The 5-Step Framework For CISOs Starting in a New Company (If you want to stay longer than 6-12 months)

To start with, here's some background about me and why I consider myself to be in a position to suggest these steps. And as a word of warning, I will do it the "CISO" way, no "background sales noise" but straight forward and to the point:

1. I've been working in IT for over 15 years, 8 of them in Cyber.
2. I've created successful companies and products for both IT and Cyber
3. I've acted as a vCISO, Cyber Consultant, and auditor for over 50 organizations globally. From Micro to Enterprise (From 5 employees to Global Banks) business.
4. I'm the co-founder and creator of Boardish which is a specific CISO "Risk To Financial figures" tool to help the connection between the CISO and Board.
5. I listen a lot to David Spark and other amazing professionals in the industry who know their stuff. I don't think the CISO world starts and ends with me! :)

Why does all this matter?

As a vCISO and a consultant I usually need to achieve results very quickly, even in some cases within a month. So I built a methodology to "speed things up" - it's either you sink or swim in our profession, so these are my 5 recommended steps:

Step 1: Get / Request / Demand ! Clear expectations regarding "Why you are there"

Most of the CISO's I met tell me that one of the hardest things they encounter is the "lack of clarity" about their role and the expectations from the business.

As a result, it makes authority unclear and it difficult to make any actionable changes. That's one of the reasons (in my experience) why CISO roles have such a high staff turnover rate.

I suggest that the first step is having a meeting with the C-SUITE and asking them VERY clearly "What are you expecting from me + what are my goals from the perspective of the business"

I have encountered the following scenarios to "why we need a CISO", I am sure you have encountered MANY others:

1. Make the company more secure after a breach (usually the most common one for CISO's)
2. Protect the company against regulation and compliance fines
3. We "Need" a CISO "in place" DUE to regulation and compliance - This is often the hardest for a CISO because it doesn't mean "Anything" regarding goals. You then have to set your own criteria and clarify.
4. ?To make a product/software (sometimes its the Product and not the company) more secure ( usually software companies ).

In each scenario, you need to make sure that your success criteria are crystal clear, for example :

1. Reducing the risk of a Data breach by 50%
2. Increase our overall security posture by 30%
3. Reduce our recovery time from a cyber incident by 30%

YES - they are hard to quantify but this is part of our job and I will discuss it in the next steps.

In many cases, you will need to set your own performance criteria because your C-SUITE / Board won't have any for your role, I always like to use the "For every year we kept the company safe without a major incident I get 10 "Victory Points" and for each major incident minus 30 "Breach points" gamification.

This approach shows decision-makers the "long game" and makes them appreciate every year without a breach, and YES - you need to reach that 3 years mark to be relatively "safe".

Ultimately, if you don't quantify - you leave yourself vulnerable as a scapegoat. "The CISO got fired after a single phishing incident" rather than, our CISO has kept our organization incident-free for over 8 years so they are too valuable to get rid of.

Step 2: Get to know all the other risk owners and gain visibility to what they do and how it impacts the business, AKA "Know thy business"

Usually, Step 1 or Step 2 is Risk Assessment, BUT - how can we assess something we do not understand yet?

We need to understand what function or several functions really drive the business, which functions are the main catalyst, is it R&D or Sales or is it Marketing?

You need the see the entire company FLOW, and you may be surprised but the flow will look a bit different depending on whom you ask.

It's our Job to "attach" all the different pieces or perspectives into one and then link it with the "expectations" section of " part 1"

This step will also allow you to avoid a common mistake which is not seeing/figuring out who "is really" the department that carries more decision power.

(CISO's - We have all been there: a great plan, great solutions but ... it doesn't meet EXACTLY what department X wants and so the CEO dismisses it... don't go there ... )

If you are awoken at 2 AM at night and asked" which is the department that you need to "sell" first to get all the rest inline" - you need to be able to answer without thinking - that's true visibility in the flow of the company.

