The new security boss needs to listen if they hope to win over a myriad of new constituencies in their first 90 days
You just took over as the CISO, ready to dig in and make the most of this fantastic opportunity. With so much needing to be fixed, where do you start first?
This topic received attention during the RSA 2022 security conference this week at a session that featured CISOs from Reddit, Amplitude and Robinhood. The CISOs recounted their first three months on the job, sharing the particular challenges they faced while building out their organizations’ strategies, policies and procedures.
Any new CISO will need access to the best and most actionable intelligence possible about the shifting threats to their organizations. They’re walking into new situations where they’ll immediately be under the gun to translate all the data that they’re keeping tabs on into real business impact.
All the while, they’ll be expected to report to their bosses in the C-suite both on the organization’s risks and security exposure as well as what they’re doing to stay ahead of the bad guys. Clearly, enterprises are going to need an updated approach to put them in a stronger position when it comes to threat detection and response.
That doesn’t happen nearly enough, according to panelist Olivia Rose, the CISO of Amplitude. She noted that many new CISOs don’t listen carefully enough when they take over and risk ostracizing the people actually doing the work. Instead, she said the CISO’s first 30 days should be akin to a listening tour.
The immediate goal is to build allies for any rethink of the organization's security posture. The longer-term goal is to implement the necessary tools and processes that will make it easier for the enterprise to stay on top of security threats.
For example, one of the first things that another panelist, Caleb Sima, the CISO of Robinhood, did when he took over was to conduct an internal survey to measure the relationship between security and the rest of the organization. That was the jumping-off point for follow-up conversations with other departments about what they needed and how to improve the security relationship. After consulting with the engineering leadership and other stakeholders, he then built out planning decks with progress goals for his first year in preparation for a presentation of his findings to the executive team.
It’s worth noting that this degree of sharing doesn’t need to be limited to the walls of an organization. Building on the advice outlined by Sima, new methods and tools are emerging to enable sharing within intelligence communities and among organizations that historically would have avoided sharing information for fear of spilling trade secrets. The Anomali platform, for example, makes threat intelligence sharing possible between ISACs, ISAOs, industry groups and other communities looking to share intelligence in a secure and trusted way.
Winning Over the Board
Perhaps no relationship – particularly during those first 90 days – is as critical as the one between the new CISO and the company’s board of directors.
In the past, truth be told, the relationship left much to be desired. But in more recent years, more boards have recognized the strategic value of security and the monetary and reputational risks of data breaches. For new CISOs, it’s more important to articulate the nature of the gathering threats, real and potential, and the company’s defense capabilities – in plain English. That means keeping insights and implications very clear, with an emphasis on impact.
Going even further, the CISO at some point early in their tenure will need to report progress to the board and demonstrate the positive impact they’re having on the business. This is the hard part.
This also underscores the urgency of moving beyond reactive threat detection to proactive adversary detection. A CISO can’t afford to miss any looming threats. As they build out the organization’s strategies, policies, and procedures, they have to move fast without breaking anything, all the while maintaining visibility into the threat landscape. This requires transforming threat analysis and investigations into effective defenses–an approach that incorporates established industry frameworks, such as the MITRE ATT&CK framework. This can help break down the complexity of an attack and inject relevant threat intelligence for quick analysis that can inform an effective defense against adversaries.
The Bottom Line
A CISO’s job is obviously very hard, and each environment is going to be different. It’s important for you to set the tone early and outline the strategies that will ensure success for your organization. That will make it easier to evolve beyond reactive incident response to improve the organization’s security posture before any attack.
- During your conversations, it’s key to find out:
- What tools are in place currently? And which are working?
- Why are things done the way they are?
- What is the problem(s) they are trying to solve with each process?
- How can I improve processes and make my analysts job easier?
The C-suite is going to want to know whether you can align data with the profile of a potential victim before an attack unfolds to determine what an attacker is likely planning to do. The answer to that question hinges on your degree of visibility into attacker behavior, intent, and motivation, extending to organizational and technology targets.
This is where having a partner like Anomali can help smooth that process with a security platform that streamlines all of the enterprise’s security intelligence without needing to rip and replace anything. Instead, it will bolster what’s already in place. And that’s also going to demonstrate ROI and make the task of any CISO that much easier to manage.
For additional information, check out the following resources:
FEATURED RESOURCES
Anomali Cyber Watch: Cisco ISE Flaw, Ni8mare, N8scape, Zero-Click Prompt Injection and more
Anomali Cyber Watch: OWASP Agentic AI, MongoBleed, WebRAT Malware, and more
