There is a management reality beyond the "100 days" journalistic cliché: How does an incoming executive make an impact in a new role? What are the real timeframes to look at? What can be expected, and over what horizon? Which issues should raise a red flag during the first few months in a new senior position, and which can safely be ignored? Those are the themes we will be exploring in this new series around the specific role of the CISO.
The Person, the Role and the Culture of the Firm
It is alas necessary to start this series with a long list of caveats and questions: Every person is different, every organisation is different and to a large extent, every CISO role is also different.
Although we will be identifying common trends in the coming articles (looking in turn at the first 6 days, 6 weeks and 6 months of the incoming CISO), readers must understand them and place them in their own personal context and in the specific context of their organisation. In particular, firms vary widely in their level of maturity when it comes to security management, and that heterogeneity must be acknowledged.
The following guiding questions are key for each reader to relate the series to their personal frame of mind:
- Is this your first CISO job? What were you doing before? Are you coming into this from an IT background or not?
- Is this your second CISO job? What happened in the first one? Why did you leave? How long did you stay?
- Is this your third CISO job (or more)? (then why are you reading this?)
- Is this an internal move? Upwards? Sideways? Or are you joining a new firm?
- What are your expectations for the new job? Was it a real positive decision to move into Security? Or just a holding pattern waiting for better things to emerge? Was the decision made for you? (were you pushed into this? did you have a choice?) Was it a political calculation? (“Security people don’t get sacked”)
- What motivates you? Building teams? Managing people? Doing stuff?
- What are your timeframes with regard to the new position? How long do you see yourself staying in the job? What would be your next job after this one? Is your career something you care about and actively build, or do you take a more passive approach to career-building?
The above is not just an endless HR checklist, but the real context in which each reader should place this series.
The CISO role is not just another senior management role: It can be an extremely complex and transversal position, where you may be expected to articulate security concepts from the Board down across all layers of the enterprise, juggling between technical and business terms while always remaining credible.
You will have to deal with data breaches one day and compliance problems the next, while battling with cognitive or emotional biases at managerial levels above you and beside you. You may feel exposed or vulnerable.
Your reporting line, the personality of your boss, the skills and structure of the team you inherit – if any – will only be pieces of a much bigger jigsaw. In large firms, you will be immersed in a complex political game across the GRC galaxy, in a context where the “three-lines-of-defence” model is rarely applied in its purest form, and sometimes poorly understood. And there may be international or multi-cultural aspects to contend with as well.
All that plays out in the specific security maturity context of each organisation: a context that will vary from firm to firm and will be the sum, for better or worse, of all your predecessors' actions as well as countless management decisions around the security space spanning the best part of the last 20 years.
Those decisions and attitudes will have created a culture around security that the incoming CISO needs to grasp quickly, because everything they do or say during their first few months will be seen internally through that prism.
Unsurprisingly, listening will be key throughout that phase until all challenges are clearly positioned and the new CISO can start articulating a strategic framework to address those challenges and then a model for its execution.
Those are the topics we will be exploring in the next articles in this series.
The Business Transformation Network has posted this article in partnership with Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and IoD Director websites. He was listed in the top 10 of the UK's 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.