Stepping into the role of Chief Information Security Officer (CISO) is both an exciting opportunity and a daunting challenge. With cybersecurity threats evolving rapidly and organizations under increasing regulatory pressure, new CISOs must quickly establish their authority, assess risks, and build a resilient security program.
The first 90 days in the role are crucial in setting the tone for long-term success. This blog post provides an actionable roadmap for new CISOs, covering the key priorities, the most effective first tasks, and how to measure success at the 90-day mark.
The First 30 Days – Laying the Foundation
Do Your Homework Before Day 1
Before officially starting, research the company’s industry, security landscape, past incidents, and regulatory obligations. If possible, request documentation about existing security strategies and policies.
Understand the Organizational Culture
- What is the leadership team’s attitude toward cybersecurity?
- How are security decisions made?
- What are the expectations regarding communication and reporting?
Understanding these dynamics early will help shape how you engage stakeholders.
Assess the Security Team
Evaluate the existing security team’s strengths and weaknesses:
- How effective is the current Security Operations Center (SOC)?
- Are the Governance, Risk, and Compliance (GRC) teams aligned with business objectives?
- Do incident response teams have well-documented processes?
Identifying gaps in personnel and capabilities early helps in resource planning.
Review Security Policies & Compliance
- Are policies aligned with the standards and regulations that apply to you (for example ISO 27001, the NIST Cybersecurity Framework, or DORA for EU financial entities)?
- What compliance frameworks are in place?
- When was the last risk assessment conducted?
Conducting an audit of existing security documentation will provide a clear picture of what needs improvement.
Establish Key Relationships
Building alliances across departments is vital:
- CEO & Board: Understand their risk tolerance and security expectations.
- CIO & IT Leaders: Align security initiatives with broader IT strategies.
- Finance (CFO): Secure funding and demonstrate the ROI of security investments.
- Legal & Compliance Teams: Ensure security aligns with regulatory requirements.
30-60 Days – Implementing Quick Wins and Building Momentum
Conduct a Risk & Vulnerability Assessment
Perform a security audit to identify vulnerabilities and prioritize remediation efforts by exploitability and business impact, not by raw count. Leverage frameworks like Continuous Threat Exposure Management (CTEM), introduced by Gartner, to measure and address exposure continuously rather than through point-in-time assessments.
Validate Incident Response & Business Continuity Plans
- Review incident response procedures.
- Conduct tabletop exercises to simulate breach scenarios.
- Ensure disaster recovery (DR) plans align with business continuity goals.
Strengthen Cyber Awareness & Training
Security is only as strong as its weakest link. Implement or update security awareness training programs to educate employees about phishing, password hygiene, and social engineering tactics.
Implement a Threat Intelligence Program
Proactively monitor emerging threats by leveraging threat intelligence feeds relevant to your sector and automated security tooling, and use Breach and Attack Simulation (BAS) platforms to validate that existing controls actually detect the techniques that intelligence surfaces.
Secure Quick Wins
Delivering immediate results will build credibility:
- Patch high-risk vulnerabilities, starting with internet-facing and actively exploited ones.
- Implement multi-factor authentication (MFA) if not already in place, prioritizing remote access, email, and privileged accounts.
- Deploy endpoint detection and response (EDR) wherever coverage is missing.
These quick wins demonstrate value to executives and reinforce your leadership.
60-90 Days – Measuring Impact & Demonstrating Effectiveness
Define Security Metrics & KPIs
To measure success, track Key Performance Indicators (KPIs) such as:
- Reduction in open critical and high vulnerabilities (a drop in detected vulnerabilities alone can simply mean less scanning coverage, so measure what remains open, by severity)
- Time to remediate critical risks, measured against a defined SLA per severity
- Employee security awareness scores, including phishing simulation click and report rates
- Incident response effectiveness, such as time to detect and time to contain
- Regulatory compliance improvements, such as audit findings closed
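To make the first two KPIs concrete, the script below computes open findings by severity, SLA breaches, and median time to remediate over a constructed vulnerability export, and contrasts them with the raw "detections per month" number. It is an added example, not code from the original post; the field names (id, severity, detected, remediated), the SLA values, and the sample findings are all assumptions, not a real scanner schema or real data.

```python
"""Vulnerability-remediation KPIs over a constructed findings export.

Added example, not from the original post. The findings below are
constructed; the field names and SLA values are assumptions, not a
real scanner schema or a real policy.
"""
from datetime import date
from statistics import median

# Remediation SLA per severity, in days (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample findings; remediated=None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "detected": date(2025, 1, 3),  "remediated": date(2025, 1, 8)},
    {"id": "F-2", "severity": "critical", "detected": date(2025, 1, 10), "remediated": None},
    {"id": "F-3", "severity": "high",     "detected": date(2025, 1, 12), "remediated": date(2025, 2, 20)},
    {"id": "F-4", "severity": "high",     "detected": date(2025, 2, 1),  "remediated": date(2025, 2, 15)},
    {"id": "F-5", "severity": "medium",   "detected": date(2025, 2, 5),  "remediated": None},
    {"id": "F-6", "severity": "low",      "detected": date(2025, 1, 20), "remediated": date(2025, 3, 1)},
    {"id": "F-7", "severity": "critical", "detected": date(2025, 2, 25), "remediated": None},
]


def is_open(f, as_of):
    """True if the finding was detected by as_of and not yet remediated on that date."""
    return f["detected"] <= as_of and (f["remediated"] is None or f["remediated"] > as_of)


def days_open(f, as_of):
    """Days from detection to remediation, or to as_of if still open on that date."""
    end = f["remediated"] if not is_open(f, as_of) else as_of
    return (end - f["detected"]).days


def open_by_severity(findings, as_of):
    """Count of findings still open at as_of, per severity."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in findings:
        if is_open(f, as_of):
            counts[f["severity"]] += 1
    return counts


def sla_breaches(findings, as_of):
    """IDs of findings that exceeded their SLA, whether closed late or still open past it."""
    return sorted(f["id"] for f in findings
                  if f["detected"] <= as_of and days_open(f, as_of) > SLA_DAYS[f["severity"]])


def mttr_days(findings, severity, as_of):
    """Median days to remediate findings of one severity closed by as_of (None if none closed)."""
    closed = [days_open(f, as_of) for f in findings
              if f["severity"] == severity and f["detected"] <= as_of and not is_open(f, as_of)]
    return median(closed) if closed else None


def detections_in_window(findings, start, end):
    """Raw count of new detections in a window: fine for context, misleading as a headline KPI."""
    return sum(1 for f in findings if start <= f["detected"] <= end)


if __name__ == "__main__":
    as_of = date(2025, 2, 28)
    jan = detections_in_window(FINDINGS, date(2025, 1, 1), date(2025, 1, 31))
    feb = detections_in_window(FINDINGS, date(2025, 2, 1), date(2025, 2, 28))
    # Detections fell from 4 to 3, yet two criticals are open and two SLAs were missed.
    print(f"detections: Jan={jan} Feb={feb}")
    print(f"open by severity at {as_of}: {open_by_severity(FINDINGS, as_of)}")
    print(f"SLA breaches: {sla_breaches(FINDINGS, as_of)}")
    for sev in SLA_DAYS:
        print(f"median days to remediate ({sev}): {mttr_days(FINDINGS, sev, as_of)}")
```

Reporting the headline as "detections down 25%" would hide that critical exposure doubled over the same period; the open-by-severity and SLA-breach figures are the ones that belong on a board scorecard, alongside the scanning coverage that makes them trustworthy.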
Report to the Board Effectively
The board is primarily concerned with business risk, not technical details. When presenting security updates:
- Use non-technical language.
- Align cybersecurity improvements with business goals.
- Show risk reduction trends using visuals like risk heat maps and scorecards.
Develop a Long-Term Strategy
With a clearer understanding of risks, teams, and business objectives, define a three-year cybersecurity roadmap:
- Adopt a risk-based approach to security investments.
- Improve threat detection and response through automation.
- Enhance compliance efforts to reduce legal exposure.
Secure Budget for Strategic Initiatives
CISOs must advocate for the resources needed to implement robust security programs. When requesting budget:
- Link investments to risk reduction metrics.
- Present cost-benefit analyses for new security tools.
- Show projected savings from preventing breaches.
Establish a Security-First Culture
A strong security culture is critical for long-term resilience:
- Embed security into business processes.
- Encourage executive buy-in for cybersecurity initiatives.
- Foster cross-departmental collaboration to ensure security is a shared responsibility.
Conclusion: Measuring Success at Day 90
At the 90-day mark, success can be measured by:
✅ A well-defined cybersecurity roadmap aligned with business goals.
✅ Early wins, such as closing high-risk vulnerabilities and improving compliance posture.
✅ Improved relationships with key stakeholders.
✅ A measurable reduction in risk exposure and improved response capabilities.
✅ A security-conscious culture beginning to take root.
Taking a strategic and methodical approach to your first 90 days as CISO will set you up for success, earning trust across the organization and positioning cybersecurity as a business enabler rather than an obstacle.
Ready for Cyber Resilience?
Learn more about how our Managed Service can help you achieve Cyber Resilience and act as an extension of your team without breaking the budget.