As many of you know, starting a new job can be challenging in and of itself. It involves learning a new culture, understanding company values, as well as basic things such as remembering names and faces, and who to eat lunch with.
The stress and challenges of those first 90 days are only a small glimpse of what the rest of the year will bring, so it is imperative that a new CISO develops a plan for managing them.
Truly, the first 90 days amounts to a “drinking from the fire hose” reality, but we forget that those first 90 days can also determine your future within the company (whether it is voluntary or involuntary), and determine your credibility with your colleagues.
So it is important to create an action plan that makes the first 90 days successful and less stressful, and prepares you for the next 90.
Here are my 5 must-dos for the first 90 days:
1. Prior to joining the company, conduct thorough research to learn what keeps the company functioning: the core business. Also know who's who in the executive management team and across the company; this is where LinkedIn becomes a valuable resource. You also need to understand the regulations the company may be subject to, for example HIPAA or PCI DSS. Once you have a clear grasp of the sector the company is in, draw up an educated list of the security controls it will require.
2. Develop a one-year strategy, broken out by quarters, with a detailed task list that keeps you proactive ("managing risk") rather than reactive ("fighting fires"). For example, the first quarter of the plan might tackle high-risk, one-off issues: create a security policy and operating procedures, conduct a gap analysis, and strengthen the policies behind the foundational security safeguards (firewalls, remote-access VPN, ACLs, MDM, etc.).
3. Develop professional and semi-personal relationships with colleagues. This seems simple, but it can be challenging unless you extend yourself beyond what you would normally do. Most importantly, build strong relationships with individuals from various teams, including legal, senior leadership, human resources, internal audit, and finance. This will be crucial to the success of your program.
4. Be strategic and know the core business values of the company. Do not attempt to build a security program without knowing what to protect (the crown jewels, the most valuable business assets) and prioritizing based on risk and operating impact. So before proposing a new security technology, pause and ask yourself, "How would this benefit the core business?"
5. Most likely you will not have a budget on day one, so forget about purchasing new security technologies and tools. Instead, look to leverage technologies already implemented, or purchased but never deployed (shelfware). Both your boss and your colleagues will appreciate your resourcefulness, and this will help build the credibility that will be key to future security investments.
I'm always interested in speaking with others about what they do and how they do it, so please share your top 5 must-dos for the first 90 days on the job.