A CISO's First 90 Days: The Ultimate Action Plan and Advice

Many organizations seek a Chief Information Security Officer (CISO) who possesses a mix of technical proficiency and leadership abilities. While this is no longer a purely technical role, CISOs need to be able to communicate effectively with technical teams, understand evolving security risks and data protection technology, and also be able to articulate complex security matters and solutions to non-technical executives and board members.

For CISOs starting at a new organization that has unknown data governance and security systems, the first 90 days can be challenging to say the least.

In this article, we’ll look at:

• The roles and responsibilities of today’s CISOs.
• Emerging trends and challenges to be aware of.
• A CISO action plan for the first 90 days.
• How Varonis can help CISOs get up to speed faster.

By the end of this blog, you’ll have a solid 90-day plan to step into a new CISO role and get up to speed faster.

Role and responsibilities of today’s CISOs

While no two CISO jobs are the same, an expansive and varied workload is common for CISOs, and they typically fit into a board-level advisory role. 

To succeed in this position, CISOs need a solid business understanding as well as a good handle on the technical aspects of the job, wrapped up with the ability to communicate clearly to both technical and non-technical team members and stakeholders.

Typical responsibilities of a CISO include:

Building resiliency and advocating for security initiatives.

CISOs will develop or update an organization’s  infosec policies, guidelines, and procedures, and align their cybersecurity goals with business objectives. 

This means they need to be a leader for their security team and be able to articulate technical problems and solutions clearly to non-technical stakeholders. This might include helping the board understand any potential security issues that might arise from implementing new hardware or software, or from acquiring another business.

They should also be advocates for new technology and security initiatives. CISOs need the ability to quantify which security risks are real and how much money should be spent on combating threats to ensure the organization can reduce the risk of sophisticated malware breaches and internal theft.

Data security management.

Once initiatives are approved, CISOs make sure everything runs smoothly, including planning, purchasing, and rolling out new technology and ensuring the IT infrastructure keeps best practices in mind at every step.

They’ll also need to be a step ahead of any future security issues by ensuring updates and patches are applied, putting access controls in place for sensitive data, investigating breaches if they happen, and taking action if they discover internal bad actors are to blame.

Compliance

CISOs help their organization maintain the necessary compliance standards for their industry. They need to understand any new or upcoming regulations that affect the company (e.g. SOX, HIPAA, GDPR, and GLBA) so they can ensure compliance protocols are met.

Security operations

A good CISO needs to stay up to speed with the evolving landscape of external and internal threats. They should be able to manage and optimize the security stack and put systems in place that give them a real-time analysis of immediate threats, plus the ability to reduce the blast radius if something goes wrong.

Virtual CISOs

With the rise of remote work and global hiring, virtual CISOs (vCISOs) now exist to fill the gaps for small to medium businesses who can’t afford (or don’t need) a full-time CISO. 

Making a virtual hire can also be appealing to companies who need a CISO for specific things, such as helping them meet compliance standards. vCISOs can help drastically reduce the hiring, onboarding, and admin costs of a traditional CISO employee.

A vCISO is a skilled professional and should offer the same level of guidance and expertise as an in-house CISO. They’ll be able to develop security policies and standards, create and implement programs, evaluate your network infrastructure, and conduct risk assessments that can help you pinpoint areas for improvement. 

Challenges faced by new CISOs 

Over the last 10 years, the role of the CISO has become pretty complex, and this has become even more pronounced since the onset of COVID. 

From a relatively straightforward office job that involved protecting devices and files where data is stored, CISOs today have to do a lot of heavy lifting due to the world of remote work and the progressive shift of data into the cloud.

Employees and applications now need to be connected to each other 24/7, around the world. Not to mention the abundance of third-party applications that require access to your sensitive data and often don’t get the security team's seal of approval prior to activating. This means dealing with new threat vectors and additional gaps that can be exploited for fraud and theft, such as employees working from unsafe locations and wifi networks.

Spare a thought for CISOs who have ended up with tons of extra tasks and risk management problems from remote work.

