Some Useful Advice for Newly-Appointed CIOs and CISOs

For the newly appointed CIO or CISO, being hit with an unexpected information security problem can be daunting. Not only do they have to think on their feet and make decisions confidently and swiftly, but if they are still unfamiliar with the internal environment, they face several risks: making the wrong call, disrupting an essential service, or upsetting customers and shareholders. Systems, security policies, management teams, staff policies, and internal procedures, to mention a few, are unique to every firm.

Everyone wants to avoid these issues, but it is especially important for a newly appointed CIO/CISO who is now responsible for the organization's information security. Even with the best intentions and plans, things may still go awry. With that in mind, here is a tried and tested method for getting started in a new information security leadership role.

First Steps After Joining as the CIO or CISO

Below we have curated a list of expert recommendations to help get familiar with a new network quickly and effectively.

LISTEN: What is the perception of IT in the workplace?

As soon as possible, set up one-on-one meetings with a broad cross-section of employees, managers, and stakeholders to understand what they expect from IT. Who are the influencers? Who champions or contests IT policies?

In cases where the company has been without strong leadership before your arrival, the team may have a backlog of IT issues they will want to communicate. Being that sounding board not only establishes you early on as someone who listens intently, but also lets you piece together, more accurately, the information landscape as it is perceived by your internal audience.

What to look for:

  • IT goals.
  • IT frustrations.
  • Staffing issues.
  • Familiarity with information security.
  • Budget and resources.
  • Data and system access and availability.

VERIFY: Get your own security baseline, including strengths and weaknesses.

Getting an accurate sense of your system’s risk posture is vital. Detailed risk assessments and penetration tests will flag policy shortcomings, vulnerabilities, questionable configurations, poorly protected routes into the network, etc.

It is important to conduct your own tests unless previous assessments were completed by an external firm that you know and trust personally. Those previously in charge may have applied a different set of criteria or held different views on risk. Consider this scenario: the systems themselves are superbly defended, but lax configuration options and poor login management leave the network far more exposed to external attack or data leakage. This can happen to any environment that is not properly or regularly monitored. Once your assessments are complete, compare them against any previously conducted tests to map the changes and spot anomalies.

What to look for:

  • External suppliers and contractors.
  • Data collection and processing policy.
  • Information security policy and implementation.
  • Backup policy and implementation.
  • Regulatory requirement oversights.
  • Software licensing.
  • Hardware lifecycles.

STAY INFORMED: Regularly read cyberattack and data leak reports

Headlines tend to focus on sensational attacks rather than everyday ransomware incidents, password leaks, or the importance of educating users, whether management or entry-level staff. Everyone has a role to play in defending the systems, so look beyond the headlines to sources that cover the routine threats as well.

What to look for:

  • Information security meetups and conferences.
  • Peer networking opportunities.
  • Security podcasts and videos.
  • Analyst research.
  • Academic research.
  • Online discussion groups.
  • Technology and security news.

Once this information is collated and parsed, you can start thinking strategically. In other words, within the next "x" period of time, your goal is to meet "y" objectives. It is good practice to balance the actual requirements against the expectations of the stakeholders and users; in short, try to focus on creating a win-win environment.

For example, imagine that you decide that all staff will be required to attend cybersecurity training once per year. Not only will this significantly improve the organization's risk posture, but it is also a requirement of a number of regulatory bodies.

However, what if one of the problems you identify in the company is that IT is not perceived as approachable? Mandating this type of training might not endear the department to the rest of the organization.

Thinking creatively about how to entice (rather than force) engagement might be a solution for you. For example, conduct the training during lunchtime on the first Monday of each month to a cross-section of employees. Providing lunch or other incentives can quickly take the sting out of this type of mandatory event.
Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.
