A new CISO rarely gets a grace period. Before the first board update, people want answers on risk, recovery, and whether security will help or slow the business.

That pressure is why the first 90 days matter so much. You don’t need a grand redesign. You need a clear mandate, a hard look at facts, and a few visible wins that build trust. That’s the foundation for everything that follows.

Start with the mandate and the people who matter

Your first job isn’t choosing tools. It’s learning why the company hired you, and what problem they expect you to fix first.

Sometimes the answer is obvious: a recent breach, a failed audit, or customer pressure. Often, it’s mixed. The board may care about recovery and disclosure risk, while the CIO wants delivery speed and the CEO wants fewer surprises. That lines up with 2026 board focus areas from Ankura, where recovery speed and risk ownership matter more than alert volume.

So, spend your first two weeks in meetings, not in dashboards. Meet the CEO, CIO, CFO, general counsel, head of engineering, privacy lead, internal audit, and key business unit owners. Listen for patterns. Also listen for conflict. Misaligned expectations are often the real risk.

Ask direct questions like these:

  • Why now? What event made this role urgent?
  • What would hurt the business fastest? Revenue loss, outage, fraud, IP theft, or regulatory action?
  • What promises already exist? Customer clauses, board commitments, or audit deadlines?
  • Where is the team thin? Identity, cloud, AppSec, third-party risk, or incident response?
  • If a major incident hits tomorrow, who makes each call?

Those answers tell you what kind of CISO job you actually took. They also help you avoid the classic mistake of solving the wrong problem first.

Build a fact base before you announce big changes

A strong new CISO doesn’t arrive with a 50-point fix list. First, build a short, defensible view of current exposure.

Start with six areas. Review program maturity, compliance obligations, identity and privileged access, AI use, third-party dependencies, and ransomware readiness. In 2026, those topics sit near the top because they affect both daily operations and board scrutiny. Security leaders are now judged on proof, not effort, a theme echoed in 2026 CISO priorities.

For maturity, don’t chase perfect scoring. Use a simple model. What works, what is weak, what is missing, and what has no owner? Then test the answer with evidence, not opinions. Ask for the last audit report, risk register, backup test results, asset inventory, incident runbooks, vendor list, and major security exceptions.

AI governance needs early attention. Inventory the AI tools, models, and agents already in use. Then ask what data they touch, who approved them, and how usage is logged. A surprising number of companies have AI exposure before they have AI policy.

Third-party risk also needs a fast pass. Which vendors can stop revenue, expose regulated data, or slow recovery? Annual questionnaires won’t tell you enough. Recent third-party risk examples for 2026 security teams show how one supplier problem can spread quickly.

Early credibility comes from naming the top exposures in plain business language.

Finally, test ransomware readiness with one simple standard: can the business recover, and can you prove it? If backups haven’t been restored recently, you don’t have recovery. You have hope.

A practical 30-60-90 day plan for a new CISO

A good first-90-days plan for a CISO should fit on one slide. If it needs a long speech, it’s probably too broad.

This framework keeps the work grounded:

Phase | Primary goal | What to do
Days 1 to 30 | Understand and baseline | Confirm mandate, map stakeholders, identify crown-jewel systems, review open audits, inventory AI use, rank critical vendors, and validate backup status.
Days 31 to 60 | Reduce obvious exposure | Tighten privileged access, push phishing-resistant MFA where it matters most, remove stale accounts, set AI guardrails, and run an incident tabletop with legal, IT, and communications.
Days 61 to 90 | Show progress and set direction | Publish a one-page roadmap, define metrics, assign owners, align budget asks, and brief executives on top risks, quick wins, and next-quarter priorities.

The key is pacing. Don’t launch ten projects at once. Instead, pick a few moves that lower risk and prove you can execute. Good early wins are often boring, which is exactly why they work. Think dormant admin cleanup, tested restores, vendor escalation paths, and better approval rules for sensitive AI use.

By day 90, you should have three things: a shared risk view, a short list of funded priorities, and evidence that the team can act. That’s enough to earn room for the harder work ahead.

Quick checklist before day 90 ends

Use this as a final gut check. If most of these are true, you’re on solid ground.

  • One-page risk summary agreed with senior leadership
  • Crown-jewel system list with clear business owners
  • Compliance map showing deadlines, evidence gaps, and top obligations
  • AI inventory and guardrails for approved use and sensitive data
  • Top vendor list ranked by business impact and dependency
  • Ransomware recovery test completed, or scheduled with a firm date
  • Board-ready metrics that show outcomes, not activity
  • Next-quarter roadmap with owners, budget needs, and trade-offs

If several items are missing, don’t hide it. Call it out, rank it, and assign a date. Clarity builds credibility faster than false confidence.
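The ransomware readiness standard above (can the business recover, and can you prove it?) and the checklist item on recovery tests both reduce to one outcome metric: how many crown-jewel systems have a recent, verified restore, and which ones only have a firm date or nothing at all. The script below is an added example, not the article’s own material; the system names, owners, dates and the 90-day freshness threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Restore evidence must be a restore that was actually performed and verified.
# A successful backup job on its own is activity, not an outcome, so it never
# counts here. The 90-day threshold is an assumption, not the article's figure.
MAX_RESTORE_AGE = timedelta(days=90)

@dataclass
class System:
    name: str
    owner: Optional[str]                 # business owner from the crown-jewel list
    last_restore_test: Optional[date]    # most recent verified restore, if any
    next_test_scheduled: Optional[date]  # firm date for the next test, if any

def assess(system: System, today: date):
    """Classify one system as proven, scheduled, or a gap that needs a date."""
    if system.owner is None:
        return "gap", "no business owner"
    if system.last_restore_test and today - system.last_restore_test <= MAX_RESTORE_AGE:
        age = (today - system.last_restore_test).days
        return "proven", f"restore verified {age} days ago"
    # A scheduled test only counts when the date is firm and still ahead of us.
    if system.next_test_scheduled and system.next_test_scheduled > today:
        return "scheduled", f"restore test booked for {system.next_test_scheduled.isoformat()}"
    return "gap", "no recent restore test and no firm date"

def summary(systems, today: date):
    """Board-ready view: share of systems with proven recovery plus the open gaps."""
    detail = {s.name: assess(s, today) for s in systems}
    proven = sum(1 for status, _ in detail.values() if status == "proven")
    # Gaps are listed by name here; in practice rank them by business impact.
    gaps = sorted(name for name, (status, _) in detail.items() if status == "gap")
    return {"proven_pct": round(100 * proven / len(systems)), "gaps": gaps, "detail": detail}

# Constructed sample inventory (not real systems or dates).
TODAY = date(2026, 3, 31)
SAMPLE_SYSTEMS = [
    System("ERP", "CFO", date(2026, 2, 14), None),
    System("Customer portal", "Head of Engineering", date(2025, 10, 1), date(2026, 4, 20)),
    System("Payroll", None, date(2026, 3, 1), None),
    System("Data warehouse", "CIO", None, date(2026, 3, 15)),
]

def demo():
    return summary(SAMPLE_SYSTEMS, TODAY)

if __name__ == "__main__":
    for name, (status, reason) in demo()["detail"].items():
        print(f"{name:16} {status:9} {reason}")
```

Only the ERP counts as proven in the sample; the portal has a firm future date, while payroll (no owner) and the data warehouse (past date, no restore) are the gaps to call out and assign dates to.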

The first 90 days don’t reward the loudest CISO. They reward the one who reduces confusion, sets direction, and proves the business can recover when things go wrong.

If you’re stepping into the role now, book the interviews, test the backups, and publish the one-page plan. That’s how a strong start becomes lasting trust.
