- Details
- Category: Security News
For a security leader, the first three months on the job are a honeymoon period that can pass by in a blur. A new CISO can be overwhelmed by numerous initiatives, handovers and other demands for time. It becomes important to remember that a key objective in the first three months should be to focus on establishing credibility that can be leveraged for the rest of the tenure, says Tom Scholtz, research vice president at analyst firm Gartner.
"You need to do three key things," he says in an interview with Information Security Media Group. "The first is to establish and maintain relationships with key stakeholders and key influencers. The second is to articulate and communicate where you want to take the security program. The third is to identify five projects you want to look at in the next 12 months. Of those, pick two key projects that you will either be able to complete or show meaningful progress in the first three months."
The CISO has to wear many hats today, and communication is an important skill. So it's a good idea for a new CISO to get some communications training, considering the multiple stakeholders with which a CISO needs to engage, Scholtz says. When it comes to presentations to senior executives, a key tip is to get somebody from the business to act as a sounding board for the first draft, and then channel that feedback into your communication, he adds (see: Articulating Security's Business Value).
Avoid the Blame Game
One of the common mistakes that new CISOs make is blaming their predecessor for things gone wrong. This should be avoided, Scholtz says, because it sets a negative tone for the security function. The second common mistake, he says, is trying to do too much. And another big issue is focusing too much on the technical aspects of security, neglecting the people and process aspects. "As a new security leader, keep in mind that effective security is based upon a balance of people, process and technology," Scholtz stresses.
In this exclusive audio interview, Scholtz shares his views on how security leaders can build the right kind of credibility and vision in their early days on the job. He discusses:
- The areas a new leader should focus on;
- Establishing effective lines of communication;
- Common mistakes CISOs make in the first three months on the job.
As research vice president at Gartner, Scholtz advises clients on security management strategies and trends. He is an authority on information security policy design, security organizational dynamics and security management processes. Scholtz is a regular presenter at European industry events and has more than 20 years of experience in information security and systems management. His background includes extensive technology experience in the utility and banking industries. Scholtz has been with Gartner since 2005 with the acquisition of META Group, where he was an analyst for eight years. Before META Group, he served in various IT architecture and operations roles for a number of South African companies.
- Details
- Category: Security News
An analysis of U.S. Republican presidential candidate Donald Trump's understanding of cybersecurity leads the latest edition of the ISMG Security Report.
In the report, you'll hear:
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Sept. 2 and Sept. 6 reports, which respectively analyze a conversation with internet co-founder Vint Cerf and comments by Federal CIO Tony Scott, who partly blames the way Congress funds IT for the Office of Personnel Management breach. The next ISMG Security Report will be Tuesday, Sept. 13.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.
- Details
- Category: Security News
Awareness & Training, Cybersecurity, Education
How Cyber Hygiene Away from Job Supports Workplace Security
Summit Keynoter Steve Durbin on the Need for New Type of Awareness Training
Those who are trained on how to embrace good cyber hygiene in their personal lives are likely to be more aware of information security on the job as well.
That's the takeaway from a conversation I had with Steve Durbin, the managing director of the Internet Security Forum, who'll deliver a keynote address at Information Security Media Group's Fraud and Breach Prevention Summit in Toronto, to be held Sept. 13 and 14.
In our chat, Durbin cited a program called "5 to 9" implemented at one organization. The enterprise provided employees with training on ways to enhance secure computing when away from the workplace - from 5 p.m. to 9 a.m.
This awareness program suggests ways, for instance, to keep employees' children away from dangerous websites. In teaching their children about cybersecurity, the employees' own security awareness grows, not only at home but in the workplace, too.
"The impact on the employee was that they became very much more aware of security," Durbin says. "They started to talk about it more in their office environment. The employers saw an uptick in security hygiene. There were not as many [spear phishing] files being clicked on."
Corporate, Personal Environments Blur
Such awareness programs are becoming more important because a growing number of employees are using personal devices for work. "There's been this blurring of the corporate and the personal environment, which has created challenges," Durbin says.
The CISO's office should drive such awareness programs but seek help from those outside of the IT and security departments, Durbin says.
"You have to understand your environment; you have to work collaboratively," he says. "So, if you are looking for how you can [relate] the concept of security to a bunch of individuals, why not talk to the marketing department? They're used to promoting products, services on a daily basis. It's their job. They can help you in that space."
Keynote Address
In his keynote address, "The Emerging Threat Landscape: How To Keep Ahead in Cyberspace," Durbin will discuss:
- Cybercrime vulnerabilities caused by mobility and other emerging threats, as well as mitigation strategies;
- How best to protect mission-critical information; and
- Processes for identifying the data and systems in need of protection.
"We have to ... understand what an appropriate level of protection might be against the backdrop of some of the threats we see," he says.
The Internet Security Forum, which Durbin directs, is an international, independent, not-for-profit association of organizations that investigates, clarifies and offers solutions to key cybersecurity challenges. Founded in 1989, it develops best practices, methodologies, processes and solutions for its members.
Click here for more information on the Fraud and Breach Prevention Summit in Toronto, which features a long list of expert presentations and panel discussions. Another featured keynoter, Gord Jamieson, Visa's head of Canada and North America acquirer risk services, will focus on: "Securing Data in the Future: Lessons from the Payment Card Frontlines."