Execute Summary
We propose a set of recommendations based on hard lessons learned and a best practice approach.
1. Organise critical activities and initiatives for the first 100 days of a CISO; deliver final results by the end of 100 days.
2. Increase the chances of success, reduce the risk of failure and provide a platform for a new CISO to thrive in the role.
Based on a study conducted by the Enterprise Strategy Group and the Information Systems Security Association, the absence of coordination between the CISO, the business, the C-suite and the Board of Directors could result in a high turnover rate for the CISO role. Therefore, a new CISO must develop a well-thought-out plan and communicate it consistently to all the key stakeholders.
Below are the key Superp Phases and Recommended initiatives for the 100 days.
STARTUP Days 10 to 15
– Reach a common agreement on the role and scope of the Chief Information Security Officer (CISO).
– Provide a personal management system and access to relevant reports, shared spaces, support systems, tools, and other resources.
– Schedule key stakeholder meetings, invite CISO to existing security-related regular meetings/calls, and establish general lines of communication.
– Establish external associations, such as industry memberships, industry research/best practices, and information-sharing forums, to stay up-to-date with the latest trends and practices in the field.
UNDERSTAND Days 0 to 45
Gather insights on the following:
– The current state of maturity of the organisation
– The security program and its effectiveness
– The deployment of critical controls
– The top risks faced by the organisation
Identify what works well and what doesn’t, and find Centers of Excellence that could be replicated. It is important to align business unit priorities with overall corporate objectives.
Finally, identify any urgent issues that need to be addressed and longer-term strategic issues that require attention.
PRIORITISE Days 15 to 60
– Identified and agreed upon the top five strategic challenges for the next 12 months.
– Planned the operational security budget for the next two months, including an early indication of personnel organisation.
– Agreed upon at least three key issues, also known as “quick wins”, to be resolved within the next two months.
– Confirmed the availability of awareness and education resources both online and offline.
EXECUTE Days 30 to 80
– Get approval for the Information Security Charter, interim strategy and vision, and socialise it with key stakeholders.
– Lead security-related governance forums and committees.
– Deliver cybersecurity education to the business and executive team and take feedback on critical assets.
– Actively progress towards closing out quick wins by prioritizing the top three urgent issues.
RESULTS Days 45 to 100
– An initial status report for executive management
– Includes a maturity assessment, SWOT analysis, and critical control deployment
– Provides evidence of early progress and achievements
– Outlines measurable plans for the next 6 to 12 months
Reference : cyberleadershipinstitute.com