On the flip side, with advanced technology such as Data Security Posture Management (DSPM) platforms, CISOs can easily locate and tag more sensitive data, apply access permissions, and track usage and movement. This means they can quantify risks and analyze what went wrong in the event of a breach so they can prevent future attacks.

For organizations that rely on endpoint and perimeter solutions for security, CISOs can bear the brunt of any attacks by the latest developments in ransomware, such as threats that seek to monetize their malicious access. 

These breaches can result in your data being held for ransom and locked down until payment is made. Payment demands are often made with crypto as the currency, which makes it hard to track, and almost impossible to recover once a payment is sent.

From a team perspective, the role of CISO is a disabler, not an enabler—so new CISOs need to develop a thick skin early on. 

They’ll need to build out a team of SecOps, GRC, and Sec Architects, and ensure that everyone is productive whether they’re on-site or working from home. Plus, they’ll need to ensure that security initiatives put in place are understood and adhered to by everyone – from the CEO to the R&D teams and non-technical board members.

The challenges faced by a new CISO can also manifest in other ways, like stress from a lack of resources and technology available to help them succeed in their role. A single, centralized platform can positively impact their work, reduce the risk of mistakes, and improve stress levels.

Why the first 90 days are critical for a new CISO

It’s a CISOs responsibility to establish a solid security foundation as rapidly as possible, and there are many mistakes that can be made along the way. This is why the first 90 days are the most important for new CISOs.

Some of the biggest hurdles they face include:

• Understanding security vulnerabilities: You can’t fix a problem you can’t see or understand. Unfamiliar IT and network infrastructures, paired with thousands of employees and various cloud applications, pose an unknown set of risks that a CISO needs to assess before they can address and prioritize them. Every second that a security gap exists poses a threat to the entire organization.
• Communication and coordination: CISOs need to manage and coordinate with a wide range of people, from their own security team to wider teams and upwards to the C-suite, stakeholders, investors, and partners. They need exceptional communication and persuasive skills to present problems and solutions that align with business goals—often to non-technical people.
• Getting buy-in for security initiatives: If fixing security risks requires new technology, CISOs need the necessary funding to implement this at speed. Getting the buy-in and budget to make these changes can be difficult, requiring CISOs to strongly advocate for the importance of security, then develop and fund a strategy that can be quickly approved, implemented, and adopted across the organization.
• Reducing costs: - CISOs might step into a new role where the organization is cutting costs. This could mean operating with less budget, smaller teams, and limited technology resources. By consolidating tools (e.g. moving from multiple interconnected tools to one platform that can do it all) and improving workflows, CISOs can help reduce ongoing costs while ensuring that security measures are still meeting best practices.

Without a clear pathway to success in the early months, CISOs can lose confidence in their ability as change agents and put their entire organization at risk of data theft and financial loss. No pressure! 

Here’s our recommended roadmap for CISOs in the first 90 days of a new role.

CISOs’ action plan for the first 90 days

Having an action plan in place for the early days can help CISOs prioritize the steps they need to take, based on what they learn about an organization's existing systems and data. This means they can reduce the feeling of overwhelm and work strategically toward business goals.

Implement measures to ensure data is protected

For a new CISO, it can be challenging trying to locate and classify all the sensitive data across an organization, not to mention ensuring that it’s also safe from a variety of threats. 

Data protection technology is often focused on perimeters and endpoints, giving internal bad actors the perfect opportunity to slip through any security gaps in files, folders, and devices. For large organizations, it’s practically impossible to audit data activity at scale without a robust DSPM.

Varonis offers a free, customized Data Risk Assessment that causes zero disruption to your IT environment, and can help new CISOs quickly:

• Pinpoint vulnerabilities.
• Simplify compliance.
• Prioritize risks and act on them according to business requirements.

Get started with our world-famous data risk assessment.

