Congratulations! You are the new CISO. What do you do first?
February 12, 2021
Recently a friend of mine, Jim (not his real name), took over as the CISO at a new organization. He asked me: “Sesh, what should I pay attention to?” I am going to put my thoughts down below, but I would also like to hear from all of you.
My first thought was: “Jim, you need to get an in-depth, independent assessment of your current security landscape.” Having thought it through, I listed four reasons why this is critical.
- The first six months after you start as CISO are the only time you can escape blame for the actions of the previous regime. After that you own the problem.
- You cannot depend on the tools you inherit to tell you your risk posture. Every existing tool has assumptions and exceptions built into it (scoped-out assets, suppressed findings, accepted risks) that reflect the previous team's decisions. You need an independent point of view.
- You cannot depend on your current employees to give you an accurate assessment of your risk posture. We performed an assessment for a large financial company. We found that even though the security team had mandated a set of standards and best practices to be followed, things had drifted. Manual deployment processes and undocumented changes had left the systems with several critical flaws. This is not uncommon.
- Even your current auditors may not give you a proper assessment of your security posture. Auditors have a limited budget when they come in. Often I have found that they negotiate a “dipstick” audit: they check only a subset of the infrastructure, and only a subset of the configurations that need to be checked.
I performed an assessment for a medical-records company to see if they were HIPAA compliant. The previous auditors had been passing the system each year with a dipstick audit that depended on a set of declarations from the head of operations. After the assessment was complete, there was no denying that the system was riddled with holes. At least the new person was able to go in with a clear understanding of what the problems were.
I suggested that the next steps were:
- Get an understanding of the risk appetite of the Board, the CEO and the other senior corporate executives.
- Review the current measurements and metrics to see if they meet the organization's needs. If they do not, come up with new measurements, metrics and KRIs.
- Build a business case, based on the assessment and the above, to get from the current state to green.
I will expand on these over the coming weeks but first I want to hear from you all. What do you think about my advice on doing a thorough independent assessment first?