Many of the management tips we will be building up in this series could apply to any executive taking up a senior job in a new organisation. But the role of the CISO is particularly sensitive in many aspects and has its own dynamics. It is often poorly understood by management and still seen by some as a necessary evil, or as an imposition by auditors or regulators. Even where threats are understood and the need to protect the firm against cybercrime is on the Board’s agenda, what the role exactly entails is not always clear for all stakeholders (as may be the case for a CFO or Head of HR position). So the need to effectively engage all parties from the start is key for the new CISO.
The Month Before
Your first week in the new job starts a long time before you arrive. You’ll need to understand the true nature of the new business you’re getting into, its culture, its geographical footprint, and all the aspects that will help you “hit the ground running”.
It should involve true and solid homework, but more importantly, you must try to network with ex-colleagues and contacts who work or have worked there and get as much insider information as you can.
Expect the first few months to be hard work: Not all firms are well managed, and you cannot expect security to be well managed in a firm that isn’t. Likewise, you cannot expect good security governance where corporate governance is poor. You might have been hired to “sort security out”. Do not expect this to be easy.
6 Days (the first week): The Firm and its People: Positioning the Challenge
You need to have a clear understanding of your reporting line and meet with your direct boss face to face (NOT REMOTELY) straight away. Personal interactions are key in senior roles and you’ll have to develop a direct and strong relationship and personal bond with your line management. Those things are rarely built up over conference calls.
In large firms where you may have to contend with a matrix organisation and a functional manager, you need to meet with them too and understand how the matrix model really works. You’ll need to gauge the relative strength of each direction of the matrix, and whether they complement or antagonise each other. If your functional boss is not based where you are, you should at least speak to them during your first week, then immediately schedule a trip to visit them.
You must hear from your management directly in their own words what the true dominant challenge of your role is: Build a security practice? Rebuild it? Run it? Optimise it? Transfer it to another part of the organisation? What happened to the person previously occupying your role? What amount of legacy do you have to deal with and what is the perception your management has of it?
Those first meetings must be clear, open, and unencumbered on all sides. Crucially, they must happen straight away.
You should schedule periodic meetings with your management at the same time. A monthly frequency is probably best to start with. It will give you an immediate target to work against (i.e. your next meeting with them). Those meetings do not need a fixed agenda to start with, as it is obvious that you will be in a discovery and planning phase for a while.
Of course, you will have been told all sorts of things throughout your hiring process, and you will have gathered your own “intelligence” about your new organisation as part of your own preparation phase, but now you will start to see it from the inside: You will need to assess the politics and the rules of internal power, understand your boss’s reporting line, the overall structure of the team you are a part of and the key players around you, as well as the current structure of your own team (if you have one).
If you have a team structured under you, you should, of course, meet with all your team members in due course (size permitting), starting immediately with your own direct reports. You should meet face to face with all those who are based where you are, and speak to all the others. More than mere introductory opportunities, those meetings are the ideal vehicle to gauge personalities and hear grievances. It obviously goes both ways and your staff will forge their “first impression” of you through those meetings. Don’t talk too much. Simply ask them what they expect from you and listen to them.
There will be a fine line not to cross, as you must not give them the sense that you are committing to fix all their problems (which may or may not be well founded, and you’re unlikely to have all the facts to be the judge of that). Expect that politics may be played and that some may try to test you. Worry not: You will get a lot more of that in the weeks to come…
During this first week, you also need to identify the budget you have (if any) and how it is managed. You should meet with your departmental Finance team and understand straight away where you stand with regard to the current and next budget cycles: How much was your department allocated in the last budget? How much has been consumed? What are the rules to authorise spending? What is your signing limit (if any)? When does the next budgetary cycle start and when are the next budgetary submissions due?
Without autonomous resources, you’ll be dependent on others. This is a key aspect to address upfront.
That’s quite a lot to cram into a few days, but should you achieve it, you’ll be off to a good start.
The key things to worry about in the first week (which should raise a red flag because they concern the real profile of your new role and management priorities):
- Your direct boss hasn’t got time to meet with you.
- You are not allowed to schedule travel to meet your functional boss on the grounds of cost.
- You haven’t got a proper budget or cannot identify the right Finance team to talk to.
The things NOT to worry about in the first week (which are just management opportunities for you to address):
- Your direct boss cannot clearly articulate his priorities with regard to your role.
- Your functional boss is OK to meet you but didn’t know you had been hired.
- Your own direct reports do not open up and you do not learn much from meeting them.
The Business Transformation Network has posted this article in partnership with Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and IoD Director websites. He was listed in the top 10 of the UK’s 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.