New CISO – Your first 100 Days

The average tenure of a CISO is just 26 months, due to high stress and burnout, according to a recent ZDNet report by Catalin Cimpanu that summarises the results of a survey undertaken by Nominet.

Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress: 88% of CISOs reported being “moderately or tremendously stressed”.

Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing and online scams makes establishing a cyber-security department an unavoidable decision for any company. However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.

CISO jobs come with low budgets, long working hours, a lack of power on executive boards and a diminishing pool of trained professionals to hire from. They also bring the constant stress of not having done enough to secure the company’s infrastructure against cyber-attacks, continuous pressure from newly arising threats, little thanks for the good work done, and all the blame if anything goes wrong.

The typical responsibilities of a CISO post are clearly burdensome. They include:

  • Protect Business Assets
  • Manage Business Risk
  • Ensure Efficient Spending & Return on Investment
  • Deliver Security Services & Controls
  • Develop & Deliver Reporting
  • Comply with Regulation, Standards & Policies
  • Attract, Engage & Retain Expertise
  • Strategy, Planning & Horizon Scanning

Setting expectations and starting to execute a reasoned approach are vital actions in the first 100 days. This article gives an example of such an approach: BASIL’s way, the Basic Approach to Security Incident Limitation!

[1] Discover the Enterprise’s Data Crown Jewels

[2] Determine who accesses them and how

[3] Redesign the IT Architecture to better protect the Data Crown Jewels

[4] Present a plan for the changes necessary

[5] Set performance goals so that the CISO role and the Enterprise’s risk can be assessed

[6] Repeat after 18 months!

Executing this approach is still difficult, but it is logical and will hopefully relieve some of the stress. Basil Philipsz would be pleased to provide a document that gives a more detailed guide to delivering this approach.