Editor’s Note: Originally published by Expel, this abridged article by Relativity CSO Amanda Fennell features some interesting takeaways for other information security professionals, especially in the technology industry. Read the full story on Expel’s blog.
I recently finished my first 100 days as chief security officer (CSO) of Relativity. I’ve learned a lot. And while every new CSO faces unique challenges, with the benefit of hindsight (and a little time to breathe), I’ve worked with my team to come up with some recommendations to help new CSOs navigate their first few months.
Remember that the security team is a critical part of any modern organization. The most important thing a new CSO (or any leader) can do in their first few months is to create a compelling vision and communicate it effectively to coworkers in all departments.
Here’s how I came to learn that lesson.
1. If you can, take your time
If you can, dedicate a defined period—ideally 30 to 90 days—to assess the current state and understand the interdependencies of the various teams in your organization. You’re going to be responsible for security throughout your organization, and it takes observation and experience to understand each team. They have their own objectives and roadmaps, and they’re having to add you in late to the game.
Something as simple as a survey can help establish a more complete sense of your organization and provide a baseline reference for measuring the success of the program. Initial and follow-up surveys, as well as one-on-ones, gave me a sense of how our internal customers viewed our security team, and they helped us identify initial priorities and course corrections to seize early wins.
2. Align security with the business
You aren’t going to get anywhere without budget and resources—and the best way to get those is by connecting security to revenue. For my team, connecting with our sales department gave us a direct route to treat security as a product that is constantly evolving. To empower our clients to trust and understand how we secure their data, we needed help from our marketing and sales teams.
I started meeting regularly with our marketing team to make sure they understood what we’re doing—and so I understood how they work. When we talked with them about our vision of integrating security and sales, my team got crucial buy-in to establish this partnership.
The connection between security and the business may not be as direct in your organization as it is at Relativity. But I guarantee there’s a connection to a department outside of your own.
3. Create ambassadors
Once we had our vision, my team's strategy was relatively simple: because security is a top consideration for any company considering Relativity, the team members on our front line need to be confident when speaking to complex security topics.
We’re starting to host real, in-depth technical training sessions with lessons on how our customers’ data is protected, how encryption works, and what monitoring with our cloud security team looks like.
As a result, we now have a sales team that works as an extension of our security team.
Even if your road to connecting security to revenue doesn’t go through the sales or marketing organization, the same principle applies. Figure out who cares about security (and who ought to). Then, get personally involved in making sure they understand your vision and can educate the team or client that needs to know, too.
4. Pick concrete collaborators you can trust
Several core values here at Relativity create a spirit of transparency. We’re feedback-driven and we want everyone on the same page. That’s true across teams, as well as with our third-party partner relationships.
With that in mind, and after careful review, we’ve selected a great set of vendors we collaborate with, including Palo Alto Networks, Recorded Future, RedLock, and Splunk.
We also wanted a more diverse perspective, so we began to seek options for managed security providers. We ultimately selected Expel because their passion and approach—particularly their transparency—were aligned with our own principles.
5. Invest where it counts … in people
If you’ve built a compelling vision, aligned security with the business, and communicated broadly, this one should be a cinch. But beware, when it comes to building your team, everyone will want to talk to you about HR banding and competitive pricing. My advice on this one is simple: pay for talent. Period. You absolutely must have talented employees to build the best possible team.
As much as I love and appreciate technology, I know that no tool will ever replace a human rock star. And when you can build a team of rock stars … there’s nothing better.