So you want to be a CISO – 5 steps for Success
The position of Chief Information Security Officer (CISO) is not for the faint of heart. It requires knowledge of disparate security
technologies, risk management frameworks, and network and security architectures. The position will also require you to interpret
the applicability of numerous Federal and State laws, regulations, and compliance regimes against your standing Cyber Security strategy,
and to assess the changes your organization’s security program requires. With these daunting requirements in mind, I am writing this article
as a road map for the new CISO.
I have been in the Information Technology and Cyber Security fields for over 25 years and have been a CISO for the last 7 years. As a CISO, I
rely heavily on my experience as a Network and Security Architect and Security Auditor to provide context when evaluating the health of my
networks and security program. As CISO, I have used five steps that give me a foundation for improving my organization’s Cyber
Security strategy and protecting my networks and other critical organizational assets. These steps are:
1. Meet & Greet - “Walk About”
2. Inventory
3. Assessments
4. Plan
5. Communicate
1. “Walk About”: It begins with the first meeting you have with your team and then continues with walking about the organization to meet
key stakeholders and executive leadership. I find that meeting with your team gives you the first chance to start verbalizing your
security strategy and to assess your team’s individual skill sets and experience. This assessment will feed into how you implement your
strategy and future projects: if your team lacks experience, you may not be able to implement the security architecture changes as soon as
you planned, and you may have to contract a third-party vendor to provide the services you require. In meeting key personnel in your
organization, you will need to be open to their issues, keeping in mind that, as the CISO, they are your customers. You provide a service to
them, and you need to be cognizant that they may have had problems in the past with how your team has performed. In meeting with
executive leadership, you will need to find out what their key business concerns are. Try to bring across to them that Cyber Security is a
business enabler; it provides a secure foundation for them to innovate and develop new services for the organization. The last part of this
step is to meet with your boss, whether that is the CIO or another executive, and ensure you understand the scope of your responsibilities. It is
very hard to lead your security team and manage an enterprise Cyber Security program if there is any ambiguity about what you are
responsible for as CISO. Now that the organization knows who you are, it’s time for the second step: you need to find out more about your
organization, and especially about the security program you have inherited.
2. “Inventory”: This stage is about visibility into people, reports, metrics, budgets, work processes and policies. Here you will look at
your team and assess their skill sets and experience, and you will look at the contractors that fall under your purview and the services they provide
(review contracts and SLA metrics). You will also look at your current budget and previous security budgets; I have used this exercise
for trend analysis. If you want to understand how the organization views security, it is in this budget analysis that you will gain some
perspective on whether Cyber Security is leveraged to grow the business or seen as a cost center. When you are reviewing your budget,
you will also need to look at your department’s and your organization’s budgets; this viewpoint into the financial health of your
organization will aid you in your future plans for your program and in projects for your team. One of the last things you will do in this step is
also one of the most time consuming: you will need to assess the current network and security architectures, work processes, and standing
policies. This is where you assess the basic “Cyber Hygiene” of your organization; you will find policies and procedures that need to
be improved and possible architectural changes that would reduce the risk exposure of your organization. You will need to verify that you have
up-to-date network documentation such as network maps, subnet and VLAN lists, and asset management documentation. These documents
give you visibility into how your network and security suite is actually configured. I have found from my own experience that many
times the organization believes one thing, but when you actually delve into your networks and Cyber Security portfolio you find that your
network architecture is quite different, that data is being used by personnel in unique ways, and that work processes are communicated
verbally and have never been properly documented. It is at the end of this step that I take a break and review my notes on what I have
found, and then I proceed to review my predecessor’s notes, emails, and documents. I would suggest that you wait until now to review your
predecessor’s information; this allows you to approach it with a more informed perspective as you compare their notes
with your findings.
3. “Assessment”: In the previous step you gained visibility as you conducted your inventory, but now it’s time to get dirty. You need
to get a better understanding of how your network and your Cyber Security suite are put together, how data flows through your architecture,
and how organizational personnel actually use corporate data. Here is where we delve into the health of the Cyber Security suite: we
will look at the installed firewalls, AV solutions, IDS/IPS sensors, etc., and at the security procedures in place, such as patch management and
incident response, to name a few. The newly updated network diagrams and documentation will be used in this step to build a roadmap for
follow-on assessment projects. In this stage, we assess the effectiveness of the present Cyber Security program and annotate areas for
improvement. I tend to use the NIST and ISO frameworks as templates for the security controls to be assessed, and I verify their
applicability to my present network and security architecture. It is in this step that you will want to break out previous vulnerability
assessments and penetration tests. You will want to review each report’s findings and recommendations for remediation and
verify that the recommendations were implemented. This stage is the most technical of the five; you may want to ask for third-party vendor
assistance to conduct these assessments and provide recommendations. By the end of the assessment step, you will have a list of
security gaps; these will become future projects that should be prioritized based on the risk exposure to your organization.
4. “Planning”: Here is where we begin to build out the plan; we start to draft the vision for upgrading the organization’s Cyber Security
strategy based on our findings. It is here that we start analyzing the issues identified during the assessment phase. We will also look at the
security program as a whole and at any currently identified challenges, such as a lack of executive support, incomplete inventories (e.g.
organizational blind spots related to hardware, software, and systems), audit gaps, and incorrect security processes. By now we should
have a list of items that need to be addressed, and we will have prioritized many of the findings on this list based on risk exposure to the organization
or requirements for meeting compliance; we should now look for “low hanging fruit”. We will want to identify security gaps and issues
from our new list that can be addressed quickly and that provide value to the organization once corrected. What matters here is that, as a new
CISO, you want some wins under your belt to move your new security program forward. As you develop the updated strategic plan, it
should be used to create your new security budget, based on projects that will provide value to the organization. This value can be
measured in new services you provide to your stakeholders or in the reduction of your organization’s exposure to existential,
operational, legal and regulatory risks. It is this value, I believe, that lets you drive home in the next step that your Cyber Security
program and team are core components of the organization and that you enable it to meet its strategic goals.
5. “Communicate”: Now we come to the final step. We have collected all of our notes and findings and have developed our new budget
and strategic vision for upgrading the organization’s Cyber Security strategy. This strategy, with our prioritized list of security issues, now
needs to be socialized, because we need support for implementing the changes that the organization should make. We will need to
communicate our assessment findings – “Where we are presently” from an overall cyber perspective, and then add our vision, “Where we
want to be”. Our identified gaps and issues are the difference between these two pictures; it is these gaps we need to socialize, so that our
organization understands the business value in correcting these issues and reducing the risk and liability to the organization.
In the end, remember that this will take time and that you will be sifting through and collecting large amounts of information as you assess your
Cyber Security program. I have found it helps during this time to remember that you can’t do it all immediately: use your team, and reach out to your
peers for help and advice. Remember that it is crucial to develop your relationships with your stakeholders; they are your customers, and there
will be times you will need their assistance. I have found being a CISO to be an awesome job, I thoroughly enjoy the challenges it brings, and I
hope this roadmap I have developed will provide you with a plan to help you as you take on your new position.
  • 3. from our new list that can be addressed quickly and provide value to the organization once corrected. What matters here is that as a new CISO, you want some wins under your belt to move your new security program forward. As you developthe updated strategic plan, it should be used to create your new security budget based on projects that will provide value to the organization. This value can be measured in new services you provide to your stakeholders or the reductions in exposure to your organization from existential , operational, legal and regulatory risks. It is this value I believe where you can drive home, in the next step, that your Cyber Security program and team are core components of the organization and you enable them to meet their strategic goals. 5. “Communicate”: So now we come to the final step, we have collected all of our notes and findings and have developedour new budget and strategic vision for upgrading the organization’s Cyber Security strategy. This strategy, with our prioritized listof security issues, will now needto be socialized because we need support for implementing the changes that the organization should make. We will need to communicate our assessment findings – “Where we are presently” from an overall cyber perspective,and then add our vision “Where we want to be”. Our identifiedgaps and issues will be the difference betweenthese two pictures, it is these gaps we need to socialize so our organization understands the business value in correcting these issues and reducing the risk and liability to the organization. In the end, remember this will take time and you will be siftingthrough and collecting large amount of information as you assess your Cyber Security program. I have found during this time to remember you can’t do it all immediately,use your team, and reach out to your peers for help and advice. 
Remember it is crucial to develop your relationshipswith your stakeholders, they are your customers and there will be times you will need their assistance. I have found being a CISO is an awesome job, I thoroughly enjoy the challenges it brings, and hope this roadmap I have developedwill provide you with a plan to help you as you take on your new position.
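The Assessment and Planning steps above both turn on the same mechanics: checking whether prior vulnerability-assessment and penetration-test recommendations were really implemented, ranking the remaining gaps by risk exposure (with compliance drivers first), and picking out the quick wins. The script below is an added example, not code from the original article; the findings, their likelihood/impact scores and effort estimates are constructed sample data, and the 1..5 likelihood-times-impact scale and the quick-win thresholds are assumptions you would replace with your own risk framework.

```python
"""Prioritize inherited assessment findings by risk exposure and flag quick wins.

Added example, not from the original article. The findings and scores below
are constructed sample data standing in for what you would pull from prior
vulnerability-assessment and penetration-test reports.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    fid: str                 # report identifier (constructed, e.g. "VA-01")
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)  -- assumed scale
    impact: int              # 1 (negligible) .. 5 (severe)    -- assumed scale
    effort_days: float       # estimated remediation effort
    status: str              # "open" or "remediated" as stated in the report
    evidence: Optional[str] = None   # ticket / retest reference proving the fix
    compliance_driver: bool = False  # needed to satisfy a regulation or audit finding

    @property
    def exposure(self) -> int:
        """Simple likelihood x impact score on a 1..25 scale (assumed model)."""
        return self.likelihood * self.impact


def unverified_remediations(findings: List[Finding]) -> List[Finding]:
    """Report says 'remediated', but nobody retested or left evidence: verify these first."""
    return [f for f in findings if f.status == "remediated" and not f.evidence]


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Anything not proven remediated is still an open gap."""
    return [f for f in findings if f.status != "remediated" or not f.evidence]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Compliance drivers first, then highest exposure, then lowest effort."""
    return sorted(open_findings(findings),
                  key=lambda f: (not f.compliance_driver, -f.exposure, f.effort_days))


def quick_wins(findings: List[Finding], min_exposure: int = 9,
               max_effort_days: float = 5) -> List[Finding]:
    """'Low hanging fruit': open items with real exposure that close in days, not months."""
    return [f for f in prioritize(findings)
            if f.exposure >= min_exposure and f.effort_days <= max_effort_days]


def exposure_summary(findings: List[Finding]) -> dict:
    """'Where we are' versus where we would be once the quick wins are closed."""
    now = sum(f.exposure for f in open_findings(findings))
    after = now - sum(f.exposure for f in quick_wins(findings))
    return {"current_exposure": now, "after_quick_wins": after}


# Constructed sample findings (hypothetical; not from any real report).
SAMPLE_FINDINGS = [
    Finding("VA-01", "Unpatched edge VPN appliance", 5, 5, 3, "open"),
    Finding("VA-02", "No MFA on admin portal", 4, 5, 10, "open", compliance_driver=True),
    Finding("PT-03", "Flat network, no VLAN segmentation", 3, 4, 40, "open"),
    Finding("VA-04", "Default SNMP community strings", 3, 3, 1, "remediated"),  # no retest evidence
    Finding("VA-05", "Stale local admin accounts", 3, 3, 2, "remediated", evidence="CHG-1182 retest"),
    Finding("PT-06", "Verbose error pages", 2, 1, 1, "open"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.fid:6} exposure={f.exposure:2} effort={f.effort_days:>4}d  {f.title}")
    print("quick wins:", [f.fid for f in quick_wins(SAMPLE_FINDINGS)])
    print("unverified remediations:", [f.fid for f in unverified_remediations(SAMPLE_FINDINGS)])
    print(exposure_summary(SAMPLE_FINDINGS))
```

Two design choices are worth noting. A finding marked remediated without retest evidence is treated as still open, which is the "verify the recommendations were implemented" check from the Assessment step made explicit. And the before/after exposure totals give the Communicate step its two pictures in one number each, so the gap you are asking leadership to fund is stated in the same terms you used to prioritize it.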