For a security leader, the first three months on the job are a honeymoon period that can pass by in a blur. A new CISO can be overwhelmed by numerous initiatives, handovers and other demands for time. It becomes important to remember that a key objective in the first three months should be to focus on establishing credibility that can be leveraged for the rest of the tenure, says Tom Scholtz, research vice president at analyst firm Gartner.
"You need to do three key things," he says in an interview with Information Security Media Group. "The first is to establish and maintain relationships with key stakeholders and key influencers. The second is to articulate and communicate where you want to take the security program. The third is to identify five projects you want to look at in the next 12 months. Of those, pick two key projects that you will either be able to complete or show meaningful progress in the first three months."
The CISO has to wear many hats today, and communication is an important skill. So it's a good idea for a new CISO to get some communications training, considering the multiple stakeholders with which a CISO needs to engage, Scholtz says. When it comes to presentations to senior executives, a key tip is to get somebody from the business to act as a sounding board for the first draft, and then channel that feedback into your communication, he adds (see: Articulating Security's Business Value).
Avoid the Blame Game
One of the common mistakes that new CISOs make is blaming their predecessor for things gone wrong. This should be avoided, Scholz says, because it sets a negative tone for the security function. The second common mistake, he says, is trying to do too much. And another big issue is focusing too much on the technical aspects of security, neglecting the people and process aspects. "As a new security leader, keep in mind that effective security is based upon a balance of people, process and technology," Scholz stresses.
In this exclusive audio interview (see audio player link below image), Scholtz shares his views on how security leaders can build the right kind of credibility and vision in their early days on the job. He discusses:
The areas a new leader should focus on; Establishing effective lines of communication; Common mistakes CISOs make in the first three months on the job.As research vice president at Gartner, Scholtz advises clients on security management strategies and trends. He is an authority on information security policy design, security organizational dynamics and security management processes. Scholtz is a regular presenter at European industry events and has more than 20 years of experience in information security and systems management. His background includes extensive technology experience in the utility and banking industries. Scholtz has been with Gartner since 2005 with the acquisition of META Group, where he was an analyst for eight years. Before META Group, he served in various IT architecture and operations roles for a number of South African companies.