Your First 100 Days as a New Chief Information Security Officer

Your first 100 days in the chief information security officer (CISO) role are an opportunity to establish your credibility and elevate the security organization’s internal brand.

This short “honeymoon” period allows you to define your role, develop a strategy, build professional relationships, secure leadership support, establish trust with your new team and signal your leadership style.

“Those who approach the role with a strong, strategic plan for the first 100 days are likely to enjoy success,” says William Candrick, Director Analyst, Gartner. “This is especially true if the enterprise needs a major overhaul to cyber risk governance or significantly better security program maturity.”

Download eBook: 2021 Top Priorities for Security and Risk Management Leaders

The CISO role is increasingly critical and often costly for organizations to hire for — which means you need to prove your worth quickly.

A successful CISO is primarily a leader, a manager and a communicator, not a technologist. Early success depends on your ability to:

1. Establish a personal brand of credibility and leadership
2. Lay the foundation for a defensible security program.

Gartner breaks down the CISO’s first 100 days into five phases, each with critical target outcomes, actions and ideas to consider.

Prepare (Before Day One)

Don’t wait until your first day on the job to get started. Before you begin, seek to understand your enterprise and identify key stakeholders. Connect with them on LinkedIn, and prepare a succinct biography, questions and talking points before your initial round of meet-and-greets.

This phase focuses on listening and learning, not decision making. Avoid making sweeping announcements or decisions in your first few weeks in the CISO role.

Your objective is to develop a common understanding of your role, a set of expectations of stakeholders and a basic engagement plan to meet with leadership and staff.

Assess (Weeks 1-4)

Next, you’ll need to understand the current maturity and performance of the security function. Decide what’s working and what isn’t, and what you’ll prioritize for the first three to six months.

Seek out an executive mentor who can provide insight into the culture of the enterprise. Confirm the resources available to you — including funding, headcount and technology. Then, use formal maturity assessments, team conversations and stakeholder engagement to surface gaps in the security program. Create a prioritized list of three to five strategic priorities that address those gaps.

Plan (Weeks 3-6)

Turn what you’ve learned into a blueprint for action. Share your security program vision with your team, line managers and business stakeholders. This is your chance to design and refine your new security organization.

By the end of this phase you should have:

1. A documented security strategic plan that prioritizes two or three security initiatives for your first 100 days, and a loose roadmap for your first year.
2. A security budget that ensures sufficient resources to achieve priorities. If resources are lacking, then the strategic plan should be adjusted accordingly to make it achievable.

Act (Weeks 5-12)

This is your first opportunity to deliver visible results.

Actions in your first 100 days should focus on tangible accomplishments that establish personal credibility and improve security’s standing in the enterprise. Initial success secures more buy-in, which supports more success — thus creating a cycle of improvement and achievement for you and your team.

Measure (Weeks 11-14)

Start providing evidence of your impact. Define a portfolio of security metrics and develop an executive reporting process so that others know what to expect from you.

Highlight early wins and challenges as they emerge. Measurement and communication are hallmarks of a successful CISO, and you should dedicate significant effort to them throughout your tenure.

This article has been updated from the September 2016 original to reflect new events, conditions and research.