Congratulations: You’re the new chief information security officer for an organization.
In this time of increasingly successful cyber attacks, on your shoulders lies the responsibility for establishing and maintaining the vision, strategy, and program that ensure information assets and technologies are adequately protected.
After walking into your new office, now what?
In a column this week for SC Magazine, Peter Duthie, co-CEO at GroundLabs, tries to answer that question by suggesting a new CISO take three initiatives:
- Have hard conversations: In the first few weeks on the job, make it a priority to schedule meetings with department leaders about their security- and privacy-related challenges. This will also be an opportunity to remind them how to treat data;
- Understand where all the corporate data is: How many employees keep classified documents in a personal file hosting service or on their desktops? How many share sensitive materials with others through cloud storage like Google Drive? “Only with this information can CISOs prioritize data management,” writes Duthie, “while identifying top areas for concern;”
- Audit the security tools: Among the questions to be asked are which solutions are working well and which are ineffective, and whether there are multiple technologies doing the same thing.
CISOs have a lot on their hands, including dealing with the board. In an interview at the annual RSA Conference two years ago, a CEO told me an essential skill for infosec leaders is learning how to talk to directors. But the first weeks in a new job are also vital for the CISO to learn about the strengths and weaknesses of their new post.
As Duthie writes, it's important for a CISO to have a strong understanding of the new environment when setting out to succeed in a new post.