Developing Your 60–90 Day Strategic Security Plan

As a security professional, I have worked in numerous business verticals in both the private industry and the federal government. I have led teams supporting thousands of employees in offices worldwide, and I have led teams supporting just a couple hundred employees in offices locally here in the United States. Along that career path of diverse roles and experiences, one of the questions I always get when interviewing for a CISO role is, “What’s your plan, what should we expect from you in your first 60–90 days”? My answer has always surprised my interviewers because I have a process that I have expanded on over the years. I have found it instrumental in developing an effective security program aligned to my company’s business operations.

Our discussion to follow is going to focus on my process and its four stages. I have developed this methodology through trial and error in my multiple roles as a security executive. As a CISO, leading and mentoring personnel requires you to create a plan to assess, implement, and manage your security program and communicate its purpose and be willing to change it when there is a business need. So keep in mind that as we go through my 60–90 Day Strategic Plan, it’s not written in stone; in fact, I like to say it’s malleable. In all five of my CISO roles that I have had the privilege of serving in, I have never used my plan the same way — each company and role has required its own approach to success.

My plan is broken into four parts: Partnership & Culture, Visibility & Growth, Insight & Assessment, and Planning & Communications. I have created a graphic for each of the four, which we will discuss in-depth. All pictures and a complete mind map of the strategic plan are available for download here.

Scenario: Let’s begin; you have been hired by a fantastic company <grin> to be their CISO. The company has a legacy security program that you’ve inherited, and you are tasked to assess and change where needed. The clock is ticking because current business initiatives in your new company’s pipeline will escalate the development of new products and expand operations. You are being directed to get the cybersecurity program ready to support these initiatives quickly. So with this context, let’s delve into how you would proceed to align your security program to the business and mature its services.

• **These stages are not sequential; however, they are designed to support each other.

1. Partnership & Culture

This first stage of my 60–90 Day Strategy Plan is focused on meeting specific groups of people. That’s correct; my initial step doesn’t involve making any changes to the security stack or any processes unless there’s a critical need. Instead, I recommend you contact your peers in the essential business units and meet them for lunch or an initial quick meeting, followed by a more extended discussion. The purpose is to establish a relationship, introduce yourself, and “listen.” In these discussions, I typically ask many questions and take notes because I am trying to learn from them what technologies, services, data, applications, etc., they currently use and any future projects to upgrade or decommission legacy technologies. So the purpose of these questions is to learn from them how they support the business and any issues they may currently have with your security program, so take notes and actively listen.

The next set of people you should reach out to and meet are the “critical people,” the subject matter experts, partners, vendors, etc., many of whom may not be in management positions. However, due to their knowledge and expertise, the business runs smoothly. You speak with them to understand the side of the company that’s not on the org chart. You must also meet champions within the departments who support your team and seek to meet board members if possible for an enterprise view of the business and where they believe it is going. Please note: I list specific departments that I feel are essential for a CISO to meet in the above picture. Some departments, like Information Technology, will be intertwined in everything the security team is doing, so I believe you must have a good relationship with that business unit. Other departments may be in more of a support role, like Procurement, but they control most everything a CISO will want to do, so you want an excellent relationship with them as well.

As we finish, I would be remiss if I forgot the Compliance and Risk stakeholders. As a new CISO, these are peers who will give you a good view of what they believe the company’s current risk posture is and what policies, processes, and controls are currently in place. This same group is also whom you should ask for previous breaches, assessments, and audits documentation. I will state these are people a CISO must have a good working partnership with, so be professional, listen to their input, and collaborate for the betterment of your security program and the company.

2. Visibility & Growth

The second stage is one of the longest and is focused on your security program and team. It consists of five components, and you will find this stage is a continuous process of assessment and review. As a CISO, you never stop reviewing your security stack or stop mentoring and leading your team. You will regularly review the budget and all current initiatives progress, and don’t be surprised how many committees and working groups you are volunteered to lead or attend.

