CISO: First 30 days

Posted on by | 1 Comment

Intro

I have seen quite a few articles on what CISO’s should concentrate on so I am going to give you my opinion. So you have just landed a new role as CISO so after induction (if you don’t have one add it to the list of items to resolve) and hand over if you get one as the previous security leader departed before you arrived, I will articulate some helpful pointers to help in your role that should be done in the first 30 days and help make an impression.

Governance 

The first thing I always look for is an organisations security governance, do they have one? is there a security policy documented if so is it signed off and at what level. I always try to get the exec to sign off the security policy & strategy that way you drive security as a top-down approach.  

Understand the Legal and regulatory frameworks that must be adhered to, such as GDPR etc. Make best friends with the DPO they will be your biggest ally and will help support your security initiatives that concern personal data. 

If there is no security policy I would recommend following one of the main frameworks such as ISO27001 or NIST Cybersecurity Framework, I use the CSF to produce a heatmap as a quick one-page metric and a good way to measure yourself in enhancing the organisation’s security posture. I have a CSF heatmap template which I’m happy to share just email me.

I would always recommend reaching out to your predecessor if they had already departed, they may give you insight into your challenges.

Business Goals

Another thing I always look at is the business as a whole. What are its goals? how does it generate revenue? and how would security impact upon these goals and revenue? 

By looking at what data is used to produce revenue, mapping out the transaction flows should be on the list as well as a business impact assessment, however, these make take some time. Also looking at current threats to the sector of your organisation will help identify where to look.

The main reason for looking at goals is to align risk with the goals, ergo any negative impact on one or more goals is more likely to be funded and agreed by the senior management.

Organisation Structure

This is always an interesting aspect of how is the organisation structured and in so where does the CISO role reside? Inside IT or technology more likely the role will be more aligned with line of defence one (Security operations) outside of IT or Technology role more likely will be aligned with the line of defence two ( Security Governance Risk and Compliance)

Personally, I prefer the CISO role in the Security Risk and Compliance domain as stated: “security is a business process”.

one thing that may need to be looked at in closer detail is the security function certainly taking a data-centric view which I do and equate risk to financial impacts, there will always be good synergy between security, fraud, revenue assurance and risk functions and would advise modelling the security function that either absorbs some of these function if within the finance directorate or has dotted reporting lines.

Fraud is normally a result of a non-effective or non-existent security control being exploited i.e. Busines email compromise to redirect payments.

Budget 

Always needed to fund security resources and initiatives, an optimal measure is about 5% to 8% of the IT spend. The advice here is to make sure the security budget is a separate budget line and owned by the CISO, although some areas may be seen as IT it should be separate. And assuming that the organisation used a blended rate for cross charging have a code set up so on paper the security function can be seen to receiving revenue rather than just a cost centre, you will be surprised how much time and effet goes into vendor review and consulting on internal projects.

Current Security Posture

leading on from the reference to the heatmap above one of the first things I do I measure the organisation’s security posture from both inside and outside. I believe the outside view of an organisation is critical, this is what the customers and regulators will see, and does normally drive good behaviour. I would recommend the free FICO Cyber Risk Score to start after it proves value you can always purchase a subscription to enable you to expand to third parties.

Based on one of the frameworks above ISO27001 or NIST Cybersecurity framework I would undertake a quick audit of your organisation to understand its current security posture, where the GAPS are and ensure aligned with the known risk and business goals. 

Undertaking a security maturity assessment as part of the exercise will not only give visibility albeit at a high level of controls that need addressing but also how effective the controls are. I normally use the CIS top 20 to demonstrate the effectiveness and have some good metrics for reporting upwards depending upon the audience.

Gather up the external-facing addresses and feed them into a vulnerability scanner this will give you a view on what hacker will see.

Domains & Certificates

Again another first thing I do what domains are registered to the company, who registered them and when do they expire (this one is critical hopefully none have expired in before your tenure started).

Along with the domain I look for all the certificates in use and concentrate on public-facing services normally it’s quicker to use a public scanner of these addresses than getting someone from the business to provide the information if the company has been through a few changes I’m sure you will find older domain names and certificates. 

Identity 

Offboarding for a lot of organisations seems to be a challenge normally teh process needs to be refined and HR need to talk to IT to ensure information is received promptly. The big issue is normally around contractor and third-party accounts they normally slip through the cracks. As a quick win on the active directory, I normally look at all the devices that haven’t logged into the domain in last 90 and have them deleted, and all users who haven’t logged into the domain in last 90 days remove those but ensuring HR and third parties advise which account may still be in use but are not used for the reason of account of last resort or someone on maternity leave.

Of course, this is just one system and an organisation will have many on-premises and cloud-based systems that all have an identity store. As part of your strategy single sign-on from a central authentication, this should be a goal to aim towards.

Final Throughts

Be pragmatic most security people are called teh “Project Prevention Department” dont be that guy or girl.

Be a buisiness enabler not a blocker.

Build relationships and trust.

Download our CISO as a Service white Paper Download

matt hardy

View posts by matt hardy

Matt is a global CISO with 20+ Years of Directing International Security Programmes for Multi-Billion Pound Organisations. With a passion for security and a cybersecurity evangelist.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.