If you’re a new Chief Information Security Officer (CISO) or taking on a new security leadership role, the first few months on the CISO roadmap job are critical to your future success. You’ll be judged, tested by your organization and staff, and put on stage to perform in front of your C-level peers. The precedent you set in your first 101 days of the CISO roadmap will dictate how your organization perceives you and whether your tenure is marked by early challenges or confident navigation of the job you were hired to do.
This CISO roadmap playbook for new executives outlines key initiatives and specific steps to help you find success in your first 101 days on the job. Don't have time to read now? Download the playbook to read on the go.
What is a CISO roadmap?
A CISO roadmap is a strategic plan that outlines essential initiatives, priorities, and actions to enhance an organization’s cybersecurity posture over a set period. This roadmap serves as a vital tool for CISOs to align security efforts with business objectives and ensure efficient resource allocation to mitigate risks.
The development of a roadmap starts with a thorough assessment of the organization’s current security state to identify vulnerabilities and gaps. It then outlines clear short-term, medium-term, and long-term goals focused on strengthening defenses, improving incident response, and ensuring regulatory compliance. It covers technological upgrades, process enhancements, staff training, and the integration of advanced security measures like artificial intelligence for threat detection.
Days 1-10: Laying the CISO roadmap groundwork
Take stock of the existing information security program
Start by taking inventory of all the components of your program, including direct and dotted line information security staff and responsibilities, established program capabilities and their maturity, and any available metrics on department performance. At a minimum, it’s critical to take a cursory inventory of services in your first week. As you meet with other business unit leaders you can start formulating a more vigorous and relevant information security strategy.
Get to know your colleagues
Don’t skip this step toward kindling meaningful working relationships. If you’re new to your company, be careful not to pass judgment during early discussions since you’ve had no experience with organizational politics yet. Use this time to build political capital by listening to your colleagues and showing empathy. Most importantly, take note of your colleagues’ goals and objectives so you can support their success when you launch an updated information security roadmap and strategy.
Hold a department meeting
Taking action on this step is a must. Your team may be apprehensive about new leadership and how your strategy and management style will affect their jobs. Give everyone a chance to talk and ask questions. Be sure to listen, express empathy, and advise that you’re still gathering information and not ready to make any decisions. This is a good opportunity to demonstrate your belief that everyone is on the same team and shares a common goal.
Review budget and metrics
Spend time dissecting your budget and breaking down capital and operating expenditures. You’ll likely face questions over the coming weeks about the financial footprint of the information security team. If a high volume of security and compliance spending has taken place before your arrival as CISO, you may be asked if capital expenditures can be reduced. If you’re building an information security function from scratch, there may be less scrutiny given that an initial capital spend is expected, but it would be smart to appropriately set expectations if you anticipate heavy spending.
Let people know you exist
Information security is pervasive—it requires that you interface with all departments, not just IT. Putting people on alert and driving awareness of your role will serve as an invitation for people to reach out and discuss security topics and concerns, or simply start a dialogue. Early outreach helps to enforce that you’re an approachable colleague.
Days 11-20: Building relationships and planning assessments
Queue up an information security assessment
At the beginning of week three, schedule an independent information security assessment. Depending on company purchasing requirements, coordination of the assessment could take a few weeks in addition to an assessor’s required lead time. This should be a holistic assessment of your information security program, not just a penetration test or vulnerability scan. Find a quality information security advisor who can review your overall program posture using a well-recognized framework, such as ISO 27001, and measure those controls in a business context so you can gain an accurate read on business risk and prioritize remediation plans accordingly.
Hold one-on-one meetings with your team
Begin meeting with individual members of your team. Start with your direct reports before working through the org chart. If your team is so big you can’t talk with everyone, make time to meet with frontline security staff even if it means skipping middle management tiers. Your frontline staff are the individuals who see issues and deal with problems and can offer a candid view of the challenges currently facing your new security domain. During these meetings, you should aim to build political capital and trust within your team. Ask for informed, fact-based opinions on departmental risks and seek insight on how they could be mitigated. Use these meetings to establish your approachability by actively soliciting feedback.
