
How To Survive The First 100 Days As A New CISO

The chief information security officer (CISO) role has dramatically transformed. In the face of ever-growing cyber threats, CISOs have transitioned from solely technical defenders to strategic business leaders. Beyond safeguarding against cyberattacks, they now play a critical role in managing and mitigating inherent business risks, ultimately contributing directly to business value.

Today’s CISOs have expanded their influence, securing not just data and IP but also facilitating business growth and digital transformation, reinforcing the idea that robust cybersecurity can coexist with and even enhance customer experience. As this role continues to evolve, I anticipate that CISOs will further climb the corporate ladder, becoming indispensable in the digital age.

Taking on the role of CISO at any organization is exciting but challenging. Those first 100 days can feel like drinking from a firehose as you work to get a handle on the company’s security posture, build relationships across teams and start driving improvement initiatives.

Having tackled the role of CISO on several occasions throughout my career, I can offer some key focus areas and tips for effectively navigating those critical first 100 days.

Understand user access and identities.

Identity and user access are the first and most significant problems for any new CISO. Knowing who has access to what data, applications and systems across the organization should be priority number one. Poor user access and identity governance create huge risks, from access creep and identity debt to toxic role combinations. Auditing user privileges, implementing least-privilege access and getting a handle on employee onboarding and offboarding processes are crucial right out of the gate.
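One way to operationalize that first-priority review, as an added example that is not from the article or its author: a small Python access audit over a constructed HR roster and entitlement export (the user names, roles, dates and the separation-of-duties rule are all assumed), flagging entitlements that survived offboarding, entitlements that have gone unused (access creep) and toxic role combinations.

```python
from datetime import date

# Constructed sample data (hypothetical, not from the article):
# an HR roster keyed by username and an entitlement export of
# (user, role, date the role was last exercised).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
}
ENTITLEMENTS = [
    ("alice", "ap_create_vendor", date(2024, 5, 1)),
    ("alice", "ap_approve_payment", date(2024, 5, 2)),
    ("bob", "erp_admin", date(2024, 1, 10)),      # left the company, still entitled
    ("carol", "crm_read", date(2023, 9, 1)),      # unused for months: access creep
    ("dave", "vpn_access", date(2024, 4, 30)),    # no HR record at all
]
# Hypothetical separation-of-duties rule: roles one person must never hold together.
TOXIC_COMBINATIONS = {frozenset({"ap_create_vendor", "ap_approve_payment"})}
AS_OF = date(2024, 5, 15)  # review date for the sample run


def audit(roster, entitlements, toxic, today, stale_days=90):
    """Return (finding_type, user, detail) tuples for the three risk classes."""
    findings = []
    roles_by_user = {}
    for user, role, last_used in entitlements:
        roles_by_user.setdefault(user, set()).add(role)
        status = roster.get(user, {}).get("status", "unknown")
        if status != "active":
            # Terminated or unknown-to-HR accounts that still hold access:
            # an offboarding gap (identity debt).
            findings.append(("offboarding_gap", user, role))
        elif (today - last_used).days > stale_days:
            # Active user, but the entitlement has not been exercised recently.
            findings.append(("stale_access", user, role))
    for user, roles in roles_by_user.items():
        for combo in toxic:
            if combo <= roles:  # user holds every role in the toxic set
                findings.append(("toxic_combination", user, "+".join(sorted(combo))))
    return findings


def run_sample_audit():
    return audit(HR_ROSTER, ENTITLEMENTS, TOXIC_COMBINATIONS, AS_OF)


if __name__ == "__main__":
    for kind, user, detail in run_sample_audit():
        print(f"{kind:18} {user:8} {detail}")
```

In practice the roster and entitlement export come from the HR system and identity provider, and the findings feed the access-review and offboarding tickets the article calls for.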

Get visibility on systems, data and regulatory and legal frameworks.

Along with user identities, developing a comprehensive inventory of the company’s IT systems, data repositories and cloud infrastructure is essential. This allows a new CISO to understand potential regulatory impacts based on the types of data handled, such as consumer privacy laws like GDPR, HIPAA, financial regulations and more. Having this visibility enables the prioritization of compliance issues.

Build cross-functional relationships.

Forget the stereotype of the cybersecurity chief staring at screens all day. Effective cybersecurity isn’t just an IT team effort—it requires collaboration and alignment across the entire organization.

In the first 100 days, new CISOs must focus on establishing relationships with key internal stakeholders in the legal, HR, finance, marketing, customer service and development teams. According to Gartner, 65% of top-performing CISOs build relationships with senior business decision-makers outside of the context of projects.

This enables better communication by breaking down silos and helps ensure CISOs can access the resources they need. Making inroads with the C-suite and board of directors is equally crucial. According to a recent survey of CISOs, 49% agreed that there is a lack of C-level buy-in to their role, with 32% “going as far as to say that there is no C-level buy-in at all.”

The key to unlocking this crucial executive buy-in lies in mastering the art of translating cyber speak. CISOs must become fluent in the language of the boardroom, presenting security strategies not as cost centers, but as business enablers. This means demonstrating how robust cybersecurity practices directly drive profitability, mitigate risk and safeguard the company’s reputation. CISOs can elevate their role from a technical necessity to a core business function by showcasing the tangible impact of security on the company’s financial well-being.

Build a security narrative that resonates.

How a company discusses and pitches its security approach to its employees can be just as important as the technical controls it implements. Traditionally, cybersecurity leaders have focused on improving technology and processes that support their programs, with little focus on the people who create and implement these changes. This outdated mindset is shifting.

While technical defenses remain essential, a growing emphasis is being placed on human-centric security practices. Recognizing this shift, Gartner forecasts that by 2027, half of the CISOs in large enterprises will prioritize human-centric security, aiming to reduce friction and enhance control uptake.

As a new CISO, I recommend befriending the marketing team early on to help shape the organization’s cybersecurity story. Getting buy-in on a cohesive security narrative makes it easier to drive initiatives and adopt the human-centric cybersecurity approach that will only become more important.

Pressure test incident response capabilities.

It’s also valuable to conduct tabletop exercises to pressure test incident response capabilities. These exercises simulate a cyberattack or data breach scenario, allowing the team to walk through the step-by-step process they would take in an actual event. The goal is to identify strengths and weaknesses in the organization’s incident response plan and ensure that all team members understand their roles and responsibilities.

This approach also helps fine-tune communication and coordination among different departments. By running through these simulations, organizations can improve their readiness, reduce response times and minimize the impact of an actual security incident.

Assess the company culture.

Leading security initiatives requires understanding the company’s culture around security. Is it well-prioritized and seen as enabling innovation? Or is security still viewed narrowly as a burden on productivity? A new CISO may need to work on helping evolve mindsets in those first 100 days through education and open communication and feedback loops.

The first 100 days as a new CISO are a whirlwind of assessing risks, building relationships and establishing priorities. However, by staying focused on the fundamentals, such as identity and user access, data and systems, and a cohesive security story, new CISOs will set themselves up for long-term success.
