You won't disagree: in an organization, the role of the CISO is central, particularly in the application and monitoring of internal cybersecurity best practices. From assessing the state of IT security to analyzing previous attacks, mapping critical assets, and continuing past actions related to risk analysis, the first 100 days of a CISO's tenure are crucial for the organization.
In this article, discover the results of a study conducted jointly by Tenacy and CESIN among 131 CISOs, who share the challenges and successes they encountered during this period. Priority tasks to be carried out, communication issues within the company... Between differing visions and a multitude of tasks, immerse yourself in the first 100 days of a CISO's tenure.
The CISO, a rare resource for companies
According to our study, a CISO remains in the same company for an average of 3.7 years. In addition, 32% of respondents say they have changed jobs in the last 12 months. While these statistics may raise questions, they can be explained by two economic factors.
The first is due to a labor market shortage of IT security experts, which is seeing salary levels skyrocket, automatically increasing turnover. An OpinionWay study conducted for CESIN in 2021 reported that the median salary for a CISO was €89,200, more than double the average salary[1] in France.
The second factor is the exhaustion of some cybersecurity professionals, who are facing an upsurge in increasingly sophisticated cyberattacks. With the Log4Shell/Log4j (CVE-2021-44228), Microsoft Exchange privilege escalation (CVE-2022-41080), and VMware file deletion (CVE-2023-20854) vulnerabilities in recent years, it has once again been a busy time for cybersecurity professionals. In 2022, Splunk announced in a report entitled "The State of Cybersecurity" that 73% of resignations among cybersecurity professionals in the US were due to burnout. This phenomenon is unlikely to diminish in 2024!
The qualities required of a CISO differ depending on the size of the company.
According to our study, companies with fewer than 5,000 employees primarily expect a CISO to have a cybersecurity culture that enables them to understand the specific risks facing the company and thus be able to advise teams on the actions and best practices to adopt.
For CISOs in large organizations, the first quality expected is to acquire a deep understanding of the company's business. Many sectors are subject to compliance constraints such as:
- the banking sector with DORA;
- the industrial sector with the Military Programming Law (LPM) and NIS 2;
- the healthcare sector with NIS 2 and the HDS (health data hosting) decree.
In some cases, these organizations use outdated production systems that require months of planning before any updates can be made. Without a deep understanding of the existing system and the constraints it imposes, the CISO will not be able to implement a security policy and cyber roadmap that are applicable to the company.
The study also identifies an essential quality expected of a CISO, regardless of the size of their organization: they must be able to implement appropriate regulatory monitoring and take it into account on a daily basis.
The priority is on structuring; the rest can wait.
During these first 100 days, the CISO focuses all of their attention on structuring the IS. Thus, for 55% of those surveyed, mapping vital business processes is a priority.
For 41% of respondents, familiarizing themselves with the IS map is also essential. This action is accompanied by an assessment of the security of the information system already in place. This assessment takes into account various topics, such as:
- internal processes and competencies;
- the security solutions used by the company;
- the governance in place;
- operational security;
- compliance management.
Communication, a major challenge during the first 100 days
For 55% of respondents, it is essential to make themselves known as the CISO to all teams, partners, and subcontractors. Being recognized by company executives is essential for 65% of respondents. By advising company executives on the application of the Information System Security Policy (ISSP) and defining the cyber roadmap, the CISO raises awareness of the threat and strives to unite teams around this issue.
This communication stage also allows the CISO to meet with service providers and subcontractors working within the company's environment. Far from being an in-depth assessment, this meeting allows the CISO to gain a basic level of knowledge and awareness of how the company operates and its level of exposure.
However, this task is not a priority for decision-makers in the first 100 days, as only 23% of respondents say they prioritize this action as important and only 10% as essential. Rome wasn't built in 100 days: the CISO must also prioritize!
The analysis of audits and security incidents comes second.
Unfortunately for the CISO, the 100-day period is too short to allow them to address all issues. For our panel, analyzing past events is considered a lower priority. For 50% of respondents, analyzing past audits seems to be something that can be dealt with during this period; 16% consider it essential, while for the rest, it can wait.
Security incident analysis is also addressed later, as only 6% of respondents say it is essential and 35% say it is important.
During this initial 100-day period, the CISO must deal with a wide variety of issues:
- familiarize yourself with the tools and choices of past management teams;
- be recognized as an expert while communicating with company stakeholders;
- implement and monitor actions in terms of governance and compliance, and more.
For each one, they must impose their vision and make their mark while adapting to their new company. Depending on business-related compliance requirements, company size, and other factors, the expectations of organizations and the associated tasks differ for CISOs. To find out more about how these first 100 days unfold, fill out the form opposite to receive the full results of our study!