You won't deny it: in any organization, the role of the CISO is central, particularly in the application and monitoring of internal cybersecurity best practices. From taking stock of ISsecurity andanalyzing previous attacks, to mapping critical assets and ensuring the continuity of past actions linked to risk analyses, the first 100 days of a CISO's tenure are decisive for the organization.
In this article, we present the results of a study carried out in collaboration with Tenacy and CESIN, involving 131 CISOs, who share the challenges and successes they encountered during this period. Between diverging visions and multiple missions, we take a look at the first 100 days of a CISO's new position.
CISOs: a rare resource for companies
According to our survey, the average CISO stays with the same company for 3.7 years. What's more, 32% of respondents say they have changed jobs in the last 12 months. If these statistics raise questions, they can be explained by two cyclical factors.
The first is due to a job market with a shortage of IT security experts, which is seeing salary levels soar, mechanically increasing turnover. An OpinionWay survey conducted for CESIN in 2021 revealed that the median salary for a CISO was €89,200, more than double the average salary[1] in France.
The second factor is theexhaustion of some cyber professionals, who are faced with an upsurge in increasingly sophisticated cyber attacks. With the Log4Shell/Log4j (CVE-2021-44228), Microsoft Exchange Privilege Escalation (CVE-2022-41080) and VMWare File deletion (CVE-2023-20854) vulnerabilities, the last few years have once again been a busy time for cybersecurity professionals. In 2022, in a report entitled "The State of Cybersecurity", publisher Splunk announced that 73% of resignations among cyber professionals across the Atlantic were due to burn-out. A phenomenon that is unlikely to abate in 2024!
The qualities required of a CISO differ according to company size
According to our survey, companies with fewer than 5,000 employees expect CISOs to have a culture of cybersecurity that enables them to understand the risks specific to the company, and to advise teams on the actions and best practices to adopt.
For CISOs in large organizations, the first requirement is to acquire a deep understanding of the company's business. Many sectors are subject to compliance constraints, such as :
- the banking sector with DORA ;
- the industrial sector with the LPM (military programming law) and NIS 2 ;
- the healthcare sector, with NIS 2 and the HDS (healthcare data hosting) decree.
In some cases, these organizations integrate obsolete production systems that require planning months in advance before any updates can be made. Without a thorough understanding of the existing situation and the constraints it imposes, the CISO will not be able to implement a security policy and cyber roadmap that are applicable to the company.
The study also identified an essential quality expected of CISOs, whatever the size of their organization: they must be able to set up an appropriate regulatory watch and take it into account on a daily basis.
Priority is given to structuring, the rest will have to wait
During the first 100 days, CISOs focus their attention on structuring the information system. For 55% of those surveyed, mapping vital business processes is a priority.
For 41% of respondents, it is also essential to take stock of the information system's mapping. This action is accompanied by an inventory of the information system security already in place. This inventory takes into account a number of different themes, such as :
- internal processes and skills ;
- security solutions used by the company ;
- governance in place ;
- operational safety ;
- compliance management.
Communication, a major challenge for the first 100 days
For 55% of respondents, it is essential to make oneself known as CISO to all teams, partners and subcontractors. For 65% of respondents, it is essential to be identified with the company's senior management. By advising the company's management on the application of the IS Security Policy (ISSP) and defining the cyber roadmap, the CISO raises awareness of the threat and strives to unite teams around this issue.
This communication phase also enables the CISO to meet the service providers and subcontractors present in the company's environment. Far from being an in-depth assessment, this meeting at least provides an initial level of knowledge and awareness of how the company operates, and its level of exposure.
However, this task is not a priority for decision-makers in the first 100 days, with only 23% of respondents declaring this action to be important, and only 10% indispensable. Rome wasn't built in 100 days: CISOs need to prioritize too!
Analysis of audits and security incidents is a second step.
Unfortunately for CISOs, the 100-day period is too short to allow them to take all issues into account. For our panel, it is the analysis of past events that is judged to have the lowest priority. For 50% of those surveyed, the analysis of past audits seems to be an action to be dealt with during this period; 16% define it as indispensable, while for the others it will have to wait.
Security incident analysis is also a secondary concern, with only 6% of respondents declaring it to be of primary importance, and 35% important.
THE LAST WORD
During the first 100 days, CISOs must deal with a wide variety of issues:
- learn about the tools and choices of past management teams ;
- be identified as an expert while communicating with the company's stakeholders;
- implement and monitor governance and complianceactions...
For each of them, they have to impose their own vision and imprint, while adapting them to their new company. Compliance requirements linked to business activity, company size... the expectations of organizations and the associated missions diverge for CISOs. To find out in detail (and in pictures) how these first 100 days unfolded, please fill in the form opposite!
[1] Source: https://business-cool.com/decryptage/salaire/salaire-moyen-median-france/