Learn what projects or initiatives will be active within six months
In your busy third and fourth weeks, time permitting, start to understand new company initiatives or projects that will be active in the next six months. You’ll be steering these upcoming projects and initiatives once you’re fully embedded in your new position; building a strategy around their support will help you be purposeful and successful in your first 101 days. You’ll gain context for your one-on-one meetings and get a glimpse into your team’s plans and their tracking of associated risks.
Days 21-30: Creating structure and setting priorities
Prepare steering committee materials
If you have a security steering committee, you should begin preparing materials and framing the first meeting agenda. Your actual first meeting with the committee will come much later in your first 101 days, but if you’re inheriting an existing committee, carefully structure the first meeting to get off on the right foot. Note that there’s increased complexity if the wrong stakeholders are involved (i.e., committee members don’t have the appropriate seniority or experience). If you find yourself in this position, pause and critically evaluate whether you want to start over. Politically, it may be easiest to dissolve a legacy committee and develop sufficient political capital to rebuild. If you’re starting a new steering committee for the first time, in addition to framing the first meeting format, you should also actively promote membership to desirable committee candidates.
Hold one-on-one meetings with business leaders
Start meeting with peers and business unit leaders. These relationships are critical to your ongoing success. In addition to gaining the trust of your company’s business leaders, you should learn about their goals and objectives and incorporate them into your strategic plan and roadmap. This will help ensure your information security goals and initiatives directly correlate to business objectives. During these meetings, gather input on how the security team can help other business units.
Days 31-40: Building a strategy and aligning the team
Review the operational security budget
Hopefully, you’ve obtained a solid understanding of your budget in the first two weeks. With a month under your belt, you’re ready to start answering specific questions about your budget and the positive impacts of your spending. Your newly recruited financial analyst will validate budget planning and develop ROI metrics to demonstrate improvements in the finances of the evolving information security program.
Establish a program vision
Defining your program vision will shape your dialogue in the coming weeks. Based on your earlier conversations with business leaders, you should have an idea of what success looks like and how to help your company deliver on strategic goals and initiatives. While your vision may not be formalized, you’ll have plenty of time to firm it up in the coming months. Consider this a prerequisite to developing an overall information security program strategy.
Inventory security team skill sets and establish development plans
As you talk with your team, holding one-on-one meetings and observing performance, take an inventory of both technical and soft skills. Soft skills are more challenging to define and measure, but tested frameworks (e.g., Lominger competencies) can help evaluate. When creating a staff development plan, consider employee career aspirations to drive their skills development. You, as CISO, are an advisor and motivator, but development plans should be owned by the employee; they must be invested in the process and motivated to improve. Employee underperformance or negative attitudes will create (or perpetuate) bad feelings on the team—you owe it to your top performers to fix this immediately. Don’t spend all your time on the underperformers; each team member should receive equal attention. This may be one of your most important tasks, so take the time to get it right.
Begin your information security assessment
Kick off an independent review of your information security posture. While you may be qualified to perform the assessment, resist the temptation to do so. There’s an opportunity cost in self-assessment: valuable program and relationship development. Additionally, the independent lens of an impartial party will lend creditability to the findings. During this assessment, it’s critical to partner with your independent assessor and offer guidance to ensure the quality of the output. The assessor is most likely new to your organization, so helping them adopt the appropriate business and security context will ensure an accurate measure of risk. An information security assessment without business context is just a gap assessment, and you need a risk assessment to prioritize remediation efforts. Depending on your corporate procurement processes, a 31-40 day start time may be unrealistic, but this assessment is a prerequisite to formalizing your information security program strategy and should be performed as soon as possible.
