New CISOs should prioritise people over tech, report finds

A new report from Forrester suggests that new chief information security officers (CISOs) should be focusing on people rather than tech, at least in the beginning.

To reach this conclusion, the report's authors interviewed dozens of security executives.

During the interviews, the following two themes emerged.

First, developing human connections is more critical than mastering technical details.

Second, addressing the company’s major security challenges is not possible in the first 100 days, but it is possible to irreparably harm your security team’s brand in the eyes of colleagues and peers.

Therefore, it is important for new security executives to remain flexible in the first couple of months and to be ready to adapt as new information comes in.

Moreover, it helps to have a plan for how security issues will be communicated.

Jeff Pollard, vice president at Forrester, believes that cultivating positive relationships remains key in the early months after a CISO assumes a new role.

The researchers believe that explicitly criticising a predecessor’s decisions or past policies might not be the best approach, and the same holds true for any kind of aggressive or hostile communication.

It is an unfortunate reality that many security teams are not popular within their organisation.

Often, this is due to being perceived as an obstacle to the implementation of new ideas or processes.

Pollard believes that in the first three months, parting ways with past practices should be done in a respectful and non-judgmental manner.

This is also a golden opportunity to become familiar with individual members of the team.

Rick Holland, CISO at Digital Shadows, believes that mapping out the threat landscape should be second to mapping out the motivations and needs of colleagues and peers.

According to Chris Morales, CISO at Netenrich, there is nothing worse than a newly hired CISO who tries to assert their own agenda without evaluating the current circumstances.