For the newly appointed CIO or CISO, being hit with an unexpected information security problem can be daunting. Not only do they have to think on their feet and make decisions confidently and swiftly, but if they are still unfamiliar with the internal environment, they face several risks: making the wrong call, disrupting an essential service, or upsetting customers and shareholders. Systems, security policies, management teams, staff policies, and internal procedures, to mention a few, are unique to every firm.
Everyone wants to avoid these issues, but doing so is especially important for a CIO/CISO who has been newly appointed to look after information security for the organization. Even with the best intentions and plans, things may still go awry. What follows is a tried and tested method for getting started in a new information security officer role.
Below we have curated a list of expert recommendations to help get familiar with a new network quickly and effectively.
LISTEN: What is the perception of IT in the workplace?
As soon as possible, set up one-on-one meetings with a broad cross-section of employees, managers, and stakeholders to understand what they expect from IT. Who are the influencers? Who champions or contests IT policies?
In cases where the company has been without strong leadership before your arrival, the team may have a backlog of IT issues they want to raise. Being that sounding board not only establishes you early on as someone who listens intently, but also lets you piece together more accurately the information landscape as your internal audience perceives it.
What to look for:
VERIFY: Get your own security baseline, including strengths and weaknesses.
Getting an accurate sense of your system’s risk posture is vital. Detailed risk assessments and penetration tests will flag policy shortcomings, vulnerabilities, questionable configurations, poorly protected routes into the network, etc.
It is important to conduct your own tests unless previous assessments were completed by an external firm that you know and trust personally. Those previously in charge may have applied different criteria or held different views regarding risk. Consider this scenario: the individual systems are superbly defended, but lax configuration options and poor login management leave the network far more exposed to an external attack or data leak. This can happen to any environment that is not properly or regularly monitored. Once your assessments are complete, check them against any previously conducted tests to map the changes and spot anomalies.
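The comparison step described above is easy to do by hand for a dozen findings and error-prone for a few hundred. The following is an added example, not code from the article or from J.S. Held, of a small baseline comparison: it lines up a previous assessment against the new one, classifies each finding as new, resolved or persistent, and flags the anomalies worth a closer look (severity escalations, high or critical findings that survived from the last test, and assets that appear in the old report but nowhere in the new one, which may mean they were fixed or may mean they silently dropped out of scope). The finding fields, the severity scale and all sample data are constructed for illustration.

```python
"""Compare a new security assessment against a previous baseline.

Added example, not from the article. Findings are modelled as
(asset, title, severity) records; the matching key is (asset, title),
normalised for case and whitespace so reports from different tools or
testers still line up. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed severity scale; adjust to the scale your assessors use.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

Key = Tuple[str, str]


@dataclass(frozen=True)
class Finding:
    asset: str      # hostname or system name (constructed)
    title: str      # short finding name as it appears in the report
    severity: str   # one of SEVERITY_RANK


def index(findings: Iterable[Finding]) -> Dict[Key, Finding]:
    """Key findings by normalised (asset, title). If a report lists the
    same finding twice, keep the more severe copy."""
    out: Dict[Key, Finding] = {}
    for f in findings:
        key = (f.asset.strip().lower(), f.title.strip().lower())
        if key not in out or SEVERITY_RANK[f.severity] > SEVERITY_RANK[out[key].severity]:
            out[key] = f
    return out


def compare_assessments(baseline: Iterable[Finding], current: Iterable[Finding]) -> Dict[str, List]:
    """Classify findings as new, resolved or persistent, and list severity changes."""
    base, curr = index(baseline), index(current)
    persistent = sorted(k for k in curr if k in base)
    return {
        "new": sorted(k for k in curr if k not in base),
        "resolved": sorted(k for k in base if k not in curr),
        "persistent": persistent,
        # (key, old severity, new severity) for findings whose rating moved
        "severity_changes": [
            (k, base[k].severity, curr[k].severity)
            for k in persistent if base[k].severity != curr[k].severity
        ],
    }


def anomalies(baseline: Iterable[Finding], current: Iterable[Finding]) -> Dict[str, List]:
    """Things a new CISO should question rather than accept at face value."""
    base, curr = index(baseline), index(current)
    report = compare_assessments(baseline, current)
    base_assets = {k[0] for k in base}
    curr_assets = {k[0] for k in curr}
    return {
        # Rated high or critical last time and still present now: never remediated
        "persistent_high_or_critical": [
            k for k in report["persistent"] if SEVERITY_RANK[curr[k].severity] >= SEVERITY_RANK["high"]
        ],
        # Same finding, but the assessors now rate it worse than before
        "escalations": [
            c for c in report["severity_changes"] if SEVERITY_RANK[c[2]] > SEVERITY_RANK[c[1]]
        ],
        # Assets with findings last time and none now: fixed, decommissioned, or out of scope?
        "assets_missing_from_current": sorted(base_assets - curr_assets),
    }


# Constructed sample reports: a previous assessment and the one you commissioned.
BASELINE = [
    Finding("web-01", "TLS 1.0 enabled", "medium"),
    Finding("web-01", "Default admin credentials", "critical"),
    Finding("db-01", "Unpatched DBMS", "high"),
    Finding("legacy-01", "SMBv1 enabled", "high"),
]
CURRENT = [
    Finding("web-01", "TLS 1.0 enabled", "medium"),
    Finding("WEB-01", "Default admin credentials", "critical"),   # same host, different casing
    Finding("db-01", "Unpatched DBMS", "critical"),               # escalated since last test
    Finding("vpn-01", "No MFA on remote access", "high"),          # new finding
]

if __name__ == "__main__":
    for section, items in compare_assessments(BASELINE, CURRENT).items():
        print(f"{section}: {items}")
    for section, items in anomalies(BASELINE, CURRENT).items():
        print(f"ANOMALY {section}: {items}")
```

In the constructed data, `legacy-01` disappears entirely from the new report. The script does not decide whether that is good news; it puts the asset on a list so the question gets asked, which is the point of mapping changes rather than just reading the new report in isolation.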
What to look for:
STAY INFORMED: Regularly read cyberattack and data leak reports
Headlines tend to focus on sensational attacks rather than on everyday ransomware incidents, password leaks, or the importance of educating users, whether management or entry-level staff. Everyone has a role to play in defending the systems.
What to look for:
Once this information is collated and parsed, you can start thinking strategically. In other words, in the next "x" period of time, your goals are to meet "y" objectives. It is good practice to balance the actual requirements against the expectations of the stakeholders and users. In short, focus on creating a win-win environment.
For example, imagine that you decide that all staff will be required to attend cybersecurity training once per year. Not only will this significantly reduce risk, but it is also a requirement of a number of regulatory bodies.
However, what if one of the problems you have identified is that IT is not perceived as approachable? Mandating this type of training might not endear the department to the rest of the organization.
Thinking creatively about how to entice (rather than force) engagement might be a solution for you. For example, conduct the training during lunchtime on the first Monday of each month to a cross-section of employees. Providing lunch or other incentives can quickly take the sting out of this type of mandatory event.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.