In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to affect change while you’re learning the corporate culture.

In my role as CISO at Mainstay Technologies, I run a team that is responsible for security for each of our clients. I’ve learned a lot about what it takes to create a security program that’s sustainable in different organization types, sizes and industries. In this post, the second in the CISO Stressbusters series, I’ve distilled my learnings into four tips that you can apply to your own organization.

1. What makes your organization tick?

An effective security program requires participation from people across the organization. If you understand what drives decision-making and behavior, it will help you develop a scalable and sustainable plan that will be implemented and accepted into your culture. Talk with and interview team members at all levels of the organization and across departments to understand the shared values that drive the company. Identify how the organization collaborates, how decisions are made, and what your company’s risk tolerance is.

2. Do you know where all your data is? Are you sure?

Before you can implement a new program, you need to understand your current state and the gap that exists between where you are today and standards that must be met. You may need to lower real-world risk, satisfy compliance demands, or likely, both.

Start by identifying data privacy laws that you must comply with (i.e., California Privacy Protect Act or Massachusetts 201 CMR 17) and compliance frameworks that you may be contractually obligated to adhere to (i.e., DFARS NIST 800-171 or CMMC) or select a standard you will align yourself to (i.e., the NIST Cybersecurity Framework). The data that you are trying to protect must be at the core of a discovery effort. Are you protecting classified information, controlled unclassified information, patient health information, personally identifiable information, etc.? Classify it, then identify how it flows and where it lives. Then build defensive layers to protect it.

A risk assessment should be completed that includes your compliance gap analysis as well as a detailed analysis of internal and external threats and vulnerabilities (technical and organizational). This will also help to generate your risk profile: Risk equals probability multiplied by impact.

It’s also helpful to gather tangible evidence when conducting your assessment. Vulnerability, account control, and role-based access reports should all be standard. During your interviews you may hear about very organized data flows. Run a data discovery scan to see what type of data is actually being stored in which locations. Do you know how well trained your staff is? Think about integrating a red team exercise or include physical security tests. Or consider starting with something basic like phishing tests.

When Mainstay engages with a new client, we interview stakeholders to understand how they manage and protect data, and then we verify. When the assessment is complete, we move into mitigation and remediation strategies. This includes developing plans to close technical, administrative, and physical gaps. If you don’t have written information security policies and a system security plan, this should be evident in your assessment and will be part of your remediation strategy. If you don’t know who is in your building or connected to your network, physical controls, and network access controls should be implemented. We often find that data controls aren’t nearly as strong as people think, so when it comes to assessment the best approach is trust but verify.

Microsoft Defender Advanced Threat Protection (ATP) is a great technical example of software that can help you identify and manage threats and vulnerabilities in your environment.

3. Mind the gap

A thorough risk assessment gives you the data you need to start building your information security program. From there, highlight your gaps and build a remediation roadmap with milestones.  Your security posture should increase each step of the way. Work towards a continuous monitoring strategy. Define where you would like your security program to be in six months vs. two years, align with your stakeholders, and build momentum. Prioritize quick wins that you can close out now to help reduce risk immediately.

4. Map everything to the “Why”

Upfront legwork to understand the corporate culture will pay off when it’s time to establish new security policies and training. You will need to embed operational change throughout the organization. To do so requires company buy-in and participation.

Educate executives and business leaders on risk management. Show them how the changes you are recommending will improve ROI. Develop a cross-discipline governance team that reports on cybersecurity risk management at the leadership level. Conduct regular training and check ins to make sure processes are being followed. By distributing the responsibility, you will alleviate the pressure on you and your team, and it will help you build a security culture. A win-win!

Looking ahead

The job of a CISO is stressful. Don’t do it alone. Ally with people in your organization who share your values and can help you achieve your goals. Connect with CISOs from other companies who can commiserate and share advice. And stay tuned for the next CISO Stressbuster post for more advice from other CISOs and security professionals in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts on CISO insights and stressbusters.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.