Lessons learned from a CISO’s first 100 days

· 7 MIN READ · AMANDA FENNELL · JUL 11, 2018 · TAGS: Careers / CISO / How to

In this guest post, Amanda Fennell, CSO at Relativity reflects on what she’s learned.

I recently finished my first 100 days as Chief Security Officer (CSO) of Relativity. I’ve learned a lot. And while every new CSO faces unique challenges based on their organization’s mission and circumstances, with the benefit of hindsight (and a little time to breathe), I’ve come up with some recommendations to help new CSOs navigate their first few months.

Understanding the unique context of an organization is the first component of building a world-class security program. Our company, Relativity, is an e-discovery firm and creator of the industry-leading e-discovery platform used by over 170,000 users in 40+ countries. Our clients represent the highest tiers of government, public and private industry entities, including the Department of Justice, Deloitte and NBC Universal. Relativity’s cloud solution, RelativityOne, offers all the functionality of Relativity in a secure and comprehensive SaaS product. Our clients trust our tools to discover the truth within the massive amount of documents they review and manage during investigations, litigation and lawsuits. When handling billions of highly sensitive documents, security is of utmost importance to build and maintain confidence with our valued users.

Understanding the significance of security to Relativity was pivotal when I stepped into the role. Now that I’ve spent the past 100+ days working to gain a better understanding of how we do what we do, I also know how to make the security team a critical part of the organization. And that leads me to my biggest takeaway. The most important thing a new CSO (or any leader) can do in their first few months is to create a compelling vision and communicate it effectively.

With that, I have distilled my experience on reaching that outcome.

1. If you can, take your time

Relativity moves fast – that’s our culture. But if I had the chance to start this process again, I’d give myself more time. The design and implementation of a security roadmap must have defined milestones, but exist as a living document to align with the inherent impermanence of the field.

If you can, dedicate a defined period – ideally 30 to 90 days – to assess the current state and understand the interdependencies of the various teams in your organization. Even if you’ve got the techiest of CIOs (and we do), and you immediately click, you’re going to be responsible for security throughout your organization, and it takes observation and experience to understand how each team derives value from security. Understand that they have their own objectives, and roadmaps, and they’re having to add you in late to the game.

These first few months I was in a state of assessment and now we are moving to a state of measuring movements, growth and execution on our objectives. We have a strong team and we worked hard to assess key risks and adopt the mindset of an adversary working to breach Relativity and our clients. We completed our gap analysis with this in mind and addressed any perceived weaknesses. But I also spent my first days as CSO considering the role of security in the overall business and learning from a series of nearly 50 one-on-ones with directors and VPs to find out what matters most to folks across the company and how I could work effectively with each key stakeholder.

Something as simple as a survey can help establish a more complete sense of your new organization and provides a baseline reference for measuring the success of the program. Shortly after taking on this new challenge, we sent out a survey to get more information on what people thought worked, and what needed addressing. A few months later, we did a follow-up to measure success. That gave us a sense of how our internal customers viewed our security team, and it was very helpful in helping me identify initial priorities and course-corrections to seize early wins. Once you’ve gained an understanding of your organization’s challenges, you can begin creating a vision for security and refine it across your organization.

2. Aligning Security with the Business

I may not have had my final roadmap by day three, but I had started my research. I realized early-on that I wasn’t going to get anywhere without budget and resources – and the best way to get those was by connecting security to revenue. Since security is a key concern for our clients at Relativity, that meant connecting with our sales department. This gave us a direct route to treat security as a product that is constantly evolving, transparently reported and consumable by our end-users. To empower our clients to trust and understand how we secure their data, we needed our marketing and sales teams to offer insight and expertise on what we do, and why we do it.

I started meeting regularly with our marketing team to make sure they understood what we’re doing – and so I understood how they work. I talked with them about my vision of integrating security and sales, and I got crucial buy-in to establish this partnership.

