The role of any security leader – be it the CISO, CIO, VP Security, or even Director of Security, is that of a grandmaster in chess. Every move in the first phase sets the tone for the game, and the world of cybersecurity is no different. As a new security leader, your first 90 days can either establish a robust defense against cyber threats or leave your company vulnerable to myriad of threats.
The CISO is evolving to become a key player in the boardroom who governs cyber risk management, builds organizational resilience, and influences business outcomes. CISOs are now pivotal in defending against advanced cyber threats, adhering to compliance requirements, and ensuring that the business stays ahead of disruption. If you’re joining as a new VP or Director, you may report to a CIO, who is then responsible for reporting to the board.
As a CISO with 20+ years of experience, I've learned how to balance the immediate need to protect against the strategic foresight required to anticipate cyber threats. It’s not an easy job, but the first 90 days can set the tone of how much buy-in you’ll get from your leadership team, the challenges you’ll face, and how you’ll overcome them.
Let's dive into the critical phases that mark the beginning of a security leader’s tenure.
First 30 Days: Establish the Foundation Through Listening and Relationship-Building
The first month is about laying groundwork — not just in understanding technical systems, but in grasping the human element of the organization. Forging strong relationships within the company is as critical as understanding the architecture of the network.
During this time, it’s critical that you get to know everyone on the security team as well as the key players at all levels of the company and make sure they understand you’re their partner. . This includes the developers, the engineers, and those who have been at the company for a long time who can give you the real lay of the land.
Meet and Greet: Get to Know the Team
It begins with a series of deliberate meet and greets. I start at the top, understanding the perspectives and expectations of the leadership, then work my way through the ranks. This isn't about learning names and titles; it's about discovering allies, potential resistors, and the informal power structures that dictate how things really get done.
Take the time to learn each team member’s responsibilities, how they assess success, their levels of knowledge and skillset (e.g., soft vs. technical), and where the security expertise gaps might be.
Understand the Business: Align Cybersecurity with the Overall Mission
Every security leader must deeply understand the business mission and goals. In these discussions, I listen for what's said and what's not — gauging what keeps stakeholders up at night. This helps tailor the security program to safeguard your company's interests effectively.
The key here is to make yourself visible, set up open lines of communication, and solve other leaders’ challenges. So, try to understand your department’s goals and missions, long-term priorities, and how the IT/security function can help other leaders achieve their business goals.
Risk Conversations: Discover the Known and Unknown
Risks are not just digital — they're operational, reputational, and strategic. I ask pointed questions to find the main risks as perceived across the organization, setting the stage for a comprehensive risk assessment process.
First 60 Days: Assess the Landscape
With relationships established and a preliminary understanding of the business, it's time to assess the current state of cybersecurity at your organization.
During this time, I’m focused on understanding the current operating model for the security function: the strategic goals and corresponding tactical initiatives, whether the security program is proactive or reactive, any specific cybersecurity frameworks we align with, and whether there’s a security committee that helps the overall strategy remain on track.
Review the Security Program: Set Up a Baseline
First, I comb through our policies, procedures, and standards to understand our posture and pinpoint areas for improvement. I’m looking to answer the following questions:
- Is our security program reactive or proactive? In other words, is your team merely responding to past and current threats, or are you able to anticipate future threats?
- Is it built upon a solid, industry-standard framework (e.g., the NIST framework)? If so, is that framework impactful on your program? You’ll need to be able to figure out where the existing gaps and weaker control areas are so you can prioritize accordingly.
- What are the compliance requirements that we need to adhere to and who are the program owners?
- Is there documentation I can review for all the requirements that outlines the policies, procedures, and standards?
- What are they key controls for each compliance and regulation?
Understand Reporting
Next, I take the time to understand the frequency and metrics for security reporting to the CEO and board. This gives me insight into the organization's security maturity — what metrics are valued, whether the metrics are at the right level (vs. being too operational), if the metrics are understood well, and how aware the company is of its security posture.
I also take the time to evaluate whether the operating model of the security team is aligned with the security stakeholders (i.e., the CEO and board members) and make sure it’s collaborative with the business. In other words, how are other departments prioritizing internal cybersecurity awareness and adhering to policies and practices?
