Introduction
The first 90 days as a CISO are not an orientation period. They are an audition. Your board, your CEO, your peers in the C-suite, and your own team are all forming opinions about whether you understand the business, whether you can be trusted with budget, and whether you will make their lives harder or easier. Most new CISOs fail this audition not because they lack technical knowledge, but because they treat the first 90 days as a discovery exercise instead of a leadership exercise.
The instinct to spend the first month listening and learning is correct. The mistake is treating that listening as passive. You are not just absorbing information. You are building a map of organizational power, risk tolerance, and political reality. Who controls the budget that funds your program? Which business unit leaders see security as a tax on their operations? Where has the previous CISO left landmines, either in the form of failed vendor relationships, deferred technical debt, or promises made to auditors that nobody can keep? These questions matter more in the first 90 days than any vulnerability scan you commission.
The second mistake is the opposite: moving too fast. New CISOs who arrive with a predetermined transformation agenda, a favorite vendor, or a framework they want to impose on the organization before they understand it will burn political capital they cannot afford to lose. The goal of the first 90 days is not to fix everything. The goal is to understand what actually needs fixing, earn the trust to fix it, and set up the conditions for a program that will still be standing in three years.
The First Two Weeks Are About Power Mapping, Not Gap Assessments
Before you run a single scan or review a single policy, you need to understand who actually makes decisions in this organization. Not the org chart. The real decision map. Who controls capital expenditure approvals? Who has the CEO's ear when security comes up? Which business unit leader has blocked security initiatives before, and why?
Schedule 30-minute conversations with every direct report, every peer in the C-suite, and at least three business unit leaders in your first two weeks. Ask them what security has gotten wrong in the past. Ask them what they wish security understood about their business. You will learn more from those conversations than from any maturity assessment tool.
Document what you hear. Not to build a report, but to identify patterns. If three different people mention the same failed project, that project is a political landmine. If nobody mentions a major compliance deadline, that deadline is probably being managed ceremonially. These patterns tell you where the real risk is.
Your Inherited Team Has a Composition Problem You Need to Diagnose Early
Most security teams you inherit are overweighted in one direction. Either they are full of technical specialists who cannot explain risk in business terms, or they have been hollowed out by budget cuts and are running on contractors and tribal knowledge. Neither configuration is sustainable.
Apply the rule of thirds as a diagnostic lens. A functional security team needs roughly one-third technical operators, one-third risk and compliance advisors, and one-third people who can translate between security and the business. If your team is 80% technical operators, you have a communication problem that will surface every time you need budget approval or board support.
Do not make personnel decisions in the first 30 days. You do not have enough information yet. But do identify your two or three highest-leverage people, the ones who know where everything is buried and who the business actually trusts. Protect them. They are your institutional memory.
The Vendor Portfolio Audit: What You Are Paying For vs. What You Are Getting
The average mid-size enterprise runs 40 to 70 security tools. Most CISOs who inherit a program find 15 to 20 tools with overlapping functions, three or four contracts up for renewal in the next six months, and at least one six-figure annual spend on something nobody can explain the business case for.
Pull every active contract in the first 30 days. Map each tool to a control objective. If a tool cannot be mapped to a specific risk it is reducing or a compliance requirement it is satisfying, that tool is a candidate for consolidation. Be skeptical of the vendor's TCO calculator: it conveniently leaves out integration costs, staff time, and the opportunity cost of maintaining a tool nobody fully uses.
Do not cancel anything yet. Understand the renewal calendar first. Your leverage in vendor negotiations is highest in the 90 to 120 days before renewal. Use that window strategically. A vendor who knows you are evaluating alternatives will negotiate. A vendor who thinks you are locked in will not.
Your First Board Presentation Should Not Be a Status Report
Most new CISOs make their first board presentation a tour of the threat landscape and a list of things that need fixing. The board hears this as: we have problems, we need money, and we are not sure how to measure progress. That is not a confidence-building message.
Your first board presentation should answer three questions. Where are we today, in terms of risk posture relative to peers in our industry? What are the two or three things that could cause a material business impact in the next 12 months? What is the plan, and what does it cost? Keep it to 10 slides. If you cannot explain your security program in 10 slides, you do not understand it well enough yet.
