
A CISO’s First 90 Days: The Ultimate Action Plan and Advice

By Maheswaran Shamugasundaram

Many organizations seek a Chief Information Security Officer (CISO) who possesses a mix of technical proficiency and leadership abilities. While this is no longer a purely technical role, CISOs need to be able to communicate effectively with technical teams, understand evolving security risks and data protection technology, and also be able to articulate complex security matters and solutions to non-technical executives and board members.

For CISOs starting at a new organization that has unknown data governance and security systems, the first 90 days can be challenging to say the least.

Challenges faced by new CISOs

Over the last 10 years, the role of the CISO has become considerably more complex, and this has become even more pronounced since the onset of COVID.

From a relatively straightforward office job that involved protecting devices and files where data is stored, CISOs today have to do a lot of heavy lifting due to the world of remote work and the progressive shift of data into the cloud.

Employees and applications now need to be connected to each other 24/7, around the world. Not to mention the abundance of third-party applications that require access to your sensitive data and often don’t get the security team’s seal of approval before they are activated. This means dealing with new threat vectors and additional gaps that can be exploited for fraud and theft, such as employees working from unsafe locations and Wi-Fi networks.

Spare a thought for CISOs who have ended up with tons of extra tasks and risk management problems from remote work.

On the flip side, with advanced technology such as Data Security Posture Management (DSPM) platforms, CISOs can easily locate and tag more sensitive data, apply access permissions, and track usage and movement. This means they can quantify risks and analyze what went wrong in the event of a breach so they can prevent future attacks.

For organizations that rely on endpoint and perimeter solutions for security, CISOs can bear the brunt of the latest developments in ransomware, such as attacks that seek to monetize their malicious access.

These breaches can result in your data being held for ransom and locked down until payment is made. Payment demands are often made with crypto as the currency, which makes it hard to track, and almost impossible to recover once a payment is sent.

From a team perspective, the role of CISO is a disabler, not an enabler—so new CISOs need to develop a thick skin early on.

They’ll need to build out a team of SecOps, GRC, and Sec Architects, and ensure that everyone is productive whether they’re on-site or working from home. Plus, they’ll need to ensure that security initiatives put in place are understood and adhered to by everyone – from the CEO to the R&D teams and non-technical board members.

The challenges faced by a new CISO can also manifest in other ways, like stress from a lack of resources and technology available to help them succeed in their role. A single, centralized platform can positively impact their work, reduce the risk of mistakes, and improve stress levels.

Why the first 90 days are critical for a new CISO

It’s a CISO’s responsibility to establish a solid security foundation as rapidly as possible, and there are many mistakes that can be made along the way. This is why the first 90 days are the most important for new CISOs.

Without a clear pathway to success in the early months, CISOs can lose confidence in their ability as change agents and put their entire organization at risk of data theft and financial loss. No pressure!

Here’s our recommended roadmap for CISOs in the first 90 days of a new role.

CISOs’ action plan for the first 90 days

Having an action plan in place for the early days can help CISOs prioritize the steps they need to take, based on what they learn about an organization’s existing systems and data. This means they can reduce the feeling of overwhelm and work strategically toward business goals.

Implement measures to ensure data is protected.

For a new CISO, it can be challenging trying to locate and classify all the sensitive data across an organization, not to mention ensuring that it’s also safe from a variety of threats.

Data protection technology is often focused on perimeters and endpoints, giving internal bad actors the perfect opportunity to slip through any security gaps in files, folders, and devices. For large organizations, it’s practically impossible to audit data activity at scale without a robust DSPM.

It is important to have a customized Data Risk Assessment that causes zero disruption to your IT environment, and can help new CISOs quickly:

  • Pinpoint vulnerabilities.
  • Simplify compliance.
  • Prioritize risks and act on them according to business requirements.

By implementing a DSPM tool, CISOs can automatically build a baseline, or “peace-time profile”, over hours, days, and weeks for every user and device in the organization, enabling them to:

  • Easily spot unusual behavior in the cloud or on-prem.
  • See what kinds of accounts exist and who they belong to.
  • Understand who uses which devices and accesses certain data.
  • Monitor when users are active and where they are located.

Develop a system to detect and respond promptly to any potential breaches.

Most security solutions can only fix breaches after they’ve happened, not before or during a threat event. In many cases, affected data can’t be restored—so an “after the fact” solution isn’t enough.

Focusing on data and insider threats allows CISOs to secure files, folders, drives, and permissions far beyond the abilities of simple backup or perimeter solutions. This includes insider risk-management tools and automatic detection at any sign of compromise.

Alongside automated threat detection and mitigation, organizations should have a dedicated incident response team who can help with:

  • Proactive alert monitoring and threat investigation.
  • Customized threat model development.
  • Automated response configurations.
  • Regular updates to review security findings.

Ensure there are robust security measures in place.

Organizations create and send a stunning amount of data every day across their cloud and internal networks. As cloud service adoption increases, CISOs need to know where the risks are at every touchpoint so they can prioritize each risk and put the necessary security in place.

This includes thinking about factors such as:

  • Enhanced monitoring of external and guest users.
  • Privileged account monitoring.
  • The ability to spot risky configuration changes and deviations from service best practices.
  • Stale identity removal.
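To make the “peace-time profile” idea above concrete, and the stale identity removal item in this list, here is an added illustration (not code from the article or from any DSPM product). It builds a per-user baseline of devices, locations and active hours from constructed sample access events, flags a new event that deviates from that baseline, and lists accounts with no activity for a configurable idle period; the one-hour tolerance and 30-day idle threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (user, device, location, ISO timestamp); not real log data.
BASELINE_EVENTS = [
    ("alice", "lt-01", "Chennai", "2024-03-04T09:15:00"),
    ("alice", "lt-01", "Chennai", "2024-03-05T10:02:00"),
    ("alice", "lt-01", "Chennai", "2024-03-06T14:30:00"),
    ("bob", "lt-02", "Mumbai", "2024-03-04T08:45:00"),
    ("bob", "lt-02", "Mumbai", "2024-03-06T17:10:00"),
    ("carol", "lt-03", "Pune", "2024-01-15T11:00:00"),  # no recent activity
]

def parse(ts):
    return datetime.fromisoformat(ts)

def build_baseline(events):
    """Peace-time profile per user: devices, locations, active hours, last seen."""
    profile = defaultdict(lambda: {"devices": set(), "locations": set(),
                                   "hours": set(), "last_seen": None})
    for user, device, loc, ts in events:
        p, t = profile[user], parse(ts)
        p["devices"].add(device)
        p["locations"].add(loc)
        p["hours"].add(t.hour)
        if p["last_seen"] is None or t > p["last_seen"]:
            p["last_seen"] = t
    return dict(profile)

def find_anomalies(profile, event):
    """List the ways one new event deviates from that user's baseline."""
    user, device, loc, ts = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    hour = parse(ts).hour
    reasons = []
    if device not in p["devices"]:
        reasons.append("new device")
    if loc not in p["locations"]:
        reasons.append("new location")
    # Hour distance wraps around midnight so 23:00 counts as near 00:00.
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in p["hours"]):
        reasons.append("unusual hour")
    return reasons

def stale_identities(profile, now, max_idle_days=30):
    """Accounts with no activity in max_idle_days: candidates for removal."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, p in profile.items() if p["last_seen"] < cutoff)
```

A real deployment would keep the profile as a rolling window and weight hours by frequency rather than treating every observed hour as equally normal.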

Establish procedures to demonstrate that data is handled responsibly.

CISOs should establish procedures and reporting that can help them demonstrate to stakeholders and board members that data is being classified and handled appropriately.

They need to prove that:

  • Sensitive data is labeled correctly.
  • Users can have access granted or revoked as appropriate.
  • The data lifecycle is being managed.
  • Unauthorized or suspicious activity is flagged and dealt with at speed.

It should be possible to generate reports as needed to provide updates to stakeholders and enable the organization to make smarter, faster decisions about its data security.

Maximize the value of the tools and technology.

Having best-in-class tools and technology won’t make any difference to your security unless there’s widespread adoption and usage.

It is imperative to adopt powerful data security solutions within a single, user-friendly platform that ensures optimal adoption with little to no learning curve.


(The author is Maheswaran Shamugasundaram, Country Manager – India, Varonis, and the views expressed in this article are his own)
