This is really the time horizon over which the new CISO must start assessing their new position. Once again, many of the management tips we will be building up in this series could apply to any executive taking up a senior job in a new organisation. But the CISO role is often a complex, transversal one; it is easy to get disheartened, particularly in large organisations, and it becomes relevant to start paying attention if red flags are accumulating two months into the job.
At this stage, you should have started to get a feel for the organisation you have entered, and you would have established first contacts with key team members and your direct management.
You need to continue to meet with your team members, preferably face to face whenever possible. You should meet each team member, if the size and geographical dispersion of your team allows, even if it’s just for a very short introduction. Do not hint at any possible organisational changes, even if you start to sense that some will have to eventually take place.
If you identify personal or HR issues, consult with your direct line management and take guidance before jumping into action: many of those issues are rooted in a past that may be more complex than what the employee disclosed to you. If necessary, meet with the HR department, but only once you are in possession of all the relevant facts.
Expect that your team members (and others, as you continue to meet people) will start bringing "problems" to you and will "test" you. That is a good and natural reaction and you must play along: it is key for them to get to know you and to gauge your management style. At the same time, you have only been in the job for a few weeks and cannot work miracles (they must understand that, too).
Expect as well that many people will tell you what needs fixing, how to do it and why it hasn’t been done in the past. That is also unavoidable and a good sign. It will invariably bring a mix of real value and political noise, but you must listen to it.
Overall, this is an opportunity for you to get to know the people around you, but you must not allow short-term firefighting dynamics to take over. You need to continue discovering the true extent of your environment, and meeting the key stakeholders outside your team should be the real backbone of those first six weeks.
The meetings with your staff should be your primary source for identifying who your key stakeholders are across the firm, and which external third parties and suppliers matter most in your environment.
Apply the same approach you used for the meetings you held during your first week: Ask people what they expect from you, how you can help them, and more importantly listen to them.
Do not hesitate to travel during that phase, in particular if your organisation has a large multinational footprint. Travelling will introduce a different rhythm of work and may help you gather your thoughts.
In all cases, start organising the notes and observations you will have accumulated throughout your first few weeks and build your own assessment of the situation you have inherited. The focus of that first assessment will depend to a large extent on the key challenge of your role, as defined by your management and positioned during your first week:
Your strategic framework should express in simple terms what you want to do to address the challenge given to you. It should reflect the key findings of your assessment, and set directions, timeframes and high-level cost estimates for what you are proposing to achieve in response to those findings.
Make all necessary caveats around unknown aspects, and if necessary, offer multiple ameliorative options or action paths.
Trust your instincts, look over the right timeframes in terms of execution and do not focus only on alleged “quick wins”. There are things that can be done in six months and some that may take a year or two to be completed, depending on the complexity of your environment.
Most importantly, do not hint at organisational changes at this stage, even if your meetings so far have made it clear to you that some will have to take place. That should come next as a matter of execution of the strategic framework once agreed.
Share your strategic framework with your direct reports once advanced enough: Collect their feedback and make the necessary amendments, then take it to your boss for validation.
That validation meeting with your boss is really the objective you should have been working towards across the whole period. You should not fear it and if you have followed the approach highlighted here, you should have all the facts and the confidence to sail through it. Your case should be as strong as it can be, as long as it is clear, simple, rooted in the reality of your field observations and aligned with the challenges given to you.
The key things to worry about in the first 6 weeks (which should raise a red flag because they concern the real profile of your new role and management priorities)
- You are struggling to meet stakeholders; they say they haven’t got time to meet you
- Stakeholders openly reject any form of value proposition from you that steps beyond tactical firefighting
- You still haven’t got any form of clarity around budgets and nobody wants to talk to you about it; you have missed key budgetary deadlines and you will have to wait until the next round
The things NOT to worry about in the first 6 weeks (which are just management opportunities for you to address)
- Stakeholders don’t seem to understand what you say
- Your team members don’t seem to understand what you say
- You come across serious operational issues or acute immaturity problems that go way beyond what you were told or what you were expecting
The Business Transformation Network has posted this article in partnership with Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly to the CIO Water Cooler, and has previously published articles on the InfoSecurity Magazine, Computing, C-Suite.co.uk, Info Sec Buzz and IoD Director websites. He was listed in the top 10 of the UK's 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.