Checklist: Your First 90 Days as a CISO

We get it, you're a new CISO or current head of the security practice at your organization. You're under a lot of pressure and you are being pursued by countless vendors, service providers, compliance standards, and internal requests. Whether you're just starting out or you've been at this for years and are looking for some clarity to cut through the noise; we've put together a quick checklist to get you back to the basics.

When starting as a Chief Information Security Officer (CISO) or Head of Security, the first 90 days are crucial for setting the foundation and establishing yourself in the role.

Here are five essential tasks you can prioritize during this period:


  1. Understand the Organizational Landscape:

    Invest time in comprehending the organization's structure, culture, and business objectives. This involves meeting with key stakeholders, executives, department heads, and the IT team. By doing so, you can gain insights into your organization's risk appetite, existing security practices, and identify any immediate concerns or priorities.
  2. Perform a Comprehensive Risk Assessment:

    Conducting a thorough risk assessment is vital to identify potential vulnerabilities, threats, and areas of weakness. Evaluate the organization's current security posture, assess the effectiveness of existing controls, and determine any regulatory or compliance requirements. This assessment will provide a roadmap for prioritizing security initiatives and allocating resources effectively.
  3. Develop a Strategic Security Plan:

    Based on the insights gained from the risk assessment, develop a strategic security plan aligned with the organization's goals. This plan should outline the vision, objectives, and specific initiatives required to enhance the organization's security posture. It should also include a prioritized list of projects, resource requirements, and timelines, taking into account both short-term and long-term goals.
  4. Build Relationships and Collaborate:

    Establishing strong relationships with key stakeholders across the organization is crucial for a CISO's success. The CISO should actively engage with executives, department heads, and IT personnel to foster collaboration and gain support for security initiatives. By demonstrating the value of security and cultivating a culture of security awareness, the CISO can garner cooperation and ensure security becomes an integral part of the organization's operations.
  5. Review and Enhance Security Policies and Procedures:

    Reviewing existing security policies, procedures, and standards is essential to ensure they are comprehensive, up-to-date, and aligned with industry best practices. The CISO should identify any gaps, ambiguities, or areas that require improvement. This includes policies related to data protection, access controls, incident response, and employee awareness. Enhancing these policies will help establish a strong foundation for the organization's security framework.


Remember, the first 90 days as a CISO lay the groundwork for a successful tenure and kickstarting your latest cybersecurity goals. By understanding the organization, assessing risks, developing a strategic plan, building relationships, and reviewing security policies, you can position yourself as a trusted leader who will effectively drive the organization's security initiatives. You've got this!