
The First 100 Days of the New CISO: From Tactical Firefighter to Change Agent (and why it matters to get your hands dirty)


Dealing with the tactical aspects of the function during your first weeks in the job doesn’t have to be detrimental to the success of a longer-term transformative agenda

Much has been written about the Chief Information Security Officer and how to best transition into the role for an incoming executive. A somewhat recurring theme to many pieces on the topic revolves around the balance to be found between short-term firefighting and the need to build a strategic elevated vision.

Spending your first weeks in the role dealing with ever-arising tactical issues could indeed steer you away from the longer-term, transformational agenda which is often the reason you’re in the job in the first place.

Based on my interviews with several CISOs about their first months in the role, I would like to propose a slightly less dramatic attitude towards tactical firefighting. It turns out that dealing with the day-to-day tactical aspects of the function during your first weeks in the job doesn’t have to be detrimental to the success of your longer-term, strategic agenda, and your elevation to the status of change agent.

In fact, it might be quite the opposite. You should see getting your hands dirty handling day-to-day emergencies as a way towards becoming a successful CISO.

First of all, being able to observe how your organization currently reacts to crises, and how much risk it is prepared to tolerate, will help you tremendously in your assessment work.

Tactical firefighting is arguably the best way to learn about how cybersecurity is actually implemented, pinpoint what doesn’t currently work, and help shape your transformation to deliver better outcomes. Pretty much like a real-life fire-safety drill. This can complement – and possibly prove much more informative than – any stakeholder interviews and meetings you will be conducting.

A healthy amount of tactical firefighting will also help you determine the appropriate levels of acceptable and tolerated risk, and come up with a more value-added and focused transformation plan – which is what you’re looking for, after all. Taking into account how various stakeholders within the organization approach the topic of cybersecurity allows the design of a strategy that’s both easier to implement and more efficient.

A particular occurrence of firefighting could serve as a springboard for constructive discussions and some amount of useful storytelling to help design a plan that fits perfectly with the organization’s aspirations and needs.

Similarly, this could dramatically help you get your message across to key stakeholders and gather support around your transformation agenda. Indeed, if everything were rosy and good in the organization, people would likely not put security at the top of their priorities. Instead, people will know you, and you in turn will know people. An ambitious transformation plan will also be an easier sell as your usefulness and your reason for being in the role become clear to key decision-makers within the organization.

At least one of my interviewees attributes her lack of success to the fact that she was not able to gather the stakeholder support needed to get the job done, so that’s something you should not overlook.

Balancing tactical firefighting against a strategic agenda remains as important as ever, especially once you realize how the former might help the latter. You will need to win the hearts and minds of your stakeholders and understand the culture of the organization in order to drive change and make it stick.

Use it to your advantage to build a security transformation vision that drives value, achieves quick wins, and speaks the business language.


Natasha McCabe


Natasha McCabe was the CISO at Royal Mail Group from 2012, shaping and driving the security transformation agenda across the Group and establishing executive-level governance and oversight of cyber security. She then took on the role of Head of Digital Business Transformation and Change, focusing on delivering the strategic implementation of transforming Royal Mail into a customer-centric, digitally enabled, agile business.

Natasha is passionate about security, digital transformation and change, and loves making security engaging and relevant to the business, building relationships across the enterprise to put security on the agenda. Natasha believes it’s all about creating and sustaining a healthy and positive security culture that actively contributes to supporting and enabling business outcomes.

This article was written in collaboration with Vincent Viers.

The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.