The first 100 days of a startup CISO

Information security at a startup presents unique challenges. We look at what a newly appointed CISO should prioritise.


Every new employee wants to make an immediate impact. For those going into executive positions, this motivation often comes with the leverage to enact ideas and changes quickly. But opportunity can be a double-edged sword. For some functions, the stakes of getting things right from the get-go are higher—no more so than with information security. Increasingly strict regulations and expectations around systems and data security do not pause for a new CISO to settle in. A solid start is not just desirable, but essential.

The awaiting challenge is harder at a startup, or at a business moving into a scale-up phase. For these organizations, the priority will have been growth, not security. As a result, a new CISO will often find an absence of mature security procedures and policies, and so will be playing catch-up from day one. They may also be faced with a culture that sees security as being in opposition to the agility and innovation that has brought success so far.

So where should a new CISO of a startup focus their first 100 days? The answer depends on the organization, but a strategy that considers all stakeholders, and reaches beyond the technical security requirements to consider culture too, is more likely to succeed.

Here we look at some key themes for consideration. 


1. Get the lay of the land

A lot of factors will determine what a new CISO will, and will not, be able to do. Some of these are more obvious than others, such as budgets, who’s in the team, the business’s core activities, and the overarching corporate priorities. Others are more opaque, but no less important: for example, understanding where the real power is in the organization, which departmental agendas may conflict, or how employees feel about change.

The more knowledge a CISO can muster early on, the more likely that their InfoSec strategy will not only make sense on paper, but can be effected in reality. 


2. Set the right tone

Some employees may shudder at the sight of a new CISO coming in, fearing a litany of new rules that cut back their freedom, introduce new processes, and make more work. Others may simply be apathetic. Both are problems. 

As with any misunderstanding, engagement is what counts. A new CISO should set out to tell the positive story of security, and how (done well) it can enable growth by reducing complexity, making it easier to adopt new software, saving time and cutting costs. They must inspire colleagues to understand that security is not a siloed division that simply operates systems, but an organization-wide activity where everyone’s behavior matters.

Language also counts. As with every business function, InfoSec has its own jargon, and many of its concepts will simply be incomprehensible to someone outside the profession. Test communications for clarity before sending them.


3. Find the quick wins

At some point, a full audit of the organization’s IT and data environment will be necessary. But this can be a largely invisible process, and it takes time. That creates two problems. Firstly, risks and vulnerabilities remain exposed. Secondly, the CISO loses the impetus from the fanfare of their appointment. Both can be addressed by identifying some quick wins.

Begin by listening. Having conversations with colleagues about the software they use, how they use it, and their attitude to data and privacy can be a faster way to learn about the most pressing threats than security analysis tools. Deal with the ones that can be easily fixed, with little intrusion.

If these are behavioral and widespread, then employee training will usually be quicker to organize than creating and enforcing new policies. 


4. Demonstrate progress

Ultimately, you’ve been recruited to stop bad things happening. But don’t presume that everyone knows when you’ve been successful at this. It’s hard to evidence the absence of something. 

Thankfully, help is at hand. Software, such as Metomic, can track where security improvements have been made, and present these to the whole organization in easy-to-read formats. For the C-Suite, this will show progress against industry standards and regulations that ensure organizational compliance. At a lower level, employees can understand their individual contribution (or shortcomings) to security.

What’s more, such software can automate security protocols at an individual user-level—for example, by leveraging existing collaboration tools such as Slack, Zendesk and Salesforce to send alerts and messages. When employees see security in action, they are more inclined to understand how it protects, and how integral it has become to the day-to-day operation.

Choosing and staying laser-focused on north-star metrics (like your company's Sensitive Data Footprint) can help you measure progress across the board. In addition, they make it easier to communicate how much safer your company has become thanks to your efforts. Rallying your team around one or several KPIs will also make it easier to show in which direction you want the team to move.

5. Automate what you can

Odds are, a CISO of a startup will be light on resources. So let automation take the load. Security automation software, such as Metomic, is easily deployed. It can look across your entire surface—from the infrastructure layer to applications, and across multiple environments—to identify and map sensitive data. It can also enforce policies, be it blocking data uploads to the wrong location, or automatically deleting sensitive data when it's no longer needed. And as we have just read, it can take on the burden of communicating with and educating colleagues when they are about to make a mistake.

Key is the integrability of such software. It becomes more effective when it can automatically pull data from, and push actions to, other software and systems. But this benefit is diluted if you need to spend time creating and maintaining these integrations. Plug-and-play solutions that leverage open APIs for rapid deployment and interoperability are how a new CISO can protect their organization at speed, while freeing up time and focus, leaving them to get on with planning their next 100 days, and beyond.

Get in touch today for a chat with our team and a demo of our product.
