New CISOs: how to achieve success in your first 100 days

Gartner has developed a roadmap for CISOs to help them succeed in their new role. The first 100 days in the chief information security officer (CISO) role are an opportunity to establish credibility and elevate the security organisation’s internal brand. The first 100 days, described by Gartner as a “short ‘honeymoon’ period”, allows CISOs to define their role, develop a strategy, build professional relationships, secure leadership support, establish trust with the new team and signal their leadership style.

William Candrick, Director Analyst, Gartner, said that those who approach the role with a strong, strategic plan for the first 100 days are likely to be successful, adding that this is especially true if the enterprise needs a major overhaul to cyber risk governance or better security program maturity. The CISO role is increasingly critical and often costly for organisations to hire for — which means CISOs must prove their worth quickly.

A successful CISO is primarily a leader, a manager and a communicator, not a technologist. Early success depends on the CISO’s ability to establish a personal brand of credibility and leadership, and lay the foundation for a defensible security program. Gartner has categorised the CISO’s first 100 days into five phases, each with critical target outcomes, actions and ideas to consider.

Prepare (before Day One)

Gartner advises CISOs not to wait until their first day to get started; before beginning, CISOs should seek to understand their enterprise and identify key stakeholders. Connect with them on LinkedIn and prepare a succinct biography, questions and talking points before the initial round of meet-and-greets. The first phase focuses on listening and learning, not decision-making. Avoid making sweeping announcements or decisions in the first few weeks in the CISO role. The objective is to develop a common understanding of the role, a set of expectations of stakeholders, and a basic engagement plan to meet with leadership and staff.

Assess (Weeks 1–4)

The second phase, Assess, involves understanding the current maturity and performance of the security function. CISOs should decide what’s working and what isn’t, and what to prioritise for the first three to six months. Gartner also recommends seeking out an executive mentor who can provide insight into the culture of the enterprise. CISOs are advised to confirm the resources available to them — including funding, headcount and technology. Then, use formal maturity assessments, team conversations and stakeholder engagement to surface gaps in the security program. CISOs should also use this time to create a prioritised list of three to five strategic priorities that address those gaps.

Plan (Weeks 3–6)

This is when CISOs turn what they’ve learned into a blueprint for action. CISOs should share their security program vision with their team, line managers and business stakeholders. In this phase, CISOs can design and refine their new security organisation. By the end of this phase, CISOs should have a documented security strategic plan that prioritises two or three security initiatives for their first 100 days, and a loose roadmap for their first year. They could also have a security budget that ensures sufficient resources to achieve priorities. If resources are lacking, then the strategic plan should be adjusted accordingly to make it achievable.

Act (Weeks 5–12)

This is when CISOs have the first opportunity to deliver visible results. Actions in the first 100 days should focus on tangible accomplishments that establish personal credibility and improve security’s standing in the enterprise. Gartner explains that initial success secures more buy-in, which supports more success — thus creating a cycle of improvement and achievement for CISOs and their team.

Measure (Weeks 11–14)

In the final phase, CISOs should start providing evidence of their impact, and define a portfolio of security metrics and develop an executive reporting process so that others know what to expect of them. Gartner advises highlighting early wins and challenges as they emerge; measurement and communication are hallmarks of a successful CISO, and CISOs should therefore dedicate more time to them throughout their tenure.

Image credit: ©stock.adobe.com/au/chinnarach