Through this series, we have examined how an incoming CISO can create the conditions to truly make a difference in their new job.
Of course, as we stated in the introductory article, all companies are different from one another and so are most individuals. Each will be at their particular stage in terms of security or managerial maturity.
But beyond the journalistic “100 days” cliché, there is real and strong management common sense in setting the objective of making a real impact over a 6-month horizon (which is not so far from 120 business days after all!).
The CISO role, irrespective of its exact content and reporting line, will always be peculiar: it is not a true C-suite role, and security topics tend to scare senior executives, who associate them with problems and costs.
So creating a strong bond of trust with all stakeholders will be key to the success of the new CISO. This will come through patient listening, the development of a clear vision, achievable transformation objectives over realistic timeframes, and a sense of leadership which puts clarity, simplicity and consistency at the core of your daily work.
We have said it repeatedly in earlier articles: This is a complex role which requires extensive management experience, personal gravitas, political acumen and a solid grasp of the internal workings of an organisation (particularly in large firms). It requires the real field experience of a battle-hardened professional. This is not a job for an ex-auditor or a life-long consultant.
Staying the course will also be paramount: in essence, what gets mapped out and put under way by the end of the first 6 months is only the first cycle of work.
It will now have to be delivered and it is likely to be a multi-year effort. Management acumen, staff focus, and budgetary resources will have to be sustained. Tactical disruptions will have to be handled. The whole show will have to stay on the road and success will have to be sold.
To achieve real and lasting change, the CISO must not leave at the end of this first cycle but stay through the transition period that will follow, map out, and drive – or at least supervise – the following cycle. True and lasting transformation will come out of that second cycle of change, as the impact of the first one gets accepted and stakeholders start getting used to working differently with a security practice that is coherent and brings value.
Once the initial vision has been established and stabilised, it will have to be optimised. Each of these cycles – creation, stabilisation, optimisation – could last 2 to 3 years in any complex organisation. So, the real tenure of the transformational CISO has to be considered on a 6 to 9 years horizon, and certainly nothing much shorter if the change objectives are to be lasting and fundamental.
It is a very significant commitment for the CISO, who will have to be rewarded and incentivised to stay the course. It is also a very significant commitment for the CISO's management, and many organisations are simply incapable of thinking over such a long-term horizon. But those which can will reap the rewards and build for themselves a true security culture that can only be a competitive advantage in today’s world.
So, 6 days, 6 weeks, 6 months, 6 years … Beyond 100 days, here is probably the real timeline to consider for the transformational CISO.
The Business Transformation Network has posted this article in partnership with Corix Partners.