Twosense Blog

From CISO to CISO: Navigating the Initial 100 Days in a BPO Setting

Written by Ivan Milenkovic | Sep 18, 2024 11:55:02 AM

Introduction

The position of Chief Information Security Officer (CISO) is critical, especially within Business Process Outsourcing (BPO) organisations, which face a wide range of cyber threats on a continual basis. Although there are already many good articles and papers on the topic of the first 100 days, I hope that an industry-specific focus adds some value.

What is specific to the industry is that BPOs inherit almost the entire threat landscape of their clients. Hence, the CISO not only bears responsibility for protecting the organisation's own information assets, maintaining operational resilience and reducing cyber risk, but also carries the heavy burden of ensuring that all clients' data, and processes that often span multiple environments, are well protected.

The first 100 days for a new CISO in such an environment are therefore especially important, as they establish the CISO's approach to leadership and define the security stance of the organisation, a stance that often shapes how the BPO itself is perceived by the market and by its clients.

Prepare, prepare, prepare

By failing to prepare, you are preparing to fail…

Although it is debatable whether the above wisdom really came from Benjamin Franklin, the statement itself is undeniably and brutally correct. Once in the hot seat, a new CISO faces a multitude of challenges that, if not planned for in advance, can be overwhelming. Spending some time beforehand to plot the happy path can yield significant benefits. Most authors on the topic agree on the big five themes that underpin a successful start. They may be named slightly differently, but the gist is the same:

  1. Research and prepare
  2. Understand and assess
  3. Plan and prioritise
  4. Act and execute
  5. Monitor and report

It would be relatively easy to craft a nice plan based on those themes, given their natural flow. The challenge, however, is that a new CISO does not really have 100 days to set things up. Across the whole spectrum of adversaries, from threat actors with animal-themed code names on one side to disgruntled insiders on the other, no one will grant a 100-day honeymoon. Action is required "yesterday". Some hints and quick wins can therefore buy enough extra time to settle in.

Research and Prepare

Before officially stepping into the role, a new CISO should engage in thorough preparation. This includes:

  • Company Research: Gaining an understanding of the organisation's mission, culture, and the role of security within it. This can be achieved by reviewing company reports, news articles and other relevant documents, as well as other publicly available information.

Hint: this is a great starting point, as researching with a "grey box" mindset makes it easier to understand what information a potential attacker could gather from the outside.

  • Outgoing CISO: If possible, the incoming CISO should learn from their predecessor's experiences, successes, and challenges. This can provide valuable insights into the organisation's security landscape and potential areas for improvement.
  • Mandate: (Another one for the "if possible" category, except that it is rather critical.) Clarifying the expectations for the role and understanding the key security issues that need to be addressed. This involves open communication with the board of directors and other key stakeholders. There is usually a good opportunity to start some of this during the hiring interview process, so do it!
  • Technology Familiarity: Gaining knowledge of the existing security tools and systems, the prevalent technologies across the IT landscape, and so on. This will help the CISO focus on the most important areas once they start (and is a great opportunity to read up on the potentially obscure and less well-known tech that is found across the industry almost as a rule).
  • Stakeholder Insights: Identifying key stakeholders within the organisation and understanding their expectations and concerns related to information security.
  • Engagement: Scheduling initial meetings with the security team and key stakeholders to make introductions and establish presence across the business.
  • Client and Industry Research: Gaining knowledge of who the important clients are (yes, ALL clients are important, but there will inevitably be some tiering based on size, strategic alignment or similar), as well as identifying whether clients cluster in specific industries, since each industry brings its own regulatory and threat profile.

Understand and Assess

Once in, during the first few weeks the CISO should focus on observing and establishing relationships rather than making immediate changes. This includes:

  • Observation: Spending time with the security team, understanding their roles, responsibilities, and how they coordinate with other teams.
  • Team Dynamics: Assessing the strengths, weaknesses, and morale of the security team. This will help the CISO build a strong and effective team.
  • Building Relationships: Meeting with key stakeholders, including the CEO, CIO, and departmental heads, to grasp their viewpoints on cybersecurity. These discussions should uncover their strategic objectives, risk tolerance, and expectations for the CISO's role in achieving cybersecurity goals. 
  • Building Relationships II: Remember the BPO specifics: what the client wants, the client gets. And sometimes people can be scarily creative in delivering those wishes! Meeting the key stakeholders in charge of the operations side is therefore essential. COO, site, operations and "floor" managers: ignore them at your peril.

In the first month, the CISO should conduct a thorough assessment of the organisation's security processes and technologies, focusing on safeguarding the key client-facing processes, applications, platforms, customer databases and any intellectual property that is vital to the business's profitability. This includes:

  • Business Value Protection: Identifying the most critical information assets and ensuring they are adequately protected.
  • Risk Assessment: Identifying and prioritising the most probable and impactful cyber risks for a data-driven security strategy. This is crucial for maintaining client trust, as any security incident could potentially compromise their data.
  • Control Framework Assessment: Evaluating the current cybersecurity controls against a standard such as NIST CSF or ISO 27002 gives a structured baseline and a gap list to work from.

Plan and Prioritise

By the end of the first quarter, the CISO should have a clear vision for the organisation's security and a plan to achieve it. This includes:

  • Strategic Security Integration: Embedding security early in business initiatives to enable, rather than hinder progress, ensuring security is a core part of the strategy.
  • Client Trust: (If not already the case) Building a culture of transparency around security positions and challenges; initially internally, and once everything is stable, externally with clients. Openness and the right level of assurance that their processes and data are safe is the best recipe for building and maintaining clients' trust.

Hint: To build relationships with clients, it is important to communicate security posture and initiatives in a way that builds trust and confidence. For example, establishing a structured way of sharing information about security certifications, compliance frameworks and incident response plans is always well received (and in many cases expected). Moreover, regular updates on security initiatives and metrics, such as the number of detected and resolved security incidents, demonstrate ongoing commitment to security and can even reduce the load of external assessments and questionnaires.

  • Short-term Goals: Identifying quick wins that can improve security and build credibility. This includes:
    • Establishing and Implementing a Cyber Risk Quantification Framework: This involves using a data-driven approach to quantify cyber risks in financial terms, so the organisation can make informed decisions about where to invest in security controls and how to prioritise risk mitigation. The framework should be aligned with industry standards and best practices, and regularly reviewed and updated to ensure it remains effective.

Hint: It might not be obvious but, typically, the most important and valuable asset of a BPO company is its people. When they cannot work, the company does not make money. And it is rather easy to translate lost hours into a $ value.
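As an added example (not from the original post), the following Python sketch turns the hint above into numbers the way a quantification framework such as FAIR does: outage frequency and duration are modelled as distributions rather than single guesses, run through a Monte Carlo simulation, and summarised as an annualised expected loss (ALE) plus loss-exceedance percentiles that can be set against the cost of a control. The scenario, the agent count, billable rate, frequency and duration figures are all constructed assumptions.

```python
"""Cyber risk quantification sketch: idle agent-hours on a production floor
expressed as annual loss. Added example; all inputs below are assumptions."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    name: str
    agents_affected: int            # seats idle while the floor cannot work
    billable_rate_per_hour: float   # revenue lost per idle agent-hour (assumed)
    events_per_year: float          # how often the outage is expected (Poisson rate)
    duration_p50_hours: float       # median outage length
    duration_p90_hours: float       # 90th-percentile outage length
    fixed_cost_per_event: float = 0.0  # SLA penalty, response cost, etc.


def lost_hours_to_money(hours, agents, rate, fixed=0.0):
    """The translation the hint mentions: lost agent-hours -> currency."""
    return hours * agents * rate + fixed


def lognormal_params(p50, p90):
    """Lognormal mu/sigma that reproduce a given median and 90th percentile."""
    mu = math.log(p50)
    sigma = (math.log(p90) - mu) / 1.2816  # z-score of the 90th percentile
    return mu, sigma


def poisson(rng, lam):
    """Number of events in one simulated year (Knuth's method; fine for small rates)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(sc, trials=20_000, seed=7):
    """Monte Carlo over `trials` simulated years; returns ALE and percentiles."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    mu, sigma = lognormal_params(sc.duration_p50_hours, sc.duration_p90_hours)
    annual = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, sc.events_per_year)):
            hours = rng.lognormvariate(mu, sigma)
            total += lost_hours_to_money(hours, sc.agents_affected,
                                         sc.billable_rate_per_hour,
                                         sc.fixed_cost_per_event)
        annual.append(total)
    annual.sort()

    def pct(p):  # loss not exceeded in fraction p of simulated years
        return annual[min(trials - 1, int(p * trials))]

    return {"ale": mean(annual), "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


def control_value(baseline, with_control, annual_control_cost, **kw):
    """Net annual value of a control: ALE reduction minus what the control costs."""
    return (simulate(baseline, **kw)["ale"]
            - simulate(with_control, **kw)["ale"]
            - annual_control_cost)


if __name__ == "__main__":
    # Constructed scenario: a 400-seat floor loses access to a client platform
    floor_down = Scenario("floor down", 400, 25.0, 3.0, 2.0, 8.0, 5_000.0)
    # Same scenario after a failover control that halves the frequency (assumption)
    with_failover = Scenario("floor down + failover", 400, 25.0, 1.5, 2.0, 8.0, 5_000.0)
    print(simulate(floor_down))
    print("net value of failover at $40k/yr:",
          round(control_value(floor_down, with_failover, 40_000.0)))
```

The point of the percentiles is that a board can be told both "we expect to lose about X per year" and "one year in ten will cost more than Y", which is the language in which control spend is usually approved or declined.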

  • Validating and Enforcing Multi-Factor Authentication (MFA): Given the sensitive nature of data handled by BPOs, it's crucial to ensure that access to systems and data is secure. Validating and enforcing MFA across the entire estate will significantly reduce the risk of unauthorised access. This includes ensuring that MFA is implemented correctly, that all users are trained on its use, and that any issues or exceptions are promptly addressed. 

Hint: In the BPO world, MFA might not be as straightforward as elsewhere. Because of clients' requirements, multiple solutions could be needed. For reasons such as fraud prevention, mobile devices are normally not allowed on the "production floors", so authenticator apps might not be an option there. Physical tokens often have a very high total cost of ownership (TCO). Choosing a viable solution can therefore be challenging; make sure to consider a behaviour-based one such as Twosense.
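As an added example (not part of the original post), here is a small Python audit of the "validate" half of that goal. It reads an identity export, works out who has a usable MFA method, and separates people with nothing registered from floor staff whose only registered method is phone-based and therefore unusable where mobiles are banned. It also checks that any documented exception has an owner and has not expired, so that the exception list does not quietly become the permanent gap list. The export layout, field names and sample records are all constructed; a real IdP export will need a small mapping step into this shape.

```python
"""MFA coverage audit over an identity export. Added example; the record
layout, field names and sample users are constructed assumptions."""
import json
from datetime import date

# Methods that need a mobile device, so they do not count on a production
# floor where phones are banned (assumption; adjust to the client's rules).
PHONE_BOUND = {"authenticator_app", "sms", "push"}

SAMPLE_EXPORT = json.dumps([  # constructed records, not real accounts
    {"user": "a.agent", "site": "floor-1", "floor": True, "enabled": True,
     "methods": ["authenticator_app"], "exception": None},
    {"user": "b.agent", "site": "floor-1", "floor": True, "enabled": True,
     "methods": ["fido2"], "exception": None},
    {"user": "c.agent", "site": "floor-2", "floor": True, "enabled": True,
     "methods": [], "exception": {"owner": "ops-lead", "expires": "2024-06-30"}},
    {"user": "d.admin", "site": "hq", "floor": False, "enabled": True,
     "methods": ["authenticator_app", "fido2"], "exception": None},
    {"user": "e.svc", "site": "hq", "floor": False, "enabled": True,
     "methods": [], "exception": {"owner": "", "expires": "2025-12-31"}},
    {"user": "f.leaver", "site": "hq", "floor": False, "enabled": False,
     "methods": [], "exception": None},
])


def usable_methods(record):
    """Registered methods the user can actually use where they work."""
    methods = set(record["methods"])
    return methods - PHONE_BOUND if record["floor"] else methods


def exception_problem(exc, today):
    """None if the exception is acceptable, otherwise why it is not."""
    if exc is None:
        return "no exception on file"
    if not exc.get("owner"):
        return "exception has no owner"
    if date.fromisoformat(exc["expires"]) < today:
        return "exception expired on " + exc["expires"]
    return None


def audit(export_json, today_iso):
    """Return (findings, coverage_by_site). Coverage counts real MFA only,
    never exceptions, so the number stays honest when reported to clients."""
    today = date.fromisoformat(today_iso)
    findings, per_site = [], {}
    for r in json.loads(export_json):
        if not r["enabled"]:
            continue  # disabled accounts are a deprovisioning question, not an MFA one
        site = per_site.setdefault(r["site"], {"users": 0, "covered": 0})
        site["users"] += 1
        if usable_methods(r):
            site["covered"] += 1
            continue
        problem = exception_problem(r["exception"], today)
        if problem is None:
            continue  # the gap is known, owned and time-boxed
        detail = ("only phone-bound methods, unusable on a production floor"
                  if r["methods"] else "no MFA method registered")
        findings.append({"user": r["user"], "site": r["site"],
                         "detail": detail, "exception": problem})
    coverage = {s: round(v["covered"] / v["users"], 3) for s, v in per_site.items()}
    return findings, coverage


if __name__ == "__main__":
    findings, coverage = audit(SAMPLE_EXPORT, "2024-09-18")
    for f in findings:
        print(f"{f['user']:10} {f['site']:8} {f['detail']} ({f['exception']})")
    print("coverage by site:", coverage)
```

Run against the sample on 2024-09-18 it reports three gaps: a floor agent who "has MFA" on paper but cannot use it at their desk, a floor agent whose exception lapsed in June, and a service account with an ownerless exception. The per-site coverage figure is the one worth putting in front of operations managers, because enforcement on a floor that shows 50% coverage will lock people out on day one.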

  • Medium-term Goals: Developing a plan to address significant security gaps in an affordable and efficient manner.
  • Long-term Goals: Planning for important, resource-intensive security improvements that will enhance the organisation's security posture in the long run.

It is important to clearly link the goals and priorities to business outcomes. 

Act and Execute

Once the plans are in place, the CISO should act and execute on them. This includes: 

  • Implementing Security Initiatives: This involves executing the plans for short-term, medium-term, and long-term goals, and ensuring that they are implemented effectively. 
  • Change Management: Managing the changes that come with implementing new security measures, including communication, training, and addressing resistance. This is important for maintaining client trust, as they need to be informed about any changes that could affect them. 
  • Vendor Management: Working with vendors to ensure that the organisation has the right tools and systems in place to support its security strategy.

Monitor and Report

After implementing security initiatives, the CISO should monitor their effectiveness and report on them. This includes: 

  • Establishing Metrics and KPIs: To measure the effectiveness of security initiatives and identify areas for improvement. This is crucial for maintaining client trust, as they need to be assured that the organisation is continuously monitoring and improving its security posture. 
  • Implementing Monitoring and Reporting Mechanisms: To detect anomalies and potential threats, and to provide visibility into the organisation's security posture. 
  • Continuous Evaluation and Optimisation: Based on the evolving security landscape, to ensure that the organisation's security strategy remains effective. This is important for maintaining client trust, as they need to be confident that the organisation is staying ahead of new threats and vulnerabilities.

Conclusion

In conclusion, the first 100 days of a CISO's tenure in a BPO setting are a critical period that requires a strategic and well-planned approach. The unique challenges of the BPO industry, including the inherited threat landscape of clients, make the role of a CISO even more vital to the success and reputation of the organisation. By focusing on researching and preparing, understanding and assessing, planning and prioritising, acting and executing, and monitoring and reporting, a new CISO can establish a strong security posture and build trust with clients.

It is essential to remember that a new CISO does not have the luxury of a 100-day honeymoon period. The need for action is immediate, and quick wins can buy enough extra time to settle in. Therefore, it is crucial to identify short-term goals that can improve security and build credibility, such as establishing and implementing a cyber risk quantification framework and validating and enforcing MFA.

Moreover, building relationships with clients is critical to the success of a CISO in a BPO setting. Communicating security posture and initiatives in a way that builds trust and confidence is essential. Regular updates on security initiatives and metrics, such as the number of detected and resolved security incidents, can demonstrate ongoing commitment to security and even lead to reduced load on external assessments and questionnaires.

A new CISO in a BPO setting must balance transparency, high standards and a willingness to learn to lay the foundation for a successful tenure and a robust security posture for the organisation. By focusing on business value protection, cyber risk prioritisation, control framework assessment and strategic security integration, a new CISO can contribute to the organisation's cybersecurity resilience and build and maintain the trust of its clients. The tangible short-term goals of establishing a cyber risk quantification framework and validating and enforcing MFA will provide immediate value and set the stage for long-term success.