Days 41-50: Establishing leadership and completing the charter
Write, review, and maybe rewrite the information security charter
You’ll want your charter approved by the CEO and board of directors, so it should be written at a high enough level that it communicates your mission and objectives, while providing enough detail to translate into an operational plan. Take the time to get this right the first time, because any changes or updates will need to be reapproved by the CEO and board. Many CISOs choose to have the charter approved by their security steering committee. If you’re inheriting an existing information security charter, take the opportunity to review and make necessary changes or modifications.
Appoint team leaders
By now you’ve observed team performance and potentially identified a few stand-out leaders. Keeping in mind your information security program strategy and direction, it’s time to put the right team in place to guarantee delivery. The leadership strength of those you select should inform the autonomy you afford them. Junior leaders will need more structure with work plans and project reviews. Senior leaders can work autonomously and will help you to coach those with less experience.
Be visible in established security projects
Whether you inherited a list of security projects or are preparing to kick off your own, judiciously select a limited number of important and strategic security projects to participate in. You may even choose to help a stalled project get back on track. While ramping up in your new role, you’ll gain credibility and loyalty with your team as you demonstrate that you’re there to help them succeed. Be careful not to overstep your project role and responsibilities; depending on your background and expertise, you don’t want to be perceived as commandeering the project. If you contribute too actively you may inadvertently skew responsibilities and derail progress. Establish personal participation guidelines for yourself. Your approach should be as a consensus builder rather than as a C-level overriding vote. There may be times when you need to pull your CISO card but only do it in dire circumstances.
Days 51-60: Securing buy-in and setting up awareness
Review the budget for the second month
Review your budget again and you may see trends in your expenditures. You should now have enough information to start making informed decisions about your expenses. During development plan conversations, look for qualified team members to whom you can delegate budget monitoring responsibilities as a growth opportunity.
Meet with the steering committee or board of directors
If you operate with a steering committee, you have flexibility as to when this meeting is scheduled because you drive the agenda and timing. Alternatively, if you have an opportunity to meet with the board of directors, you’ll have to work around their schedules. Depending on when the board meets and how it aligns with your start date, it could make sense to skip presenting at the first board meeting of your tenure to ensure your first impression is strong, fact-based, valuable, and relevant to the overall business strategy.
Obtain approval for your security charter
It’s time to get approval on the charter you drafted or updated in previous weeks. The date will be driven by the approving body’s (i.e., steering committee or board) schedule, but before requesting your opportunity, secure buy-in from any appropriate or influential reviewers. This will help establish support from the approving body to ensure a smooth approval process.
Form a security awareness team
This may be the most overlooked task in the new CISO’s playbook. Continuous development of new and engaging security awareness ideas, content, and engagement is demanding. It’s smart to enlist your marketing department to support creative content development and to structure effective messaging strategies. Take the time to give credit where it’s due and keep that collaboration going. All of members of the information security team are responsible for spreading your security awareness message. At a minimum, each should be required to deliver training annually.
Days 61-70: Finalizing your information security strategy
Formalize your information security program strategy
Two months for strategy development may seem lengthy, but you’ll need time to craft your program vision and complete the independent information security assessment before stringing these data points together. Your strategy is ultimately a roadmap for delivering your program, and should include the following:
- A security maturity model for each cybersecurity competency you plan to develop in-house
- A cost-benefit analysis of internal investment versus partnering with a Managed Security Service Provider (MSSP)
- Capital and operational investment for cybersecurity competency development
- Operational investment for staff development and streamlining business operations
It’s important to remember that information security is a risk management exercise, and risk mitigation costs time and money. In some cases, it makes sense to mature an information security competency to 90% of the potential capability because the last 10% is generally cost-prohibitive. Developing this roadmap and being purposeful about investment and ROI will generate traction for your future budget and improve your credibility with your executive peers.
Identify objectives for your information security team
Once your program strategy is complete, begin developing your annual information security playbook. This playbook should outline how your team delivers on your strategic objectives for the year, assigning team members in alignment with their respective professional development plans. Your playbook will also be your performance measurement and accountability data source.
