Stepping into a Chief Information Security Officer (CISO) role is like being handed the keys to a fortress—one that may have hidden vulnerabilities, outdated defenses, and internal politics shaping its security posture. The first 90 days are critical. It’s when you set the foundation for success, establish credibility, and begin aligning security with business objectives. So, where should you start?
Many security leaders step into new roles with a list of immediate concerns: Are we already breached? Are we compliant? Does the team have the right skills? These are pressing questions, but they need a structured approach. The goal in these first 90 days isn’t just to react but to build a security strategy that balances business needs with risk mitigation.
Here are the five most important tasks every new CISO should focus on.
1. Conduct a Comprehensive Security Assessment
The first step is understanding what you’re protecting and how well it’s currently protected. Without a clear view of your organization’s security posture, you’ll be operating in the dark.
Start with a compromise assessment—this goes beyond a traditional vulnerability scan and checks for signs of existing breaches. Attackers can lurk in networks for months before detection, so validating your environment’s integrity is crucial.
Beyond that, review all security policies, incident response plans, and compliance documentation. When were these last updated? Do they align with current threats and regulatory requirements? Engage penetration testers to assess vulnerabilities and understand the effectiveness of existing controls.
Most importantly, don’t assume past assessments are still valid. Security landscapes shift rapidly. Your goal here is to build a data-driven, up-to-date understanding of risk.
2. Build Relationships with Key Stakeholders
Security isn’t just about technology—it’s about people. You can have the best tools in the world, but without buy-in from leadership and collaboration across departments, your efforts will hit roadblocks.
Meet with executive leadership early on. Understand their business priorities and risk tolerances. How do they view security? As an enabler or a cost center? Their perspective will shape how you communicate security’s value.
IT, operations, and compliance teams are also key allies. Understanding their challenges and concerns will help align security with business objectives rather than operating in a silo. And don’t forget front-line employees—do they feel security is a help or a hindrance? Culture matters more than many security leaders realize.
Your success as a CISO isn’t just about technical expertise. It’s about influence.
3. Identify and Prioritize Risks
Risk management is the backbone of cybersecurity leadership. But to manage risk effectively, you need a clear framework for identifying and prioritizing threats.
What are your organization’s most valuable assets? How are they currently protected? Where are the biggest gaps? Not all risks are equal. A low-risk vulnerability on a critical system may need more urgent attention than a high-risk one on an isolated server.
A strong CISO quickly establishes a repeatable process for assessing risk, prioritizing threats, and aligning mitigation strategies with business goals. This isn’t a one-time exercise—it’s an ongoing function that will shape decision-making throughout your tenure.
4. Define a Cybersecurity Strategy
The best CISOs don’t just react to threats—they build forward-looking security programs that evolve with the business. Within your first 90 days, you should define a clear cybersecurity strategy that aligns with organizational goals.
What is your vision for the security program? Where does it need to go over the next 12 to 24 months? What initiatives will drive the biggest impact?
Your strategy should cover key areas like:
- Threat detection and response capabilities
- Security awareness and training
- Cloud security and third-party risk management
- Compliance and regulatory adherence
Most importantly, your strategy needs to be actionable. Leadership doesn’t want a vague commitment to “improve security.” They want a roadmap, a timeline, and clear outcomes.
5. Assess Your Security Team’s Capabilities
People are the heart of your security program. You need to know if you have the right talent in the right roles—and where gaps exist.
Evaluate your team’s skills, strengths, and weaknesses. Are there critical roles that need filling? Do you have the right balance of offensive and defensive security capabilities?
Training and development are just as important as hiring. The security talent shortage isn’t going away, and upskilling your team may be more realistic than recruiting new hires. Identify areas where automation or managed services can help fill gaps.
This assessment isn’t just about technical skills—it’s about leadership, communication, and adaptability. A strong security team isn’t just technically proficient; it understands the business and can advocate for security at all levels.
The First 90 Days Define Your Legacy
Many security leaders enter new roles with a reactive mindset—focusing on putting out fires rather than building a long-term strategy. But the best CISOs approach their first 90 days with a clear plan.
Understanding your security posture, building relationships, defining a risk framework, setting a strategy, and evaluating your team aren’t just tasks—they’re foundational to success. The goal isn’t just to survive the first 90 days—it’s to position security as a business enabler, not just a cost center.
Are you stepping into a new CISO role? What challenges have you faced in your first 90 days? Let’s discuss.
