Elevate Security recently hosted a webcast event where I was fortunate enough to host Andrew Turner, CTO and Market Strategy Lead for Booz Allen’s Global Commercial business. In this Fireside Chat, we discussed how successful CISOs set themselves apart and make a strategic impact during their first 100 days. With the new U.S. presidential administration having just passed a similar milestone this week, our discussion topic of the First 100 Days was timely on a number of levels!
At Booz Allen, Andrew is responsible for market strategy and leading secure digital transformations for the company's global commercial clients. He has been a head of cybersecurity many times, including stints at Visa, Microsoft, and FIS.
A CISO’s honeymoon period is painfully short. Since the average tenure of a CISO is under two years, it’s important to hit the ground running.
Andrew discusses the importance of CISOs fitting with the company’s culture, even during the interview process. A CISO’s security strategy must fit the organization, or it will not succeed. Our exchange outlines the four quadrants of the Competing Security Cultures Framework, a model that defines security cultures along two distinct axes: internal/external and tight/loose controls. Hand in hand with culture is ascertaining your organization’s tolerance for business risk, how aggressive to be… or not.
Today’s CISO must balance many competing priorities. These include regulatory and compliance mandates along with supporting revenue growth. Building trust and credibility for security within the organization, while not damaging the company’s brand reputation in the market. Being seen as an enabler of the business, not a purely a technology function.
Many of the CISO’s challenges come down to managing perception. Andrew has two fundamental rules for security teams that he runs. First, never say “No”, outright. Second, avoid surprises. He believes it is important for the CISO to explain WHY the security team implements the policies and controls it does. This means communicating correctly to all levels of the organization: from the board of directors to the CEO and CIO, from management down to employees. Effective communication ensures that cybersecurity is seen as a strategic differentiator, not an impediment to the business. This was a highly interactive Q&A session. Some of the questions that Andrew and I address include:
- What’s the first thing a new CISO should focus on?
- How does the company’s culture inform the first 100 days agenda?
- When interviewing, or before starting a new position, what kind of prep work will set you up for success?
- What can you do to fix broken relationships and communication challenges within the organization?
- What are some techniques to build or change the internal brand of the security team?
- How can you measure the security posture of each department or region of the company?
- Why is it important to establish and market a personal brand as a leader?
- What are some techniques to communicate, build trust and transparency with employees?
- How should your approach differ working for a large enterprise versus a smaller one?
- How do you report out progress or updates to the organization and management?
This engaging and informative webcast is well worth the time investment. You’ll emerge with a list of concrete actions to take to improve your odds of a successful First 100 Days agenda.