For the newly appointed CIO or CISO, being hit with an unexpected information security disaster is like a bone-crushing punch in the face.
Not only do you have to think on your feet and make decisions confidently and swiftly, but if you are still unfamiliar with the internal environment, you are swimming in dangerous waters: make the wrong call, and risk screwing up some essential service delivery or upsetting customers and shareholders. Each system, security policy, management team, staff policies, and internal procedures – to mention a few – are unique to every firm.
Sure, it’s a scene that we all want to avoid, but it is one you categorically do NOT want to contend with if you are newly appointed to look after information security for the organization.
The problem is that sometimes we trip over our own feet to secure an environment and our good intentions don’t always get noticed by the new organization. Here is a tried and tested method to getting started at in your new information security officer role.
First steps after joining as the CIO or CISO
We have curated a list of expert recommendations to help get to grips with your network quickly and effectively.
LISTEN: What is the perception of IT in the workplace?
As soon as you can, set up one-to-one meetings with a broad cross-section of employees and managers and stakeholders to understand what they expect from IT, who are the influencers, who champions or disses IT policies.
In cases where they have been without strong leadership before your arrival, the team will have a lot of IT issues they will want to communicate. Being that sounding board not only cements you early as someone who listens intently, but you will be able to more accurately piece together the information landscape, as it is perceived by your internal audience.
What to look for:
- IT goals
- IT frustrations
- staffing issues
- familiarity with information security
- budget and resources
- data and system access and availability
VERIFY: Get your own security baseline: strengths AND weaknesses.
Getting an accurate sense of your system’s risk posture is vital. Detailed risk assessments and penetration tests will flag policy shortcomings, vulnerabilities, questionable configurations, poorly protected routes into the network, etc.
It is important to conduct your own tests, unless previous assessments have been completed by an external firm that you know and trust personally. Those previously in charge may have had a different set of criteria or views as it pertained to risk.
Consider this scenario: your systems are superbly defended, but lax configuration options and poor login management means your network is much more vulnerable to an external attack or data leak. This could happen to any system that is not properly or regularly monitored.
Once your assessments are complete, check them against any previously conducted tests to map the changes and spot anomolies.
What to look for:
- external suppliers and contractors
- data collection and processing policy
- information security policy and implementation
- back up policy and implementation
- regulatory requirement oversights
- software licensing
- hardware lifecycles
STAY INFORMED: Regularly read cyber attack and data leaks reports
Sure the headlines will talk about the latest info horror that happened to company X, but as you know, the press tend to focus on the more sensationalist attacks, not the everyday ransomware attacks, password leaks or the importance of educating users, be they management or entry-level staff. Everyone has a role to play in defending the systems.
What to look for:
- information security meet ups and conferences
- peer networking opportunities
- security podcasts and videos
- analyst research
- academic research
- online discussion groups
- technology and security news
Once this information is collated and parsed, you can start thinking strategically. In other words in the next X period of time, your goals are the meet these Y objectives. The best in this type of role balance the actual requirements against the expectations of the stakeholders and users. Basically, try and focus on creating a win-win environment.
For example, image that you decide that all staff will be required to attend cybersecurity training once a year. Not only will this significantly reduce your risk posture, but it is also is a requirement for a number of regulatory bodies.
However, what if one of the problems you identify in the company is that IT is not perceived as approachable, mandating this type of training might not endear the department to the rest of the organization.
Thinking creatively about how to entice, rather than force, engagement might be a solution for you. For example, conduct the training during lunchtime on the first Monday of each month to a cross-section of employees. Providing a free lunch, or the chance to win a few prizes like movie tickets or a dinner voucher, can quickly take the sting out of this type of mandatory event.
Need some expert help?
Do you want some additional guidance? Get in touch. We are here the help.