How CISOs can prepare for starting at a new company

- -

Whatever your role, moving to a new company can be hard. Becoming familiar with colleagues, processes, and cultural norms takes time. For Chief Information Security Officers (CISOs), these challenges are compounded by a digital environment - and threat landscape - that never stands still.

Cutting-edge technologies are changing the game for CISOs, creating new risks and requiring new safeguards. It’s hardly surprising that many CISOs are struggling to keep pace - regardless of how long they’ve been in position. In fact, many have recently moved or are thinking of making a switch, with 75% considering a career change.

However, even if it’s impossible to completely avoid challenges when taking on a new CISO position, this doesn’t mean security leaders should be intimidated by them. Transitioning into the role of CISO at a new firm can be made a little easier if an individual’s responsibilities are clearly outlined, if they remain up to date with emerging threats, and have a full understanding of the organization's technology landscape.

Building on the work of management guru Michael D. Watkins, we believe that the first 90 days are critical for any CISO looking to make a successful transition to a new company. In Watkins’ book, “The First 90 Days: Proven Strategies for Getting Up to Speed Faster and Smarter," he explains why the first three months often determine whether a new leadership role turns out to be a success or not.

Taking insights from Watkins’ work, plus research from more than 200 CISOs, we have created our own eBook, "The CISO’s First 90 Days: A Transition Plan for Success" to guide security leaders aiming to make an impact at a new organization. There’s no need to fear change. Our plan gives CISOs specific goals, metrics, and phases to ensure a seamless transition to their new role. Utilizing these tools CISOs can navigate challenges and hit the ground running.

A phased transition

As part of our 90-day plan, we believe that CISOs will have the most success when transitioning to a new company by following a structured framework broken down into various phases. The first of these involves pre-start preparation.

During the pre-start preparation phase, the primary objective for CISOs at a new organization will be to understand their role, assess the maturity of the current security landscape, and prepare strategically with the information at their disposal. This is easier said than done, with a survey of CISOs revealing that the most commonly cited concern when adopting a position is receiving an inaccurate audit of the company's security posture. Evidently, gaining a clear understanding of the security credentials at a new company can be difficult.

To ensure that phase one of the transition to a new organization goes as smoothly as possible, it’s a good idea for new CISOs to research a company’s history extensively, as well as its culture and any industry-specific security challenges. Even a quick search online will inform CISOs of cybersecurity trends that are emerging across particular sectors. In financial services, for instance, phishing, ransomware, and SQL injections are among the most common cyber threats. Having an awareness of this will only help CISOs make a fast start in their new role.

CISOs should make use of all relevant publicly available information in preparation for their new position, engaging with stakeholders and conducting meetings with other members of the security team to gain a better idea of their organization’s security posture and maturity level. This approach will not only help them to understand the problems currently faced by the company but also any areas in need of improvement​.

Getting the most from the pre-start phase

Any CISO who only starts exploring a company’s security posture after they’ve started in their new role could face some unpleasant surprises. That’s why the pre-start preparation phase is so important. It enables CISOs to prepare appropriately, planning for the types of tools they will use, the colleagues they will work with, and the impact they want to make.

By the time the pre-start preparation phase is complete, three important areas should be clear to them: stakeholder goals, team pain points, and customer and regulatory needs. In terms of understanding stakeholder goals, the initial transition phase should involve new CISOs engaging with key stakeholders to understand their expectations and strategic goals. These could involve third-party risk management, access controls, cloud security, or something else entirely. The most important thing is for new CISOs to actually create a dialog with new stakeholders. By engaging with them, their challenges, concerns, and goals will become clear.

When looking to assess the pain points of a new security team, CISOs will hopefully have gained a pretty good idea from their initial interactions. Research indicates that these pain points are likely to include supply chain attacks, with Gartner predicting that 45% of global organizations will be impacted by them in some way by 2025, and a year-on-year increase in vulnerabilities. Any CISO should take the time to talk with their team, understand their concerns, and build trust early on.

And don’t just look internally either. The pre-start phase should also involve new CISOs learning the needs and expectations of customers and regulators too. Be aware that these can change at any moment as well. As a case in point, the European Parliament approved the EU Cyber Resilience Act earlier this year. More regulatory developments will surely follow with marked differences between jurisdictions. Remaining informed of these changes will allow a new CISO to ensure their security methods are both compliant and customer-centric.

A seamless transition for tighter security

No one is claiming that starting a new CISO position is straightforward. Accessing the information you need to properly prepare for your role may not be easy and truly understanding the culture of an organization from the outside may be challenging. However, these aren’t reasons for prospective CISOs to start their role without preparing appropriately.

There are ways for new CISOs to overcome the difficulties of researching their new role before they begin. Be sure to leverage publicly available data where possible, including financial reports and industry news, to gain information regarding the company. Talk with stakeholders in advance of your start date - not only to discuss methods, strategies, and tools - but also to build relationships.

And don’t forget that preparing for life as a new CISO takes time. That’s why we have created a 90-day plan to ease the transition. Our structured approach takes CISOs step by step through the goals, conversations, and metrics that are likely to play a key role in ensuring that starting a new position represents a fruitful new beginning for other employees, customers, partners, and, of course, the CISO themself.

To find out more about the challenges and opportunities of starting as a new CISO, from the pre-start preparation phase to gathering feedback, be sure to check out Hadrian’s new eBook, "The CISO’s First 90 Days: A Transition Plan for Success."

{{related-article}}

Stop Focusing on the Noise: Prioritize the Risks That Truly Matter

{{quote-1}}

,

{{quote-2}}

,

Related articles.

All resources

Threat Trends

The Risk of Misconfigured Access Control Policies in Cloud Configuration

The Risk of Misconfigured Access Control Policies in Cloud Configuration

Threat Trends

cURL and libcurl CVEs Unwrapped: Debunking the Hype

cURL and libcurl CVEs Unwrapped: Debunking the Hype

Threat Trends

IDOR Explained: Everything you need to know

IDOR Explained: Everything you need to know

Start your journey today

Experience faster, simpler, and easier automated penetration testing in a quick 20-minute demo.

Book a demo