Two weeks until I’m the CISO


Now that I know I have the job, it’s time to really learn about the business. What are the most obvious asset targets, who are the key executives, and what are the key initiatives of the business? Any policy decisions need to be aligned to the key people, processes and assets of the business, so it will be good to continue my interview research before day one.

The next thing I need to do is to think about an assessment methodology. I’ve used a few frameworks, vendors and partners in the past, so I want to start reviewing my knowledge and materials. CIS has had some updates, and MITRE is always refining and introducing new tools. I’m going to refresh my knowledge and refine my assessment templates. I want to identify key applications, cloud partners, vendors, tools, etc., so I want to be ready with discovery questions.

Business and tech are certainly important, but I’ll go nowhere without the team. I need to know who is leading security architecture, operations, app infrastructure, identity, the blue/red/purple teams, and who the other key leaders are. I know I’ll have some flexibility if I need to make changes, but I have to give the team the benefit of the doubt for a while and learn all I can.

Lots to think about, but I’m getting excited to start. The last company I worked for didn’t invest in cyber and didn’t take risks seriously. They had one near miss with ransomware and refused to make changes to the program, so I knew it was time to leave. I need to write down the top 10 lessons learned from the last job. I need to improve my approach, so I need to be as honest as I can about my successes and failures.

More to come….