Boards do not want to understand security. They want to understand risk. Frame everything in terms of business impact, not technical severity. A critical vulnerability in a system that processes $200M in annual revenue is a business problem. Present it that way.
The 30-60-90 Day Milestone Framework That Actually Works
Day 1 to 30: Listen, map, and inventory. No major decisions. No new vendor commitments. No reorganizations. Your output at day 30 is a written assessment of the program's current state, the top five risks, and the political landscape you are operating in.
Day 31 to 60: Prioritize and validate. Take your top five risks back to the business. Confirm that the business agrees these are the right priorities. This step is not optional. If you build a roadmap in isolation and present it to the board, you will be asked why you did not consult the business. Do the consultation first.
Day 61 to 90: Commit to a plan. By day 90, you should have a 12-month roadmap with budget estimates, a set of quick wins you can point to, and a clear narrative about where the program is going and why. The quick wins matter. They prove you can execute, not just plan.
Quick Wins Are Not Optional: You Need Proof of Execution by Day 60
Quick wins are not about optics. They are about building the organizational trust that lets you take on harder problems later. A team that has watched you deliver something tangible in the first 60 days will follow you into a difficult 18-month transformation. A team that has only watched you hold meetings will not.
Good quick wins share three characteristics. They are visible to the business, not just to the security team. They reduce a real risk, not just a compliance checkbox. And they can be completed with existing resources, without waiting for new budget approval.
Examples that work: closing a set of high-severity findings from the last penetration test, eliminating a class of phishing risk through a targeted control change, or renegotiating a vendor contract that was clearly overpriced. Examples that do not work: launching a new awareness training program, updating a policy document, or completing a maturity assessment. Those are inputs, not outcomes.
What Not to Do: The Four Mistakes That End CISO Tenures Early
First: do not inherit your predecessor's roadmap without questioning it. Every program has a history. The roadmap you inherited was built under different assumptions, different threat conditions, and different organizational priorities. Treat it as input, not as your plan.
Second: do not make enemies in the first 90 days. You will encounter business unit leaders who have been fighting with security for years. You will find IT leaders who think security is their domain. You will find compliance teams who have been running the show in the absence of a real security program. None of these people are your enemies. They are your future coalition partners. Treat them accordingly.
Third: do not overpromise to the board. The pressure to show confidence in your first presentation is real. But a board that has been told the program will be transformed in 12 months and sees no transformation in 12 months will lose faith in you faster than a board that was given a realistic 24-month timeline and saw it delivered.
Fourth: do not ignore the team you inherited. Your team knows where the bodies are buried. They know which controls are actually working and which ones are theater. They know which vendors are responsive and which ones disappear after the contract is signed. Invest in those relationships before you invest in anything else.
Building Your Security Narrative Before Someone Else Builds It for You
By day 90, you need a security narrative. Not a strategy document. A narrative. A clear, repeatable story about what the security program is trying to accomplish, why it matters to the business, and how you will know if it is working. This narrative needs to work in a 2-minute hallway conversation with the CEO and in a 20-minute board presentation.
The narrative has three components. The current state, described in business risk terms, not technical terms. The direction, meaning the specific outcomes you are working toward in the next 12 to 24 months. And the measurement model, meaning the two or three metrics that will tell you and the board whether the program is improving.
Most security programs fail to build this narrative and then wonder why they cannot get budget. The board is not withholding budget because they do not care about security. They are withholding budget because nobody has given them a clear reason to believe the investment will produce a measurable outcome. Your narrative is the answer to that problem.
Frequently Asked Questions
Be honest about where you are in the assessment process. A board that hears 'I have been here three weeks and I am not going to give you a false sense of confidence before I understand the program' will respect that more than a recycled status report from your predecessor. Set a specific date for your first real presentation, and keep it.
Conclusion
The first 90 days as a CISO are not about proving how much you know. They are about proving that you understand the business, that you can be trusted with resources, and that you will build a program that actually reduces risk instead of just managing the appearance of security. The CISOs who survive and build lasting programs are the ones who spend the first 90 days earning the right to lead, not just assuming it. Listen more than you talk. Deliver something tangible before you ask for something big. Build your narrative before someone else builds it for you. And remember that the program you build in year one is the foundation everything else sits on. Get the foundation right.