When a CISO joins a new organization, it is important to start with the basics. The following is a TODO list for every new CISO.
- Understand the business – where revenue comes from, who the major customers are, and who the internal stakeholders are (meet them).
- Review the CISO budget – how large it is and where it is spent (people, technology, services).
- Know the team – get to know team members. In a large team, get to know the key leaders, but also meet individual contributors to understand their challenges.
- Identify compliance and regulatory needs – before creating a strategy, list all compliance needs, their current status, and the timeline of the next audit cycle.
- Understand the technology foundation:
  - Policy, standards and governance structure.
  - Critical assets and asset management (what to protect).
  - Key technologies used for protection (endpoint, network, applications, cloud, identity and access management).
  - Security operations, threat detection and incident response.
- Key vendors – contact key vendors and identify how to get their help.
- Develop strategy and metrics – what needs to be done to build the security program and the risk management strategy, and how to measure progress.
- Security team branding – create a plan for marketing and branding the security team.