This is the point when you really get stuck in. By now, you would have been in the new CISO job for about 2 months and it should start to feel less and less like a new job. Of course, this is not really about 100 days, and you should also start to realise it.
Over the past 6 weeks, you would have met with your management and your team. You would have met with key stakeholders around you and developed a sense of the challenges ahead, including the cultural and geographical diversity of your new organisation. You would have built a sense of what needs to be done, where you are in terms of budgetary cycle and the resources you have or could claim to deliver. You would have consolidated all that into a strategic framework that you would have presented back to your management, taking into account their objectives for your role, and the expectations of all stakeholders. It would have been hard work and it probably feels like you have already been there for a long time. You are ready to go.
At this point, we have to assume that your management has broadly accepted your assessment of the situation, and the approach you proposed to move forward. If that’s not the case, you need to examine the points of divergence and decide the best course of action. If those are too salient, you should leave. Period. Everybody can make a mistake, and this is probably best for all parties if those issues are highlighted early on. If you believe there is still room for maneuver and the adjustments are positive, you should play on. This is for you to judge and no-one else.
If you stay on, the first thing you need to put in place at this stage, is the governance model that will carry you through the execution of your strategic framework.
It needs to fit within the organisation around you and you must start by understanding the structure of existing management committees, their membership and terms of reference. You will need a senior security management committee to supervise your strategic delivery and arbitrate on conflicts, but you must avoid excessive and useless committee duplication. It needs to be chaired by the most senior stakeholder you can convince, ideally a board member and your bosses’ boss. This is key to showcase the importance and value of security for the firm. You should draw on the contacts with stakeholders built up during your first weeks to identify the people who are the most likely to help you move forward, and you must not compromise on the seniority of the membership. Schedule the first committee meeting as soon as possible. This is your true starting point. An overview of your strategic framework and high-level timeframes should offer a natural agenda. Their formal endorsement of your objectives and their ongoing oversight will be the backbone against which all your actions will rest.
In parallel, you need to build the target operating model that will support your strategic delivery. This is entirely dependent on your strategic objectives in terms of content and structure, but it needs to be clear and simple. This is to some extent related to your reporting line, and very likely to be influenced by your relationship – personal and functional – with the CIO.
You will need to validate the target operating model with your management, your senior team members, and key stakeholders. Depending on your corporate employment culture and the extent of the changes you are proposing, you may need to consult with the HR department. In turn, you may need to involve employee representatives or workers councils. It will take time, which is why you need to get this started as soon as possible and keep it as clear and simple as possible. This is also why you need the backing of the most senior executives you can gather around your project.
It needs to be a mid- to long-term move rooted in your strategic assessment of the situation you found and aligned with your transformation objectives over the same time horizons.
Once all is agreed, align the structure of your own team, update job descriptions, performance metrics and where necessary salaries and compensation levels at the first opportunity. You may need to hire and – maybe – fire, which will also take time and efforts. Another reason to get to this point as quickly as you can.
It should now be clear that this period of several months following the conclusion of your assessment phase, should be about installing the execution framework that will carry your strategic delivery plan.
During that phase, you must stay focused on your mid- to long-term management objectives and resist being drawn or pushed into tactical delivery. There may be urgent issues requiring your time and attention, or incidents to deal with, but they are just that — tactical diversions. They are not what you are here for. You are here to deliver the strategic framework agreed upon with your management and the senior security committee.
At the same time, set expectations at the right level: True and lasting change takes “the time it takes” and it is irremediably killed by short-termist flip-flopping. If you need to deviate tactically from your long-term goals, make it clear this is only tactical and temporary and in due course get back on track. Make it clear to all stakeholders that you will stay in the job for the time it takes: That’s the true “secret sauce” to real and lasting transformation.
And now, get things underway: Clarity should be there over what needs to be done, by whom and over what timeframes. Keep things simple, break them down into small chunks as much as you can and get them done one after another. That’s the only way to “eat an elephant” as the old joke goes…
The key things to worry about in the first 6 months (which should raise a red flag because they concern the real profile of your new role and management priorities)
- You cannot attract or retain the right senior stakeholders at the security management committee, in particular as the chairperson
- Organisational rigidity and HR constraints prevent you from making the necessary adjustments to your team
- Tactical firefighting is still the only thing stakeholders around you associate with security (instead of the structured and pro-active protection of the business from real threats)
The things NOT to worry about in the first 6 months (which are just management opportunities for you to address)
- Progress is slow
- You lose more team members than expected (or some you didn’t want to lose)
- Fundamental business changes (mergers, acquisitions) seem to disrupt everything around you (those are often the best times to drive real transformation)
JC Gaillard
Managing Director
Corix Partners
Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.