29 Mar Getting to know the Business in your First 100 days
Starting a new job in a new business can be overwhelming, especially if you are expected to set up the foundations of a security program in your first 100 days.
It is easy to get carried away in your first few weeks and to start setting policies and requirements from the start. Identifying your mission and vision for the next few years is critical, but it needs to be built on good foundations.
I think it is imperative for your success, and the success of the security function, that you start off by getting to know exactly what it is you are protecting. You might already have a good insight from your interview, and from your research, but nothing beats getting your hands dirty.
Start building your foundations by speaking to the people on the ground, the people you are there to help support and protect. Doing this step right will set you up for success in your future endeavours, for the next 2-3 years. Below are some tips on how to do this.
Getting to know the people on the ground
- Get yourself acquainted with the company handbook and company policies, and take your time to observe the way things work in your first week.
- Then start setting up 30-minute meetings across a span of 2-3 weeks, with stakeholders across the organisation.
- The HR Department should be your first go-to here. Get a copy of the organisation chart and analyse it well.
- Make a list of people you think can help you understand the business better, and set individual meetings with them over the next 2-3 weeks.
- Start off with the obvious – finance, internal IT, HR – and, if you have the opportunity to do so, meet your Managing Directors/CEO. Understand their focus, their priorities, their key processes.
- By now you should have started identifying the Mission Essential Functions of the business. Set meetings up with people within these units. Understand their processes, their challenges and their dependencies.
- Acquire any additional documentation, specific to the business units, and keep a reference to it.
- Take notes; you will need them in the coming months.
How to go about these meetings
- Go prepared with a set of questions that encourage discussion.
- I like to use the 4 Ws – Why, What, Where, When, and sometimes add in a How.
- Don’t go into the meeting with the objective of learning anything specific. Remember you are still new. Listening is key.
- Throughout the meetings, start building a list of technologies that people mention.
- Ask the people you meet with to refer you to any other departments they think you should meet. Share with them what you have learnt so far, discuss and listen.
- In each meeting, introduce yourself and your objectives. Share with them your view of information security and how it should work in a company.
- Ask them what they believe are the main concerns around information security and what they think information security looks like. Really understand their point of view.
- Give them the opportunity to ask you questions, about your role, about information security and about anything that concerns them.
- I always ask “how can I help?” because at the end of the day the security function should be a business enabler.
Key takeaways from this:
- You now have a better idea of the mission essential functions of the business, and the processes and technologies that they rely on.
- The company culture is becoming clearer and you have a better understanding of the business lingo.
- You have a more concrete vision and mission for the security function within your organisation.
- You have started planting the seed for some strong relationships.
- Represent yourself as a business enabler: you are there to support the business and to support the people. You are not there to identify what they are doing wrong, but to support them in continuous improvement.
Now that you have started understanding the business better, you should know what the core security processes for your business should be. These might already exist and you just need to strengthen them as your foundation, or you might need to start building them from scratch. Whatever it is, you first need to decide what they are. I will share my insights on selecting the foundational security processes of a business in my next blog. Follow this space 🙂
If you are a new leader in a new company and are looking for someone to discuss your ideas and your next steps, feel free to contact me on firstname.lastname@example.org or fill in the form here, and I will get back to you.