Why A New CISO Needs Less Than 100 Days To Solve The Most Urgent Cybersecurity Problem

Forbes Technology Council

Ravi Ithal is cofounder and Chief Technology Officer at Normalyze, a data-first cloud security provider for the digital enterprise.

Pity the new CISO. Being a chief information security officer is a tough job that's getting harder, and the pressure to perform starts on day one. It's like a sprint, with success or failure popularly gauged by results earned in the first 100 days. That's barely enough time to create a strategy, much less show results against attackers who never pause!

Joking aside, a CISO's strategic role is deadly serious, so let's take a step back and explore how a new CISO can make the biggest and most valuable impact right out of the gate.

Why The 100-Day Deadline Is Too Long

First, let's clear the air about the magical 100-day deadline. It debuted 90 years ago when newly elected President Franklin D. Roosevelt summoned the U.S. Congress for a special 100-day session to urgently address the Great Depression. Roosevelt pushed 15 new bills through Congress during this time, with the New Deal marking the start of economic recovery. The "first 100 days" took on symbolic significance, and many people still use it today as a benchmark of early success for a new leader.

For cybersecurity, I contend this artificial deadline is complete bunk. Cybercriminals do not say, "Oh, XYZ Company has a new CISO. Let's give them 100 days to come up to speed and then turn the screws!" Attackers' screws are already turning 24/7, with continuous, automated probes. A new CISO does not have 100 days to get started. In most cases, effective action is required ASAP.

Distilling The Top Priority

Time is of the essence, yet a new CISO cannot do everything at once. Out of curiosity, I hit Google and ChatGPT to learn what a new CISO should do first and got 100 different ideas. No wonder CISOs are leading a new great resignation. Some of the ideas were strategic and process-oriented, such as Gartner, Inc.'s Prepare, Assess, Plan, Act, and Measure model. Others were a laundry list of tasks that cyber pros do every day. There's even a 170-page CISO handbook. Too many to-dos!

Then I recalled some wise advice for time management: Pick the most important thing on your list and focus on that. It's OK if you can't work on others, too, because you're addressing the top priority. Nothing else is more important.

The fundamental question is, what is the top priority for a new CISO?

Turning The Focus On Vital Data

Priority is set by two questions, thrive and survive: What does your organization need most to thrive? What loss would block its survival? For a modern, model-driven business, the most valuable asset is not physical such as buildings, inventory, equipment or infrastructure. The most vital element is invisible: your organization's data, especially sensitive data. In this new age of AI-powered possibilities, your data are the crown jewels and should be the top priority.

For the highest-value asset, sensitive data is ironically easy to lose. One reason is the growing movement of sensitive data into public clouds. Multi-cloud environments make it especially hard to know with certainty where sensitive data moves and resides. According to an ESG survey that we co-sponsored, "86% of respondents said they have sensitive data stored in a data lake, data warehouse or data lakehouse." A startling 84% said data loss has occurred more than once in the last 12 months, and 23% said they lost sensitive data from a public cloud store four times.

Protecting sensitive data is an obvious requirement, but new CISOs must beware of falling into a common trap. A new CISO's typical process flow goes something like this.

1. Identify stakeholders.

2. Review policies and procedures.

3. Confirm or deploy fundamental security applications such as vulnerability management, patch management, configuration management databases and so forth.

4. Inventory the organization's IT assets.

5. Conduct a risk assessment.

6. Examine identities and who has access to which data, and develop policies.

7. Identify sensitive data, classify the data and map access rights to applications and data.

Only at step 7 does the flow reach the most important asset. Why is so much attention diverted first to less important issues? Sure, understanding infrastructure is hard (especially for a new CISO getting familiar with a new organization), but if data is the top priority, the new CISO should logically invert this process as follows.

1. Discover sensitive data everywhere it exists in the environment.

2. Classify sensitive data, especially if it is subject to government or industry regulations.

3. Govern access to sensitive data so that each user, role and resource holds only the privileges it actually needs.

4. Detect risks, and remediate vulnerabilities and cloud misconfigurations.

5. Verify compliance with laws and regulations.

6. Continue with other security priorities.

The typical process flow takes a new CISO too long to get to the important stuff. The inverted process flow tackles the most important task first and gets you there faster.
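The inverted flow above (and the DSPM approach described in the next section) is easier to reason about as working code. The following is an added example, not code from this article, from Normalyze or from any DSPM product. It runs steps 1 through 4 over a constructed inventory of cloud objects: it discovers and classifies sensitive data with regex classifiers (a Luhn check weeds out numbers that merely look like card numbers), checks each store's constructed access policy for public exposure and for reader groups not permitted for that data class, and ranks findings so the most exposed crown jewels surface first. Every path, object body, policy and allow-list below is an assumption constructed for illustration.

```python
"""Miniature data-first triage: discover, classify, check access, rank.

Added example, not code from the article or any DSPM vendor. All stores,
object contents, policies and allow-lists are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Step 1 input: objects found in cloud storage. In practice this comes from
# listing buckets and sampling objects; here it is constructed inline.
INVENTORY = {
    "s3://analytics-lake/exports/customers.csv": (
        "id,name,email,card\n"
        "1,Ada,ada@example.com,4111 1111 1111 1111\n"
        "2,Bob,bob@example.com,5500 0000 0000 0004\n"
    ),
    "s3://hr-archive/2023/benefits.txt": "SSN 123-45-6789 enrolled in plan B",
    "s3://public-site/assets/logo.svg": "<svg/>",
    "s3://app-logs/2024/app.log": "user=carol@example.com action=login ok",
}

# Step 3 input: constructed policy per store (bucket): anonymous reachability
# and the groups holding read access.
ACCESS = {
    "s3://analytics-lake": {"public": False,
                            "readers": ["data-eng", "marketing", "contractors"]},
    "s3://hr-archive": {"public": True, "readers": ["hr"]},
    "s3://public-site": {"public": True, "readers": []},
    "s3://app-logs": {"public": False, "readers": ["sre"]},
}

# Groups permitted to read each data class (assumed); anything else is over-privileged.
ALLOWED_READERS = {
    "PCI DSS": {"data-eng", "finance"},
    "PII": {"data-eng", "hr", "sre", "marketing"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters order numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Step 2: classifiers. label -> (pattern, regulation tag, optional validator)
CLASSIFIERS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "PCI DSS",
                    lambda s: luhn_ok(re.sub(r"\D", "", s))),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "PII", None),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "PII", None),
}

WEIGHT = {"PCI DSS": 5, "PII": 3}   # data-class weight
PUBLIC_PENALTY = 10                 # store reachable anonymously
OVERPRIVILEGED_PENALTY = 4          # per reader group outside the allow-list


@dataclass
class Finding:
    path: str
    labels: dict            # label -> number of validated matches
    regulations: set
    public: bool
    overprivileged: list    # reader groups not allowed for this data class
    score: int = 0


def classify(text: str) -> dict:
    """Return {label: count} of validated sensitive-data matches in text."""
    counts = {}
    for label, (pattern, _reg, validate) in CLASSIFIERS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if validate:
            hits = [h for h in hits if validate(h)]
        if hits:
            counts[label] = len(hits)
    return counts


def store_of(path: str) -> str:
    """'s3://bucket/key' -> 's3://bucket'."""
    scheme, rest = path.split("://", 1)
    return f"{scheme}://{rest.split('/', 1)[0]}"


def triage(inventory: dict, access: dict) -> list:
    """Run the inverted flow; return findings with the highest risk first."""
    findings = []
    for path, text in inventory.items():
        labels = classify(text)              # steps 1-2: discover and classify
        if not labels:
            continue                         # not sensitive: deprioritise
        regs = {CLASSIFIERS[lbl][1] for lbl in labels}
        policy = access.get(store_of(path), {"public": True, "readers": []})
        # step 3: a reader must be allowed for every data class present
        bad = [r for r in policy["readers"]
               if any(r not in ALLOWED_READERS[reg] for reg in regs)]
        # step 4: exposure and over-privilege outweigh the data class alone
        score = sum(WEIGHT[r] for r in regs)
        score += PUBLIC_PENALTY if policy["public"] else 0
        score += OVERPRIVILEGED_PENALTY * len(bad)
        findings.append(Finding(path, labels, regs, policy["public"], bad, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(INVENTORY, ACCESS):
        print(f.score, f.path, sorted(f.regulations), f.labels,
              "PUBLIC" if f.public else "private", "over-privileged:", f.overprivileged)
```

The ordering is the point: a private store of card data read by contractors and marketing outranks a publicly reachable store holding one SSN, which in turn outranks an internal log containing one email address, and the logo file never enters the queue at all. In a real deployment the inventory comes from the cloud provider's listing APIs and the policies from IAM and bucket ACLs; the regex classifiers are a starting point, not a substitute for tuned ones, and the weights are a policy decision each organization must make for itself.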

Making Data The New Priority For Security

The second process flow above is the essence of data security posture management (DSPM), a data-first approach to securing cloud-resident sensitive data. Implementing DSPM can entail repurposing older security tools and/or the use of newer tools focused on this domain.

Describing details of potential DSPM solutions and process flows is beyond the scope of this article. However, considering the two flows listed above, starting with a focus on sensitive data is the most important philosophy for securing your organization's most valuable asset. Done this way, DSPM can discover, classify, govern, detect, remediate and verify compliance in hours or minutes where the old sequence took weeks, months or years.
