You took the job. Now what?
What's done is done. There is no turning back! You've accepted the CISO job, and now you have to figure out what to do when you walk in the door. First, allow me to get the formalities out of the way. You have my condolences. You are embarking on a journey that will leave you questioning your sanity on an almost daily basis. Don't worry, though, as it will also be a fulfilling way that you can contribute to the success of the organization as both a guardian and a trusted adviser. Just don't let them know where you hide the whiskey, or you will never be able to keep the sales team out of your office.
When you walk in the door, you need to come prepared with a high-level strategy that you can use to plan your initial projects and begin to prioritize your efforts. I recommend taking a simple three-phase approach to your security strategy at first. It is clear and concise, easy to communicate, and it will serve you well as you build your security program.
The first phase, "Inventory & Document", is dedicated to understanding the current state of the organization, including what assets you are protecting and how the business operates. The second phase, "Design & Implement", is about where you want to go and how you will get there. This includes defining capabilities, selecting tools, modifying business processes, and implementing new systems and tooling. The third phase, "Measure & Mature", focuses on applying management techniques to stabilize and improve the program after your new controls have been implemented. Defining metrics and measuring the performance of a security program is not easy, but it is necessary for the continuous improvement efforts that will take your program into the future. It is important to note that the third phase easily dovetails into more sophisticated business-aligned strategic initiatives once the program is operating effectively.
While it is understandable that you and the other executives will be anxious to begin making broad changes and deploying new tooling right away, the first priority is situational awareness. Get your bearings before you set your direction. You will save time, energy, and frustration in the long run if you take a methodical and disciplined approach to building your security program.
I will explore each of the three phases of this strategy in upcoming posts, so stay tuned! In the meantime, click the "follow" button at the top right corner of the page to follow me on Twitter and start a conversation. I would love to hear what you think!