Days 71-80: Monitoring and adjusting program delivery
Monitor your information security program delivery
With your information security program strategy and playbook available, you can now drive and track the progress of your strategic deliverables, measuring your program's success. Most importantly, you have an early warning system that will let you know if your program begins to deviate from the plan. Consider these tools a component of your overall information security governance structure.
Days 81-90: Engaging the broader organization
Continue monitoring information security program delivery
Depending on the number of initiatives in your information security playbook and the volume of senior leaders, you may need to help junior leaders with their early efforts to gain traction.
Present at a company-wide meeting
If you have the opportunity, take advantage of the visibility and broad audience of an all-hands meeting to talk about the information security program, including what employees can expect and how to engage with the information security team. The sooner you can get on the agenda, the better, and by now you’ve had enough time to create supporting material about your program vision and security’s role in advancing business objectives. While everyone on your team is responsible for spreading your security awareness message, this is your opportunity as CISO to introduce yourself and the information security brand to your company.
Days 91-100: Addressing business continuity and disaster recovery
Address business continuity planning and disaster recovery
If you have responsibility for business continuity planning (BCP) and disaster recovery (DR), it’s time to perform or refresh your Business Impact Analysis (BIA) for BCP. The level of effort required will depend on the size of your business and executive support. If you need to convince other executives to reallocate resources to support BCP and BIA efforts, it may take longer to complete. While you gather support for your BCP and BIA plans, start collecting your asset inventory for the complementary DR efforts.
Day 101: Celebrating success and looking forward
Celebrate your first 100 days
You’re on your way to building a top-notch security program. By this point you’ve completed significant tasks, including:
- Implementing an independent information security assessment of your organization
- Establishing solid working relationships with your colleagues, including other executives and the information security steering committee or board of directors
- Streamlining your information security budget
- Developing staffing development plans
- Creating an information security strategy and operationalizing an information security playbook
You’ve built a solid foundation for your company’s information security function and positioned yourself well for future growth and recruiting and retaining top talent.
Additional considerations for new CISOs
Here are a few more key areas to underscore that are critical for you to consider as a new CISO.
Engage with the leadership team on information security
Creating a solid cybersecurity program starts with engaging the leadership team. You need buy-in from the top to effectively drive your initiatives. Begin by building relationships with key stakeholders such as the CEO, CFO, and heads of other departments. These early connections will not only help you understand the existing culture but also give you insights into how information security ties into business goals.
As you conduct your comprehensive assessments, communicate the findings in a way that resonates with non-technical audiences. Presenting clear metrics and data on risks can help translate the importance of cybersecurity into terms they understand. By aligning security objectives with broader business goals, you'll not only gain buy-in but also demonstrate that security is a business enabler, not just a technical hurdle.
Build a security-conscious culture among employees
Employees are your first line of defense, so cultivating a security-conscious culture is a top priority. Begin by implementing strong training programs that cover the latest security threats, data protection practices, and the dangers of cyberattacks. Regular phishing simulations and awareness campaigns can go a long way in creating a workforce that is alert and proactive about security risks.
Engage with your employees at all levels, encouraging open communication about security concerns. Create channels for reporting potential security incidents without fear of repercussion. As the CISO, you're the leader, but you also need to be approachable and responsive. By building trust within your team and across the organization, you'll foster a collaborative environment where everyone feels responsible for maintaining security.
Assess technical information security maturity
Understanding your organization's current security posture is critical for building a comprehensive roadmap. Leverage established frameworks such as the NIST Cybersecurity Framework or CIS Controls to evaluate your security maturity level. These frameworks offer a structured approach to assess your governance, risk management, compliance, and technical controls.
Recognize that cybersecurity is a continuous journey. As threats evolve, so must your approach to security. Advocate for ongoing monitoring and refinement of security practices. Emphasize the importance of continuous improvement and encourage cross-department collaboration to share knowledge and drive innovation. This mindset will position you as a forward-thinking leader who can adapt to the changing cybersecurity landscape.
Don't miss another article. Subscribe to our blog now.
Included Topics
