New role, new challenges – ensuring a smooth transition for incoming CISOs 

Think back to the last time you started a new job – how long did it take for you to feel like you’d got to grips with everything? A few weeks? A month? And in that time, how many new processes did you have to get clued up on? Add that to the task of simply adapting to a new role, in a new company, with new people, and you have most people’s experience of starting a new job.

Now imagine that same process, but with the entire company’s security in your hands from the second you begin. This is the life of a Chief Information Security Officer (CISO). They don’t have the luxury of a grace period to get used to their environment – they need an immediate understanding of the security estate they have just inherited.

But when a comprehensive security strategy relies entirely on complete visibility, how is a new CISO meant to put said strategy into place when there is so much that is unknown? 

The teething period (or lack of) 

All CISOs encounter the same challenge when starting in a new company: it’s time to get used to yet another network environment. No two business infrastructures are the same, so it’s essentially like working from a blank slate each time.    

Despite this blatant setback, CISOs are expected to demonstrate complete understanding and control, reporting on risks and presenting a strategic security future to the business from the get-go.

So, from day one, CISOs already have four hefty challenges to overcome: their lack of visibility of the organisation’s security estate; their lack of time to get up to speed; the need to get to grips with new tools; and the time-consuming and incomplete reporting process.  

Seeing it from the other side 

Onboarding a new CISO is no mean feat for the organisation either. Already in the uncomfortable position of losing their current security officer, who knew the landscape and processes inside and out, the business needs to get the new individual up to speed – and quickly. Every day that the position remains open, or in a state of transition, the business remains vulnerable.  

The entire situation is stacked against the CISO. Once on the payroll, the board and risk committee expect them to deliver.  

Unfortunately, this means CISOs are often forced to work in tactical and operational approaches, rather than from an overarching strategic standpoint. It often becomes a guessing game where everyone hopes for the best – but this is a dangerous game to play.  

Thrown in the deep end  

When the stakes are high, the pressure is even greater. The nature of cybersecurity means there is always something going on, always something to manage and always something to defend against. It is a 24/7 battle.  

Incoming security officers will of course prepare as best they can before joining a new organisation, but until they’re sat in front of the data, there’s no way of knowing what they will discover. The predecessor will have shaped the network for their preferred way of working, which is unlikely to match that of the new hire.

One of the biggest tasks for security officers is developing comprehensive reports on the state of the infrastructure and risk landscape.  

Security teams are also forced to complete these tasks manually due to a lack of automated capabilities. Every week, if not more frequently, the team collects information, carries out manual analysis and correlates the data to provide a general overview. By the time it reaches the CISO, it’s often at least one week later – by which point it is out of date.

The second major challenge is securing sufficient budget for their security programme. Cybersecurity budget is often viewed as a cost centre. But, as CISOs know well enough, when it comes to cybersecurity, it’s no longer a case of ‘if’ something happens and more a case of ‘when.’ So, instead of investing to prevent something happening, we’re investing now to reduce the chances of an attack turning into a successful breach and to mitigate the damage caused should the worst happen.

Steps for onboarding  

For CISOs about to enter a new role, there are four key focuses to help with the onboarding process.  

  1. Look into the past

Review the reports, audits and activities of the organisation in the months and years leading up to your onboarding. This should provide invaluable insight into the state of the organisation’s security.  

  2. Find the current security ‘champion’

Even though the previous CISO has now left, there will be other team members with a strong grasp of the state of the security posture. They can provide consultation during those first few months when you’re getting up to speed.   

  3. Getting the board’s support

The CISO needs to make sure the board is aware of the level of risk, as this obviously has a massive impact on the business. If the board is kept in the loop, it’s more likely that the CISO will get better tools and general investment; but if the board is left out of the conversations, the chances of the CISO being successful in their mission drop significantly.

  4. Real-time solutions

The security teams need solutions that provide real-time visibility into their existing security controls to help identify gaps and risks quickly and accurately; by identifying security gaps and being able to demonstrate these risks to the board, CISOs are more likely to win additional support and investment.  

Security threats can come from within and outside the organisation. Yes, CISOs are responsible for protecting the business from threat actors and their evolving hacking toolkit, but there are also several compliance regulations they must abide by.

Criminals will always target the weakest link and their methods for identifying this low-hanging fruit are growing in sophistication. Complete visibility is essential. One particular organisation I’ve worked with in the past carried out a security risk report and found that a password had not been changed in 22 years. The company’s lack of visibility beforehand meant this had gone unnoticed for two decades. Nowadays, that’s a death sentence for an organisation.

Working together 

Onboarding a new member of staff must be a joint effort from the organisation and the incoming individual. Security officers have a huge amount of responsibility that impacts the whole business. It’s therefore in the company’s best interest to ensure the new CISO is supported in their introductory months. There may not be time for a grace period, but there is certainly the capacity for a smooth transition.  

By Lior Arbel, CTO of Encore

For more information, visit: www.encore.io