• Review Current Contracts — this first component is all about collecting current contracts that are part of your team’s budget. I would suggest you read through them to verify all of the technologies you are paying for have been delivered and used by your team. I would also state you should review these contracts to understand who your partners are at each of these vendors and if they have specific service level agreements that apply to the services they are providing your company. Reviewing these documents lets you know if you are locked in the long term or if you can make a change; plus, they may also list provisions that must be met if you are going to cancel the contract. This data is essential, and as the CISO, you should understand the impact on your budget if the company doesn’t follow these guidelines.
• Review Current Budget — for this section, I typically ask for the current budget and any previous budgets. I am looking to see if there are any patterns in growth or changes to technology strategy. As the CISO, you will want to review this and keep it close to you for continuous monitoring as you proceed to finish current initiatives and plan future projects. I typically review and see what funds are allotted for specific technologies and then seek to get discounts from vendors to save money. I try to use these savings to pay for emergent issues or help pay for the security team’s training. One other option to keep in mind when you review the budget is the concept of “chargebacks.” Is your team providing services that could be charged to other departments? If allowed, you will need to track how much “security services” each department requires, and your team will need to accept that employees are now their customers.
• Review Security Stack — is one area I truly enjoy because I came from network engineering to security, and I am fascinated at how enterprise networks are built and the data flows that traverse through them. Even though you are reviewing the security stack in this section, you should always check the technologies integrated into it and those it monitors. To be effective, you will need to bring stakeholders such as IT, Software Development/Engineering, Operations, and Risk, to name a few. As the new CISO, you should review current projects and know the value they are expected to bring to the company. It would be best if you also understood the infrastructure and operations of your stakeholders so you can evaluate if your inherited security stack is appropriately tuned to monitor for the correct risks and threats. In this stage, you should document any metrics or reports you are expected to generate from the data your security stack creates and assess if these reports still provide business value.
• Review Admin & Documentation — this next area is about collecting documents and information to establish a current view of the organization’s security and risk posture. You will note in the mind map image above I recommend reviewing previous assessments. I also suggest reading all existing policies that both security and IT have, so as a CISO, you perceive the business’s approach to risk and note any gaps that may need to be addressed. Finally, in this area, you should review all network and security drawings to ensure they are current, and I would highly recommend you check the CMDB to verify it is accurate for software, hardware, and cloud service assets. Note that it’s not uncommon to find areas here that are immature and will need work. That’s ok; document it and add it to the list of issues that will become part of your 36-month security strategic plan, which we will discuss in a moment.
• Team Assessment — this final section is about meeting your team, and it can be done when you first arrive, or you can gradually do it over time to establish yourself as the CISO and get to know your people. From experience, I would suggest you review the job descriptions each team member is hired under and annotate changes HR needs to make, so they are current. Next, I would recommend reading through your team’s individual resumes to get a sense of skillsets, experience, education, and certifications. Finally, review evaluations, note those working to correct issues and those that are core performers, and then meet your team without the managers present. This gives them a chance to talk unhindered, and you may find some information about your direct reports that surprise you or not. After meeting with them, it’s time to meet with your managers; I suggest you meet with them as a group to give them your vision of where the team is going and then listen to their feedback. Then do a follow-up and meet with each manager in a 1:1 and actively listen to them. Let them provide you their insight into how they lead, hear any issues or concerns, projects they are working on, and their hopes for the team with your leadership.

In closing, remember as a leader, not only do you set the tone and drive vision, you also must give your direct reports room to grow, so be willing to delegate and allow them to learn from experience.

3. Insight and Assessment

By this stage of the process, it’s time to increase your knowledge of the business and any current risks or regulations that may impact its success. Much of this stage is reviewing documentation that other stakeholders may manage, such as the Risk or Compliance teams, which is why I said you need to have a positive relationship with them. You should end this stage better informed about the company, the environment it operates in and be ready to conduct an internal assessment to establish your view of its threats, risks, and security control deficiencies.

• Recent Security/Risk Assessments — as stated previously, this is where you want to collect previous assessments, review what was in scope during the audit, what controls were found mature, and what recommendations were made by auditors for improvement. This is also an excellent time to investigate if previous findings were reported to the leadership team and were remediated. Be aware, from experience; you will find there are outstanding issues from the most recent audit. Just document them and add them to the strategic security plan you will build later. Remember, don’t get entangled in the minute issues you find; record them for later.
• Regulations/Compliance — As the CISO for your new company, you should already know what compliance regimes or regulations apply to your company from your interview. Plus, now that you have reviewed your security architecture and have spoken with peers about the data and services they use within their departments, you know what data/services are sensitive. This context should help you review how this sensitive data is created, changed, used by 3rd parties, stored, protected, and reported if there is an incident. If the business lacks in meeting its compliance requirements for this data, document the risk exposure and add it to your growing list of initiatives to be addressed as part of the strategic security plan.
• Business Goals — I am a firm believer that CISOs are business executives. As more of our peers become board members, board advisors, and leadership team members, it becomes evident that one of the core skills strategic CISOs develop and use to be effective in understanding their company’s business goals and then aligning their security program to support the vision of their company. So in this step, you need to revisit speaking with your stakeholders and any available senior leadership to increase your knowledge and awareness of the companies future goals and initiatives.
• Conduct Internal Assessment — by this final step; you have reviewed previous assessments. You know what regulations and compliance requirements your company must meet and know enough about the business to know which security controls significantly impact or support operations. Now it’s time as the CISO for your new company to conduct your own internal assessment. This effort will provide you insight into the maturity of the security program you inherited. I approach this step by using the Center for Internet Security (CIS) — 20 risk controls to ensure my organization meets baseline security hygiene requirements. The rule I follow, based on experience, is if my organization has implemented enough of the CIS controls to score a 65% or better, then the company is mature enough for using NIST CSF or ISO 27001. If the business scores below 65%, I delay looking at a more mature risk framework and instead focus my security program, resources, and team on implementing critical core controls that must be installed to create the foundation for our growing security program.

