Cybersecurity Leadership

The CISO's First 90 Days: A Survival Plan That Actually Works

Standarity Editorial Team · CISOs & Information Security Leadership Practitioners · 9 min read

The first 90 days as CISO are not about fixing things. They are about earning the right to fix things. That distinction is the single thing that separates the new CISOs whose three-year tenure goes well from the ones who burn out in 14 months. The stakeholders who hired you are watching, but so is every team that has watched previous CISOs come in promising change and leave without delivering it.

Days 1–30: Listen, Inventory, Resist Reorganising

The temptation in the first month is to make visible moves quickly — a new framework, a tool consolidation, a hire. Resist. The first month is for understanding what already exists, what works, and where the genuine pain is. Schedule one-on-ones with every direct report, every C-level peer, internal audit, legal, and the board chair if you have access. Ask everyone the same five questions. The pattern in their answers is your real situation report.

Inventory: what controls exist, what is being measured, what compliance commitments are already in flight, what incidents have happened in the past 12 months and how they were handled. Pay particular attention to commitments that were made but never funded — they are about to become your problem.

Days 30–60: Diagnose and Quick Wins

Now you have a picture. Categorise issues into three buckets: things that are broken and dangerous (find them early; do not let them blow up under your watch unaddressed); things that are working well and just need protection from being changed; and the larger structural problems that need investment to fix.

Identify two or three quick wins — measurable improvements that can ship within 30 days using existing budget and people. The point of quick wins is not the wins. It is demonstrating that your team can ship. That credibility is the currency you will spend on the larger initiatives later.

A trap that catches many new CISOs: spending the first quarter writing a strategy document. Strategy documents are evidence of work, not work. The board does not want a 40-page deck in month two. They want confidence that you are competent and that your team is moving. Save the strategy for when you have the relationships and credibility to actually get it adopted.

Days 60–90: Frame the Strategic Conversation

By the third month you should be able to articulate the security programme in business terms: what risks the organisation actually faces, what the current programme covers and does not, where the meaningful gaps are, and what investment level is required to close them. Not a 40-slide deck — a sharp 6–8 slide narrative.

This is the conversation that sets up the next two years. If you do it well, you get budget alignment, executive sponsorship for the hard initiatives, and a clear mandate. If you do it badly — too detailed, too defensive, too disconnected from business priorities — you get told to come back next quarter, and momentum dies.

Things to Decide About Yourself, Not Just the Programme

  • Who are your three internal allies? You need them before the first incident, not during
  • What is your relationship with the CIO? It is the most important peer relationship you have
  • How will you handle the board? Quarterly reports are not enough — they need previews between meetings
  • How will you handle a major incident in month four? Have a draft playbook before you need it
  • What do you not know? Hire to that gap, do not pretend to it

A Useful Rule for the First 90 Days

Do not commit to anything in the first 30 days that you cannot deliver in the next 60. Do not start anything in the first 60 days that you cannot finish in the next 90. Do not promise the board anything in the first 90 days that you cannot fund and staff with what you actually have. Conservative early, ambitious from month four. The CISOs we have seen succeed underpromise on their arrival and overdeliver on their first year. The ones who do the opposite spend year two explaining why.
