Chad LeMaire, CISO at ExtraHop and former CSO in the US Air Force, agrees that understanding the root cause of the disaster is mandatory, and it should guide the next steps. Any fixes, though, risk being superficial if they’re made without that deeper context. “When the CISO has a clear understanding of the business, culture, security program, security capabilities, and investments, root cause, and team skills, then the CISO will be armed with the necessary knowledge and understanding to rebuild the security program,” he says.
Part of that knowledge can be acquired from genuinely listening to people. Chuck Herrin, field CISO at F5, recommends new CISOs spend their initial weeks on the job in listening mode before making big changes.
“I’d start with short, focused listening sessions across the business – with security teams, IT, developers, and executives,” Herrin says. “Ask questions like: What worked? Where do we get in your way? How do we show you that we’re here to partner, not block? How do you measure the value we provide to you, your line of business, and your team?”