As we finish “Insight and Assessment,” we have completed our internal assessment, and we have a list of security disparities that need to be reviewed and prioritized for action. This effort is the final part of my process, so let’s begin with “Planning & Communications.”

4. Planning and Communications

This final stage is all about business alignment. It is about how you, as the CISO, develop a vision for your security program and a strategic plan that will be used as its roadmap. To begin, you should take a moment to review all of the documentation you have collected. You should now have an aggregated list of concerns you gathered through reviewing previous assessments & audits, current policies, and finally, your recent internal CIS 20 assessment. This stage is focused on three areas where you will use stakeholders to prioritize and align your findings, then concentrate them into a 36-month plan, and finally communicate that plan to evangelize the business’s path forward — so let’s get started.

• Stakeholder Review — in this stage, it’s focused on asking peers from the various business units to help you review your list of findings. As the security leader, you will have a natural affinity to look at the list of security gaps you have and prioritize them based on security best practice and their impact on your team and regulatory requirements. However, this view is not the optimal approach for a security executive because you must instead think about the effects on the business, current initiatives, vendors, partners, and future company plans. To do this effectively, you need your stakeholders’ input. Their input will provide you business context. An example of why their assistance is required: you see a critical control on your list that needs to be implemented to reduce risk, but several of your peers in the essential business units such as Dev, Engineering, Production, Operations, etc. see a new process that may impact teams who generate revenue — guess who wins that discussion <grin>? That is why this stage will take time to collaborate with stakeholders and compromise on which findings have priority. So be patient, listen, take notes, make your case when needed, and in the end, you will have a deliverable designed to account for business needs. One final note about this process is getting stakeholders to assist you. They now have buy-in on you creating your strategic security plan and understanding your security program’s focus. So leverage that, mature those relationships, and ask them to join your security review committee as well.
• Areas for Impact — this is the fun part; your stakeholders have helped you “rack-and-stack” your list of findings and align them to the company’s needs, but now you must break the list down into three 12-month increments. This selection is vital because, as a new CISO, you are creating your 36-month strategic roadmap, and those initiatives you select for the first 12 months will not only influence the vision you have for your team but also impact your team’s current resources. From experience, I have found there are core technologies/processes within a security stack that should be focused on first if found to be on your list. These technologies are:
• Data & Application Governance — SaaS applications, data management, DLP, insider threat, etc.
• Endpoint Hygiene — inventory, patch management, AV/EDR, vulnerability scanning, encryption.
• Data/Network Access — SASE, RBAC, VPN, remote access, data replication/backup.
• Identity & Access Management — 2FA/MFA, SSO, Zero Trust, PAM, password/passwordless management.

This list isn’t meant to be the definitive statement for where you should start; instead, it should be a marker to help you think about the business, its operations, its compliance requirements, and if you find weaknesses in the core cyber hygiene areas, get these corrected first, so you have a stable foundation to build on. By the end of this process, you should have your plan for the next 12 months, which can also develop your new budget. You will also have a long-term strategic plan laying out all 36-months’ worth of initiatives that can be used to brief your team and leadership staff which we will cover next.

As I finish this discussion, I will repeat that this process is flexible and continuous. Just as cybersecurity is a revolving life-cycle of risk management, this process for developing your plan to manage risk is never-ending, and you will at times revisit sections of it to update your knowledge or adjust your strategic plan. In no way am I stating this is the only process for a new CISO to follow for evaluating their security program and developing a strategic plan. In fact, I am sharing my thoughts on this because I am a perpetual learner <grin> and not only is it my hope this knowledge helps our community, but you as my peers may have other insights to share that I can add to streamline my process for the betterment of my team, my company, and the cybersecurity family at large.

****This article, pictures, and mindmap is available for download.

***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the author of The Essential Guide to Cybersecurity for SMBs and Developing Your Cybersecurity Career-Path. For those of you that have asked, all four books are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.