The role of the CISO is central, particularly in the application and monitoring of best cybersecurity practices within the company. From taking stock of IS security and analyzing previous attacks, to mapping critical assets and ensuring the continuity of past actions based on risk analysis, the first 100 days of a CISO's employment are crucial for the organization. In this article, we present the results of a survey conducted in collaboration with Tenacy and CESIN, involving 131 CISOs who share the challenges and successes they encountered during this period. We take a look at the CISO's first 100 days in the job, and examine the challenges of communicating with the organization, between divergent visions and multiple missions.

 

CISOs remain a rare resource for companies

According to our survey, the average tenure of a CISO within a company is 3.7 years. What's more, 32% of respondents say they have changed jobs in the last 12 months. If these statistics raise questions, they can be explained by two cyclical factors. The first is due to the shortage of IT security experts in the job market, which is seeing salary levels soar, mechanically increasing staff turnover. An OpinionWay study for CESIN, carried out in 2021, revealed that the median salary for a CISO was €89,200, more than double the average salary[1 ] in France.

The second factor is the exhaustion of some of these professionals, who are faced with an upsurge in increasingly sophisticated cyber-attacks. With the Log4Shell/Log4j (CVE-2021-44228), Microsoft Exchange Privilege Escalation (CVE-2022-41080) and VMWare File deletion (CVE-2023-20854) vulnerabilities, the last few years have once again been a busy time for cybersecurity professionals. In a report entitled "The State of Cybersecurity", Splunk announced in 2022 that 73% of resignations among cybersecurity professionals across the Atlantic were due to burn-out. A phenomenon that is unlikely to abate in 2023!

 

The qualities required of a CISO differ according to company size

According to our survey, companies with fewer than 5,000 employees expect CISOs to have a culture of cybersecurity that enables them to understand the risks specific to the company, and thus be able to advise teams on the actions and best practices to adopt.

For CISOs in large organizations, the first requirement is to acquire a deep understanding of the company's business. Many sectors are subject to compliance constraints, such as the banking sector with DORA, the industrial sector with the LPM (military programming law) and NIS2, or the healthcare sector with NIS2 and the HDS (healthcare data hosting) decree. In some cases, these organizations integrate obsolete production systems that require planning months in advance before any updates can be made. Without a thorough understanding of the existing situation and the constraints it imposes, the CISO will not be able to implement a security policy and cyber roadmap that are applicable to the company.

The study also identified an essential quality expected of a CISO, whatever the size of the organization. A CISO must be able to set up an appropriate regulatory watch and take it into account on a daily basis.

 

Priority is given to structuring, the rest will have to wait

During these first 100 days, CISOs focus their attention on IS structuring actions. For 55% of those surveyed, mapping vital business processes is a priority.

For 41% of respondents, it is also essential to take stock of the information system's mapping. This action is accompanied by an inventory of the information system security already in place. This inventory takes into account a number of different themes, such as: identification of internal processes and skills, security solutions used by the company, governance in place, operational security and compliance management.

 

Communication is a major challenge for the first 100 days

For 55% of respondents, it is essential to make oneself known as CISO to all teams, partners and subcontractors. For 65% of respondents, it is essential to be identified with the company's senior management. By advising company management on the application of the IS Security Policy (ISSP) and defining the cyber roadmap, the CISO brings a culture and awareness of the cyber threat.

This communication phase also enables the CISO to meet the service providers and subcontractors present in the company's environment. Far from an in-depth assessment, this meeting at the very least provides an initial level of knowledge and awareness of how the company operates, and its level of exposure. However, this task is not a priority for decision-makers in the first 100 days, with only 23% of respondents declaring this action to be important, and only 10% indispensable. Rome wasn't built in 100 days - CISOs need to prioritize too!

 

Audits and security incidents cannot be analyzed within the first 100 days

Unfortunately for CISOs, the 100-day period is too short to allow them to take all issues into account. For our panel, it is the analysis of past events that is considered to be the lowest priority. For 50% of respondents, the analysis of past audits seems to be an action to be dealt with during this period, 16% define it as indispensable, while for the others it will have to wait. The analysis of security incidents is also dealt with later, with only 6% of respondents declaring it essential and 35% important.

 

In conclusion

During the first 100 days, the CISO has to deal with a variety of issues (learning about the tools and choices of past management teams, making a name for himself while communicating with the company's stakeholders, applying and monitoring governance and compliance actions, etc.), each of which requires him to impose his own vision and imprint, while adapting it to his new company. Compliance requirements linked to business activity, company size, the expectations of organizations and the associated missions diverge for CISOs. To find out how these first 100 days work in detail, please fill in the form opposite.


[1] Source: https://business-cool.com/decryptage/salaire/salaire-moyen-median-france/

If you are interested in this topic our webinar
SUCCESSFULLY TAKING UP A NEW POST: THE WORDS OF RSSI


Organized in partnership with CESIN, this webinar gives the floor to CISOs who have recently changed positions. Our guests will look back on this pivotal period. They'll discuss the challenges they've had to face, and share their dos and don'ts.