I’m fortunate in my role. I’ve got a CEO who is extremely technical, committed to security and willing to put the time and resources into implementing the best possible solution for our clients. I inherited a top-notch product security team. But a CEO is just one person, and a company is more than security, sales and marketing. The next objective was to sell my vision of security integration across the company. From the insight gained from those initial meetings with our stakeholders, I understood the motivations and drivers for directors and VPs across the organization. I also seized the opportunity to polish my strategy and developed ways to pivot into company-wide contributions. Relativity has spent considerable effort recruiting the best minds in our industry, and they were quick to challenge my assumptions and objectives to gain a sense of my approach. Confidence in my strategy, along with passion for our mission, helped me make a convincing case.

The connection between security and the business may not be as direct in your organization as it is at Relativity. But I guarantee there’s a connection to a department outside of your own. You’re assuredly not in a vacuum and you exist to secure your company. You fundamentally provide a service and how do you know how you’re doing? How do we get things accomplished? By being part of a team. Having stakeholder meetings, SLA’s and KPI’s. If it seems elusive, use your one-on-ones in the first 60 days to connect the dots and push yourself to find the direct connection and identify the business questions you’ll need to answer effectively.

3. Create ambassadors

Once I had my vision, my strategy was relatively simple: because security is a top consideration for any company considering Relativity, the team members on our front line need to be confident when speaking to complex security topics.

I made a business goal to work with our sales team to help them truly understand how we keep data secure. We’re starting to host real, in-depth technical training sessions – not just, “hey, read this deck and watch this video,” but actual lessons on how the customer’s data is protected, how encryption works and what monitoring with our cloud security team actually looks like.

By integrating with our sales and marketing team, we enable and empower them to do their jobs even better than before. Nobody has to call the security team to ask, “Hey, which datacenters have we got located where?” They can provide a comprehensive, accurate and appropriate answer in real-time. We now have a sales team that works as an extension of our security team.

If your road to connecting security to revenue doesn’t go through the sales or marketing organization itself, the same principle applies. Figure out who cares about security (and who ought to). Then, get personally involved in making sure they understand your vision and can educate the team or client that needs to know. Another great example is IT. Our IT department has provided a great deal of support to prioritize security initiatives and make our vision tangible. Why? Because they care about security. You’ll find solid partners in IT and engineering teams – smart, savvy and a healthy dose of paranoia about securing things. That’s a great start to a partnership!

4. Pick concrete collaborators you can trust

Several core values here at Relativity create a spirit of transparency. We’re feedback driven. We want our people involved in the process of developing our business, which means we want everyone on the same page. That’s true across teams, as well as with our third-party partner relationships.

We’ve selected a great set of vendors we collaborate with including Palo Alto Networks, Recorded Future, RedLock and Splunk. We made these decisions after careful review and analysis about what would be the best fit for our company, product and teams.

We also wanted someone who used those products across multiple environments and industries – to give us a more diverse perspective. So we began to seek options for managed security providers. As we weighed our options, we evaluated the capabilities and strategic direction of well-known vendors and newer players. We ultimately selected Expel because of their passion and approach – particularly their transparency – was so aligned with our own principles. And we weren’t disappointed. From deeply technical team calls to midnight consults via Slack, they’ve got as much passion as we do, and we really understand each other. This produced an organic and collaborative solution to one of the most important functions of our work: ensuring that we keep our customers’ data secure.

5. Invest where it counts … in people

If you’ve built a compelling vision, aligned security with the business, and communicated broadly, this one should be a cinch. But beware, when it comes to building your team, everyone will want to talk to you about HR banding and competitive pricing. But my advice on this one is simple: pay for talent. Period. You absolutely must have talented employees to build the best possible team. As much as I love and appreciate technology, I know that no tool will ever replace an amazing, talented rock star on your team. And when you can build a team of rock stars … there’s nothing better.

So, there you go. Those are my five key takeaways. I guarantee – even if this is your third or fourth rodeo in the CSO saddle – the first hundred days will be overwhelming, exhausting and exhilarating. But if you give yourself a little breathing room at the start and invest some time in doing your homework, you’ll get what you need to develop and sell your vision for success.

Relativity has a lot of great information about how they approach security on their website.