First 60 Days as a CISO – The Security Audit: Evaluating Tools, Processes, and Vulnerabilities
Sep 30
Author - Sahil Chadha
Welcome back to our exploration of a CISO's first 90 days. Having laid the groundwork in your initial 30 days as a CISO, you're now ready to dig deeper into your organization's security landscape. The relationships you've built and the initial insights you've gained will prove invaluable as you move into this critical phase of review and assessment.
By now, I hope you have been diligently taking notes on the important points and feedback from your discussions with your team and various partners, as we will be putting all that information to good use from here on.
Security, like any other business unit, operates with a budget, headcount, and an expected Return on Investment (ROI). To assess where we stand, we'll break down the review into five key categories: Financial, People, Technology, Risk, and Processes. Each of these areas provides crucial insights into the effectiveness of your security strategy, highlighting where adjustments need to be made to align security efforts with business goals.
Financial Review
1. Budget: Review your team's historic spending across vendors, tools, people, and any other general and administrative (G&A) expenses that may be part of your budget, and use it to estimate your budget for next year.
2. Headcount Cost: Review your current and open headcount, and estimate the total cost associated with your team members.
3. Vendor Expenditure & Renewals: Review your vendor expenditure from highest to lowest spend. Also, review upcoming renewals to identify which vendors should be consolidated, which require active negotiation, and which should be terminated. Renewal dates set your negotiating window, so note them early.
4. Internal Services: Review the security services you provide within the company (to internal customers), and decide whether these services should be charged back to the other business units that consume them.
People Review
1. Team: Review your team's skill sets and job descriptions to ensure that everyone's roles and responsibilities are aligned with their skills. Also, review their previous performance evaluations and feedback to identify their strengths and areas for growth. Set up skip-level 1:1s with employees to gain insight into your direct reports and to open communication channels across the team.
2. MSP/Account Executives: Crowdsource feedback on critical Managed Service Provider (MSP) consultants and key vendor Account Executives (AEs) to determine whether your team is getting the support it needs or whether a realignment is required.
3. Open Roles: Review the open roles and get a sense of each hiring pipeline to ensure alignment with the broader vision and goals, and identify any opportunities where roles may need to be consolidated or diversified.
Technology Review
1. Security Stack: Review the current security stack with stakeholders from IT, DevOps, Finance, HR, and others to understand whether it is meeting the risk management goals set for the organization. Also, evaluate the reported topline metrics from your tooling to confirm that you have security insights, logging, and monitoring across product, infrastructure, and G&A (HR, Finance, Legal, IT) systems; a tool that is deployed but not ingesting logs from a business unit is a gap, not coverage. Additionally, review any high-level reports or dashboards that have been shared with the executive leadership team in the past.
2. Tech Stack: Review the tech stack alongside the insights from your discussions with the CTO and key architects to understand the direction the company is moving in, whether that is adoption of Kubernetes, a preference for a specific cloud provider, single-tenant vs. multi-tenant environments, or a hybrid infrastructure.
Risk Review
1. Past Risks: Review the results of the last risk assessment conducted, and which risks were mitigated, eliminated, transferred, and accepted, following the META model (Mitigate, Eliminate, Transfer, Accept). Pay particular attention to accepted risks: each should have a named owner and a review date, or it has effectively been forgotten rather than accepted.
2. Incidents: Review the critical security, compliance, or privacy incidents of the last 12 months and evaluate how they were handled, including whether the root causes were addressed or only the symptoms.
Project, Processes, Policy Review
1. Planned Deliverables: Review the planned security and compliance deliverables for the current quarter and year, and ensure they are in line with the company's mission and vision.
2. Processes in Place: Review established processes such as vendor risk assessment, threat modeling, incident management, and communication processes to ensure they capture the most important outcomes and are viewed positively by your key stakeholders.
3. Policy Alignment: Review the current set of policies, such as acceptable use, clean desk, backup, and change management, to ensure they are appropriate to the size of the organization. I have seen cases where the policies of a 200-employee company were a replica of those of a 10,000+ employee company, which resulted in unenforceable policies.
Assessment
Until now you have been drinking from the firehose, learning about the business, the people, and the current security posture of the company. A few glaring gaps should be obvious by now, but without conducting a thorough risk assessment it is almost impossible to know the full set of security risks an organization faces or to build an effective security strategy with prioritized deliverables. At a minimum, you should conduct the following assessments:
1. Internal Risk Assessment: If the last risk assessment is older than six months, it is good practice to conduct a new one, as it will help you understand the company's gaps and risks in detail. Pick a framework that aligns best with your needs. I recommend NIST CSF, which is flexible and can be applied to companies of different sizes; assessing your current state against a target profile for each of its functions gives you a structured view of where the gaps are. The goal of this risk assessment is to identify the top risks to the company that will shape your strategy going forward.
2. Compliance & Regulation Assessment: It is important to assess whether there are specific compliance and regulatory requirements for your business. For example, if you are a SaaS startup selling your product in Europe, you may be asked about ISO 27001 certification and how your product complies with GDPR (non-compliance is not an option; it is the law). For customers in California (USA), you may be asked how you comply with CPRA if you meet certain thresholds. If you are selling a product to the Federal Government, expect FedRAMP-related requirements. This is why a thorough compliance and regulation assessment matters.
3. Business Goals Assessment: Security is often seen as a cost center or a blocker. As a Security Executive, however, this is your chance to demonstrate how security can enable the business. Engage with key stakeholders and peers to understand the business goals deeply, and focus on how you, as a CISO or Head of Security, can support those goals. Always remember: "Security is for Business, Business is NOT for Security."
Final Thoughts
As we conclude this phase of your journey, you have gained a comprehensive understanding of your organization's security posture. This knowledge forms the bedrock on which you will build your strategy in the final 30 days of your initial quarter. In our next and final installment, we will explore how to translate these insights into action, developing and communicating a robust security strategy that aligns with your organization's goals and addresses its unique challenges. Until then, stay tuned!