The First 90 Days as a New CISO
The instinct in a new security role is to act fast. The better instinct is to understand first.
Stepping into a new security leadership role is exciting and disorienting in equal measure. The pressure to prove yourself fast is real, and it pushes new leaders toward the wrong move, which is to start changing things before they understand them. The first ninety days are not for fixing. They are for learning what is actually true, so that when you do act, you act on reality instead of assumption.
Listen before you reorganize
Every organization has a story it tells about its own security, and that story is usually incomplete. The fastest way to learn the real version is to listen widely and early. Talk to your team, but also to the people outside security who live with its consequences. The frustrated engineer who routes around a slow process. The business leader who thinks security says no to everything. The frontline staff who quietly keep a risky workaround alive. They will tell you, often without meaning to, where the real gaps and the real friction live.
Find what could actually hurt the business
You will inherit a long list of issues, and you cannot fix them all at once, so resist the urge to try. Instead, find the small number of risks that could genuinely cause serious harm. Not the longest list, the heaviest one. What are the few scenarios that would damage the organization most, and how exposed are you to them right now? That short, honest answer becomes the spine of your early plan.
A new leader who tries to fix everything fixes nothing. The first job is to find the few things that matter and earn the right to address them.
Map the relationships that will decide your success
Security leadership is, to an uncomfortable degree, a relationship job. Your success depends on the legal team, the finance team, the heads of the business units, and your peers in technology far more than it depends on any control you deploy. Spend real time in your first ninety days understanding who holds influence, who trusts whom, and how decisions actually get made, which is rarely how the org chart suggests. The leader who skips this step finds out the hard way that good ideas die without allies.
Find a meaningful early win
Listening does not mean doing nothing visible. Somewhere in your first ninety days, find one improvement that is real, achievable, and meaningful to people outside security. Not a vanity metric. Something that reduces a genuine risk or removes a genuine pain, and that others will notice. Early credibility buys you the room to do the slower, harder work that follows.
Resist the pressure to perform certainty
You will be tempted to project total command before you have earned it. Do not. The strongest new leaders are candid about what they are still learning while being decisive about what they already know. That balance, confident where you have evidence and honest where you do not, is what builds the durable trust the role runs on. The same principle shows up in how you handle the board, which I covered in a separate post on how to explain cyber risk to a board.
FAQ
What should a new CISO do in the first 90 days?
Listen widely before changing anything, identify the few risks that could seriously harm the business, map the relationships that decide your success, secure one meaningful early win, and be honest about what you are still learning rather than performing false certainty.