Risk Register Review: Identify Immediate Threats
The risk register often reveals the pressing issues that need immediate attention: Are there any ticking time bombs? Past breaches or significant incidents that were mishandled? Any failed audits? These findings are crucial for finding gaps within the security program, prioritizing the course of action, and setting your team on the path to resolving the gaps effectively.
For that reason, review the latest cyber risk assessment and audits conducted and if there are no recent ones, prioritize conducting a cyber risk assessment. At this time, you also need to identify the threshold for acceptable amount of risk and tailor it to your organization’s overall risk tolerance. Use peer benchmarking to figure out how security can balance risk based on your industry expectations as well.
Determine the Company’s Security IQ
Given that users are the weakest link in any security program, one of the most crucial things to look out for is the organization’s security IQ. That is, how much cybersecurity awareness does every single employee have and how are they prioritizing staying ahead of cyber threats?
To determine the security IQ, ask the following:
- Do executives support regular phishing and cybersecurity awareness trainings?
- Is there any history of past trainings? If so, when was the last training conducted?
- What metrics are used to track progress and have they improved?
- What percentage of the workforce is engaged with the training program?
- Where are the gaps and opportunities for improvement?
First 90 Days: Craft a Comprehensive Cybersecurity Strategy
Translating assessments into a coherent strategy isn't just about fixing what's broken; it's about setting a vision for the future of cybersecurity within your organization. As such, the final phase of the first 90 days is about translating assessments into a coherent cybersecurity strategy.
Lay Out Initial Responsibilities
Security is a team sport, and everyone needs to know their position on the field. I clarify roles and responsibilities across the team to ensure a cohesive effort in protecting our digital and physical assets. If you need to work with your team to adjust their roles based on skillsets, take the time to do so.
I actively define these roles, not just in terms of job descriptions but in the context of our overall security posture. This means ensuring that everyone knows the part they play in incident response, the importance of adherence to policy, and the necessity of ongoing vigilance. It's about creating a framework where responsibilities and accountability are clear, empowering team members to act decisively and proactively.
Develop Your Mission and Roadmap
With identified gaps, I develop a mission statement that includes the priorities of our security program and a roadmap that not only addresses immediate deficiencies but also aligns with the long-term vision of the organization. This roadmap is a living document that not only provides a clear direction but is flexible enough to adapt to the rapidly changing threat landscape.
It includes immediate actions to address critical vulnerabilities and a phased plan for advancing our security maturity. It’s designed to align with the organization's long-term vision, incorporating industry best practices, and compliance requirements while supporting overall business growth.
As you develop the roadmap, make sure you address the following:
- The cybersecurity framework you’re aligning the greater security program with.
- Perform an analysis of the biggest risks and define desired future state.
- Perform a mapping exercise between existing gaps within the security program and their impact on the overall strategy.
- Devise a thorough plan with tangible immediate vs. long term items.
Once you’ve created your mission and roadmap, make sure you socialize, communicate, and negotiate with your stakeholders for what’s needed to put the plan into action.
Prepare a Board Presentation to Secure Your Mandate
Presenting to the board is more than a formality; it's about winning trust and securing the resources necessary for implementation so it’s the most critical step you’ll take in the first 90 days. The goal is to leave the board not only informed but also assured that the proposed strategy will lead to a more resilient and secure organization. As a result, this is where you’ll secure the mandate and the resources to implement the strategy.
Here, I articulate the value of cybersecurity not as a cost center but as a business enabler. It's my opportunity to show how a strong security posture can be a competitive advantage and prove how strategic investments in cybersecurity can reduce cyber risk, protect the brand reputation, and ensure business continuity.
The presentation is crafted to resonate with the board's priorities, translating technical risks into business impacts, and outlining a clear, actionable strategy that includes not just technical measures but also awareness training, culture change, and process improvement.
Final Thoughts
The first 90 days as a new security leader are intense and demanding, but they're also incredibly rewarding. This period sets the stage for the type of leader you’ll be and how you’ll enable the business to grow by keeping cybersecurity top of mind.
By listening, assessing, and strategizing efficiently, you can secure not just systems, but also the confidence of the team and the trust of the board, which are essential ingredients for any successful security leader.
