It seems to be a rite of passage for all CISOs to, at some point in their career, write down their advice for other CISOs starting a new job, whether they are a first-time or veteran CISO. Somehow, I’ve avoided this urge until recently, when I sat down to write my own version. While I was writing it, Christina Shannon published her version, so of course I had to make sure I didn’t miss any of the advice she was giving. And then I found someone else’s version, and, again, I had to double-check mine against theirs. And… you get the picture. I ended up with a guide that is comprehensive, yet easy to understand and operationalize, a feat to be proud of for certain. Yet, there was still work left to be done. I felt compelled to start with miniature versions of my full guide on how to be a CISO, so I wrote How to CISO in the Cloud Parts I and II.
The truth is, if I listed everyone’s advice I looked at, that list would be longer than the ebook version you’re about to grab below (and, clocking in at just shy of thirteen thousand words, it isn’t short). Not to mention, if we choose to dive deep into the concepts found in my full guide on “How to CISO,” we could probably produce hundreds of mini ebooks that cover important concepts in great depth. So, How to CISO in the Cloud is just the beginning, and I’m excited to announce the release of the full guide: How to CISO, Volume 1: The First 91 Days.
In this journey of compiling my advice on how to be successful as a CISO, the true first lesson for any CISO starting a new job is clear: We’ve got you. The CISO community is generous with its time and energy, and we all want you to succeed. Ask for help and you’ll find it waiting for you. If you’re not in a Slack channel with a lot of CISOs already, come find one (you’re probably too busy to make your own, but you do you).
Breakdown of How to CISO
What you’ll find in this guide, which might be a little different from other guides, is an emphasis on the questions you need to answer as part of doing your job. It starts with “What is this company that I work for?” because the strategies that work in an outsourced call center might not work when you start securing a software engineering company. I cover understanding your risks (although a bit differently than I covered them in How to CISO in the Cloud Part I) and the questions you’ll need to ask to develop your strategy (different from How to CISO in the Cloud Part II). Then come the important questions.
What are the quick wins you’re going to execute on?
Some CISOs think you shouldn’t make any changes in the first 91 days, and you should definitely be cautious to avoid making changes you don’t understand. But often, you’ll find opportunities to make small, tactical changes that are visible enough to let your partners see that you can make effective changes. These might not take effect until outside your first quarter, but the primary objective for you is to build up momentum as a positive change agent – find the quick, low-cost changes that everyone is going to be supportive of.
How are you going to set up your program for mid-term progress?
Now that you’ve set yourself up for success with some early wins, identify the changes that will bear fruit over the next 12 to 18 months. These might or might not be transformative, but you’re setting up a pattern of continuous delivery on meaningful projects.
What is your long-term strategy?
Of course, you’ll want a theme that is tying together all of your quick wins and mid-term projects, and those are going to roll into your long-term strategy. How are you setting up your company along zero trust principles? Maybe you’re focusing on enabling a secure cloud-first development strategy. Whatever your strategy is, articulate it so you can make long-term investments that provide ongoing benefit.
And, most importantly, how are you going to communicate your plan and get buy-in from all of your stakeholders? Happy reading, and good luck in your new role!
Short on time for reading? Register for the webinar instead to get started!