Book your free assessment

By implementing a DSPM tool like Varonis, CISOs can automatically build a baseline, or “peace-time profile” over hours, days, and weeks for every user and device in your organization, enabling them to:

• Easily spot unusual behavior in the cloud or on-prem.
• See what kinds of accounts exist and who they belong to.
• Understand who uses which devices and accesses certain data.
• Monitor when users are active and where they are located.

Develop a system to detect and respond promptly to any potential breaches.

Most security solutions can only fix breaches after they’ve happened, not before or during a threat event. In many cases, affected data can’t be restored—so an “after the fact” solution isn’t enough.

Unlike other tools, Varonis focuses on data and insider threats, allowing CISOs to secure files, folders, drives, and permissions far beyond the abilities of simple backup or perimeter solutions. This includes insider risk-management tools and automatic detection at any sign of compromise.

Alongside automated threat detection and mitigation, Varonis also offers a dedicated incident response team who can help with:

• Proactive alert monitoring and threat investigation.
• Customized threat model development.
• Automated response configurations.
• Regular updates to review security findings.

Ensure there are robust security measures in place.

Organizations create and send a stunning amount of data every day across their cloud and internal networks. As cloud service adoption increases, CISOs need to know where the risks are at every touchpoint so they can prioritize each risk and put the necessary security in place.

This includes thinking about factors such as:

• Enhanced monitoring of external and guest users.
• Privileged account monitoring.
• The ability to spot risky configuration changes and deviations from service best practices.
• Stale identity removal.

Establish procedures to demonstrate that data is handled responsibly.

CISOs should establish procedures and reporting that can help them demonstrate to stakeholders and board members that data is being classified and handled appropriately.

They need to prove that:

• Sensitive data is labeled correctly.
• Users can have access granted or revoked as appropriate.
• The data lifecycle is being managed.
• Unauthorized or suspicious activity is flagged and dealt with at speed.

Reports should be able to be generated as needed to provide updates to stakeholders, and enable their organization to make smarter, faster decisions about their data security.

Maximize the value of the tools and technology. 

Having best-in-class tools and technology won’t make any difference to your security unless there’s widespread adoption and usage.

Varonis offers powerful data security solutions within a single, user-friendly platform, which ensures optimal adoption with little to no learning curve. 

We also ensure that Varonis tools are customized to fit your specific needs, and we provide ongoing training and optimization sessions if needed, plus vast resources, including whitepapers, videos, research, and webinars—so you get the best possible value out of your DSPM solution.

Read more: 

• How Punahou School Protects Student Data On-Premises and in Google Drive With Varonis

• How Varonis Helps a U.S. Cultural Institution Protect Against Cyber Attacks 

• The Exact Data Security Roadmap We’ve Used With 7,000+ CISOs

How Varonis can help CISOs get up to speed faster.

CISOs often walk into a new role inheriting data security and compliance systems that don’t meet best practices, and aren’t able to cope with the significant amount of data being created and stored across an organization. It can be a minefield to ensure that all pieces of sensitive data are accounted for.

By implementing a roadmap like the one we’ve mentioned above, and using a tool like Varonis, CISOs can cut down on the manual work needed to reach the necessary compliance and security standards, and do so at a significantly faster and more cost-efficient rate than bringing in third parties to help with this task.

Varonis helps CISOs quickly understand their organization’s on-prem or cloud data landscape, so they can feel confident about where sensitive data lives, who has access, and who has been accessing data at any given time. 

Our technology gives CISOs complete visibility into what employees are doing, the data they create, and how they access and share data across the IT infrastructure. Our team will send you an alert and take action to lock down the potentially affected data if a breach is detected. 

With Varonis, CISOs can confidently communicate to board members and stakeholders about the state of critical data at any given time, bringing them peace of mind in their role.

As a part of our Data-First Forum series, we invite CISOs from various industries to share their invaluable insights on cybersecurity. In the episode below, Mark Walmsley, CISO of Freshfields, Tim Callahan, CISO of Aflac, and Mark Fitzgerald, former CISO at Investors Bank, shared the steps they took to become CISOs, the biggest challenges they face, and what they think it takes to become a successful cybersecurity leader.