Information Security Program should include security staff and their responsibilities, program capabilities and how mature those capabilities are, and any available metrics on department performance. Along with that, the CISO reviews the budget and associated metrics, uncovering the capital portfolio and operational expenditure on security management.

Information Security High-Level, Current-State Assessment

At this point the assessment acts at a macro level to identify which elements of the company’s security program are functioning at their best and which elements must be replaced or repaired. In this phase the CISO evaluates compliance against industry standards such as PCI and finds out the regulatory obligations. If the CISO has the capability, he or she may review and assess the information security standing. However, there should also be an independent, qualified information security assessor (assessing against a framework such as ISO 27001) performing the assessment, to add credibility to any findings and to ensure quality (Fimlaid, 2014). Furthermore, the security assessment may include penetration testing and vulnerability assessment, current audit findings, security risk assessment, and risk assessment, which are needed to prioritize which remediation efforts to tackle first (Scholtz & Byrnes, 2014).

Goals
• Gain a comprehensive insight into the current state of the Security Program in the organization
• Perform a high-level assessment
• Review available metrics and financial parameters

Phase III: Planning (days 36-60)

The Planning phase transforms all the information gathered in the previous phases into an actionable blueprint. The information learned is aggregated to formulate an Information Security strategy. Ultimately, the strategy will include a roadmap for delivering the program, which includes risk management considerations. For example, in some cases it might make sense to mature an Information Security competency to only 90% of its potential capability, because the additional 10% improvement might be costly. Developing this Information Security Roadmap and being purposeful about investment and return on investment will help gain traction for the future budget (Fimlaid, 2014). The overall security strategy should include a framework such as ISO 27001 or NIST (National Institute of Standards and Technology) for overall industrial competitiveness.

Next is to set up goals and establish a program vision, which is essential for the success of an Information Security Program. This can be considered a prerequisite step for developing the overall Information Security Program strategy. In this step, the CISO redefines the security of the organization, in a way that reflects the maturity of the organization’s security and management practices and that is compatible with the organizational culture (Scholtz & Byrnes, 2014).

The next step is to utilize the budget information obtained in Phase I: Preparation; it is time to review the operational security budget to understand how spending is improving the program. It is advisable to have a financial analyst assist with the budget and develop ROI metrics to show improvement in the fiscal posture of the Information Security Program. The CISO should communicate with the stakeholders from Phase I and get their agreement to make sure of their support. The goal is to have a plan for the next two to three months.

The next step is to focus on two security issues identified in the security assessment from Phase II: Assessment. To best select the two key issues to focus on, the following questions may be considered: What is the risk of failure? Will it be successful within three months? Are the current resources and budget available?

Goals
• A draft of the Security Program Vision
• Plan for the operational security budget for the next two to three months
• Plan the focus on two key issues identified in Phase II
• Plan for a Security Awareness Program

Information Security Awareness Program

Another objective is to ramp up an Information Security Awareness Program. Often, CISOs fail to notice the importance of such a program. An awareness program is not training for employees; it is a foundation of awareness for both technical and non-technical employees. It is a fairly challenging task: a Security Awareness Program has to develop continuously and keep up to date with content that is interesting and engaging enough. Nonetheless, it is a must-do in planning. It is recommended to collaborate with the marketing department to come up with fresh, new ideas, and to ensure that every member of the security team advocates security to others and perhaps delivers an informative resource annually.

Phase IV: Execution (days 61-80)

The Execution phase delivers visible results of the security program strategy. The Charter draft encompasses the mission and objectives of the security program strategy. The Charter format should contain enough detail that it can be converted into an operational plan. Also, a Charter should be written at a high level, comprehensible by the approving parties. Before approaching the Board of Directors or the Information Security Steering Committee for Charter approval, it is recommended to have appropriate reviewers review the program.

Considering the Information Security Program strategy and objectives, it is time to utilize the skills inventory, rearranging and placing people in the right roles to accomplish the strategy. Considering the strengths of the selected star leaders, autonomy should be given. For instance, senior leaders would be able to work autonomously and help the CISO coach and provide oversight to junior leaders, while junior leaders might need a little more structure, with work plans and project reviews.

Lastly, the CISO participates in existing projects, whether inherited security projects or new ones being implemented. First, this ensures that projects stay on track and that stalled projects get attention; depending on the company’s needs and overall risk, the lowest-priority projects can be put on hold. Second, this is a good opportunity to gain some credibility in the team and show a successful contribution of the CISO role. Besides that, this process should have two objectives: keep the team focused on the business value of projects and, when needed, keep team members motivated for a smooth and effective execution phase.

Goals
• Draft an Enterprise Information Security Charter
• Select star security team leaders
• Implement existing security projects

Phase V: Measurement (days 81-90)

The Measurement phase evaluates whether goals and objectives were met. The Information Security Program Strategy is a solid platform for tracking progress on the strategic deliverables and tasks. This is an opportunity to provide evidence of impact and show achieved results. This phase overlaps significantly with the Execution phase, acting as a corrective measure. It provides feedback so that deliverables and objectives can be tuned to produce the desired results. Given all the hard work done to date, this phase is essentially the evidence of whether the CISO has been successful or not. The CISO has to prepare an initial report for Executive Management and the Steering Committee. This can be used as a component of the overall Information Security Governance process. Finally, the key is to continually monitor the Information Security Program deliverables and, when needed, modify or tune them.

Goals
• Initial status report for Executive Management and the Steering Committee
• Monitor the Security Program
• The foundations of an effective Security Reporting Framework

Conclusions

With the threat of cybercriminals attacking organizations on a global scale, the role of a CISO has become a challenging position. The importance of a CISO in organizations is now greater than ever. A CISO may not only be a technologist but also an individual who is a leader, someone who can see the big picture. Based on current knowledge, this paper presented the first 90 days of a CISO in terms of five phases: Preparation, Assessment, Planning, Execution and Measurement. Some of the phases may overlap, and some may take more time than others. The five-phase plan is a minimum requirement to enjoy success in the role of a CISO. As seen from the five phases, the role of a CISO is to communicate effectively with key leaders and to manifest a holistic approach to security, with goals that are aligned with the business goals and objectives.

References

Brenner, B. (2010, November 2). The New CISO: How the role has changed in 5 years. Retrieved December 5, 2014, from http://www.csoonline.com

Cho, M. (2003, January 1). Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer. Retrieved November 26, 2014, from http://www.sans.org/reading-room/whitepapers/assurance

Cisco. (2014, February 5). Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2013–2018. Retrieved December 5, 2014, from http://www.cisco.com

Deign, J. (2014, January 6). What Might it Take to Be a Chief Security Officer in 2014? Retrieved November 26, 2014, from http://newsroom.cisco.com

Fimlaid, J. (2014, November 18). The First 101 Days as a New CISO - A Chief Information Security Officer's Playbook. Retrieved November 26, 2014, from https://nuharbor.net

PwC. (2014, September 30). Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015. Retrieved December 4, 2014, from http://www.pwc.com

Scholtz, T., & Byrnes, C. (2014, June 27). The Chief Information Security Officer's First 100 Days. Retrieved November 26, 2014, from http://www.gartner.com