Cybersecurity isn’t underfunded, It’s undermanaged

The first 100 days: Where trust is won or lost

Quite a lot of that disconnect is effectively built up in the first 100 days of the CISO.

Many CISOs come into a new job with preconceived views, sometimes created at interview time: Things that have worked elsewhere, pet subjects, vendors or consultants.

Many also feel that they have to prove themselves as specialists in their first 100 days. That's a mistake. Competence is assumed in the first 100 days (you've just been hired). The challenges lie elsewhere.

The first 100 days are about proving your ability to fit in the organisational structure of the firm and act as a leader.

That starts by listening, in my view: Listening to stakeholders and sponsors, understanding their expectations, their pain points, what has worked in the past, what hasn't and why, what happened with your predecessor… Sometimes "what can I do to help you?" is simply the best question to ask…

This process should initiate a journey of co-construction of the cybersecurity narrative, and beyond that, of the firm's cybersecurity strategy.

If objectives are shared with stakeholders and sponsors, friction is reduced; over time, business champions emerge who relay the cybersecurity narrative, not because it's the CISO's but because it's theirs.

The process should also embed the CISO in the governance and leadership dynamics of the firm.

By listening truly, identifying and following the cultural currents across the firm, the allegiances, the informal networks of trust where real decision-making happens, the CISO becomes a trusted player for business leaders.

At that point, budgetary discussions become two-way discussions between trusted partners, not adversarial situations where one party has to win over the other.

Conversely, CISOs who approach their first 100 days looking to prove themselves tactically run the risk of ending up trapped in operational firefighting: This is a situation from which very few escape. They may be seen as a safe pair of hands in the end, but that's unlikely to get them accepted at the strategy table.

This is the type of situation where a CSO role becomes a necessity, as I advocated in "Is the CISO role broken," to orchestrate business protection at the corporate level and ensure all regulatory obligations are met.

But it is not inevitable.

Ultimately, the future of cybersecurity leadership will belong to those CISOs who recognize that building influence and trust has to precede action and investment.

Boards no longer need to be convinced that cyber risk matters; they need confident, culturally attuned leaders who can navigate complex corporate dynamics, build trust with all stakeholders and orchestrate delivery across silos.

The first 100 days set the tone: Not through technical demonstrations or budgetary battles, but through listening, aligning and co-creating a narrative that business leaders feel ownership over.

In doing so, CISOs move from pleading for resources to shaping strategy as true executives, not firefighters on the sidelines, but architects of resilience at the heart of the enterprise.

This article is published as part of the Foundry Expert Contributor Network.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4104251/cybersecurity-isnt-underfunded-its-undermanaged.html
