A new CISO rarely gets a grace period. Before the first board update, people want answers on risk, recovery, and whether security will help or slow the business.
That pressure is why the first 90 days matter so much. You don’t need a grand redesign. You need a clear mandate, a hard look at facts, and a few visible wins that build trust. That’s the foundation for everything that follows.
Start with the mandate and the people who matter
Your first job isn’t choosing tools. It’s learning why the company hired you, and what problem they expect you to fix first.
Sometimes the answer is obvious: a recent breach, a failed audit, or customer pressure. Often, it’s mixed. The board may care about recovery and disclosure risk, while the CIO wants delivery speed and the CEO wants fewer surprises. That lines up with 2026 board focus areas from Ankura, where recovery speed and risk ownership matter more than alert volume.

So, spend your first two weeks in meetings, not in dashboards. Meet the CEO, CIO, CFO, general counsel, head of engineering, privacy lead, internal audit, and key business unit owners. Listen for patterns. Also listen for conflict. Misaligned expectations are often the real risk.
Ask direct questions like these:
- Why now? What event made this role urgent?
- What would hurt the business fastest? Revenue loss, outage, fraud, IP theft, or regulatory action?
- What promises already exist? Customer clauses, board commitments, or audit deadlines?
- Where is the team thin? Identity, cloud, AppSec, third-party risk, or incident response?
- If a major incident hits tomorrow, who makes each call?
Those answers tell you what kind of CISO job you actually took. They also help you avoid the classic mistake of solving the wrong problem first.
Build a fact base before you announce big changes
A strong new CISO doesn’t arrive with a 50-point fix list. First, build a short, defensible view of current exposure.
Start with six areas. Review program maturity, compliance obligations, identity and privileged access, AI use, third-party dependencies, and ransomware readiness. In 2026, those topics sit near the top because they affect both daily operations and board scrutiny. Security leaders are now judged on proof, not effort, a theme echoed in 2026 CISO priorities.
For maturity, don’t chase perfect scoring. Use a simple model: what works, what is weak, what is missing, and what has no owner? Then test the answers with evidence, not opinions. Ask for the last audit report, risk register, backup test results, asset inventory, incident runbooks, vendor list, and major security exceptions.
AI governance needs early attention. Inventory the AI tools, models, and agents already in use. Then ask what data they touch, who approved them, and how usage is logged. A surprising number of companies have AI exposure before they have AI policy.
Third-party risk also needs a fast pass. Which vendors can stop revenue, expose regulated data, or slow recovery? Annual questionnaires won’t tell you enough. Recent third-party risk examples for 2026 security teams show how one supplier problem can spread quickly.
Early credibility comes from naming the top exposures in plain business language.
Finally, test ransomware readiness with one simple standard: can the business recover, and can you prove it? If backups haven’t been restored recently, you don’t have recovery. You have hope.
A practical 30-60-90 day plan for a new CISO
A good first-90-days plan for a new CISO should fit on one slide. If it needs a long speech, it’s probably too broad.

This framework keeps the work grounded:
| Phase | Primary goal | What to do |
|---|---|---|
| Days 1 to 30 | Understand and baseline | Confirm mandate, map stakeholders, identify crown-jewel systems, review open audits, inventory AI use, rank critical vendors, and validate backup status. |
| Days 31 to 60 | Reduce obvious exposure | Tighten privileged access, push phishing-resistant MFA where it matters most, remove stale accounts, set AI guardrails, and run an incident tabletop with legal, IT, and communications. |
| Days 61 to 90 | Show progress and set direction | Publish a one-page roadmap, define metrics, assign owners, align budget asks, and brief executives on top risks, quick wins, and next-quarter priorities. |
The key is pacing. Don’t launch ten projects at once. Instead, pick a few moves that lower risk and prove you can execute. Good early wins are often boring, which is exactly why they work. Think dormant admin cleanup, tested restores, vendor escalation paths, and better approval rules for sensitive AI use.
By day 90, you should have three things: a shared risk view, a short list of funded priorities, and evidence that the team can act. That’s enough to earn room for the harder work ahead.
Quick checklist before day 90 ends
Use this as a final gut check. If most of these are true, you’re on solid ground.
- One-page risk summary agreed with senior leadership
- Crown-jewel system list with clear business owners
- Compliance map showing deadlines, evidence gaps, and top obligations
- AI inventory and guardrails for approved use and sensitive data
- Top vendor list ranked by business impact and dependency
- Ransomware recovery test completed, or scheduled with a firm date
- Board-ready metrics that show outcomes, not activity
- Next-quarter roadmap with owners, budget needs, and trade-offs
If several items are missing, don’t hide it. Call it out, rank it, and assign a date. Clarity builds credibility faster than false confidence.
The first 90 days don’t reward the loudest CISO. They reward the one who reduces confusion, sets direction, and proves the business can recover when things go wrong.
If you’re stepping into the role now, book the interviews, test the backups, and publish the one-page plan. That’s how a strong start becomes lasting trust.