Step 3: Build a Risk Assessment plan + Attach an OWNER TO EACH RISK

I won't go deep in the micro of "how to do a risk assessment plan" but here are several important tips:

1. Get as many people from different departments, power users, or ambassadors and involve them in the process! In most cases they can see risk in places which you still cant (because you are new to the organization).
2. Use tools - there are some great CISO tools for Risk Assessments which use all the relevant frameworks like NIST, FAIR, and more. USE TECHNOLOGY to streamline the process, I am still a bit confused when I see CISO's using "Excel", we are "the Tech Gods!" - the ambassadors of "making tech more efficient for the process" - lead by example and save yourself time and errors.
3. When assigning risk scores - make sure that most ( it's not usually all ) of the people involved will agree, or at least won't argue against your assessment. If you value something as low risk and most of the participants consider it to be high risk, you need to do the deeper due diligence. I usually use Risk Assessment on Risk Assessment, if the Risk is not certain - this is a risk by itself so I "increase it up a level".
4. Risk Ownership - Each risk NEEDS to have an owner. In some cases, it's more obvious like with a DPO or CCO, in other cases you as the CISO will be the risk owner. But something to be aware of is that in my experience other departments will try to "reduce" / "Manipulate" the risk. e.g. "Protecting the website from SQL Injections is not really the Marketing / Sales departments' issue even though 100% of sales are done via the site" You need to be very assertive in nominating Risk Owners if the people nominated don't agree with your nomination - then Risk can be transferred.

(I'll discuss this in the next steps. Hint: it's either you have skin in the game or you don't have a say regarding the Budget! )

Step 4: Build a mitigation plan and Quantify it to actual financial numbers! -

What is the point of a risk assessment plan if you don't have a plan to mitigate those risk? In order to mitigate those risks you need MONEY and resources! (People / Tools / Both )

1. Quantify the Threats! - Translate / Convert / Quantify the Threat from "Risk Scores" to the financial impact. In the above example: SQL Injection is a High probability and High Impact? - Great but what does it really say to the other department heads and C-SUITE? Not a lot. Instead, saying, for example, an SQL Injection has a Threat impact of $50.5 Million on your organization, suddenly they will listen.
2. Quantify the Solution - How much it will cost? Both the one time purchases, maintenance, human resources required - everything ... a proper "total cost".
3. Show in MONEY what is the remaining exposure if your proposed plan is implemented.
4. Show decision-makers your Risk Assessment plan and your mitigation plan - combined, don't waste their time on Risk Scores - come with decision-making information and plans

I created a tool to do EXACTLY this - www.boardish.io ( last promotion in the article I promise )

Step 5: Negotiate Risk Owner VS the budget for your Mitigation plan

Remember step 1? - you are usually put in the organization to make it more secure, and making it more secure costs money.

Some departments / C-Suites / Boards will push back and say "it's too much, we are not responsible for this, it needs to come from IT and not from our department and so on"

Yes you need to be cost-efficient but you also need to be very strict with your professional assessment, for example:

1. You need $250K to fix the biggest issue which is "Data Breach" for the specific company.
2. Your Board / decision-makers say "No" (it's too expensive or any other reason)
3. You say "Ok " - BUT - when you've said "No" you become the owner of that Risk and not me the CISO. So when a data breach will occur its crystal clear that I planned how to mitigate it (you brought me in to do exactly this ) and you said no. You can't force them to say yes to your proposal, but you can be very clear on risk ownership and that 'no' means they own the risk now.

I already hear you saying "BUT - Eli you are not being realistic - they don't listen to us ... and many more excuses."

Yes - Being a CISO is a VERY HARD JOB, you need to be both professional and to have highly evolved people skills to be able to cope with big changes. A CISO is a much more managerial role than "techy" in my view.

But remember that if you "cave" and accept a "No" and you own the risk - it's just a matter of time that this risk will happen (Data Breach) and you will be at fault. It's your risk and you did not fight hard enough to get your budget approved.

CISO's are in new waters, Deep waters, waters with different tides, and the occasional tsunami, so it's time to sink or swim!

Eli Migdal