First 90 days as CISO — the working playbook

Play CISO Game free Free · no signup · plays in 30–45 min

The first 90 days as a new CISO are about inheriting, not changing. Audit what exists (the risk register, audit findings, team, budget, contracts, regulatory clocks), build relationships with the CFO, CTO, General Counsel, CEO, and board chair, and stabilize anything actively burning. New strategies and big-bet investments wait until day 91 onward, after the inheritance is fully understood. New CISOs who announce strategy before they've finished listening usually regret it within six months.

If you've just been hired into your first CISO role — or are negotiating one now — this is the working playbook. The mechanics are the same whether you're inheriting a 200-person scale-up's first security program or a multinational's mature one. The pacing changes; the principles don't.

Days 1-30: Inherit

The first month is listening, reading, and inventorying. The output is a single document that lives on your laptop and nobody else sees yet — call it the inheritance audit.

The register. What risks are tracked? When was the register last reviewed? Who owns each entry? What's the scoring methodology? Most programs have a register on paper that nobody actually maintains in practice — find out which one this is.
Audit findings. Open SOC 2, ISO 27001, internal-audit, and regulator findings. Read every one. Note the ones approaching their remediation deadline.
Regulatory clocks. Are there any open SEC Item 1.05 (8-K) materiality assessments? GDPR Article 33 windows? NYDFS Part 500 obligations? OCR HHS exposure? The new CISO is the named accountable person on these the moment they sign the offer letter.
The team. Org chart, hiring requisitions, attrition history (last 24 months), one-on-one notes from the prior CISO if available. Skim level 1 and 2 deeper than level 3.
Budget. Annual budget, year-to-date burn, committed spend through year-end, vendor contracts and renewal dates. Most CISOs find one or two contracts they wouldn't have signed.
Vendor / tool stack. What's deployed, who owns it, what's the renewal calendar look like, which tools are shelfware.
Active incidents. What's burning right now? Anything in the post-incident phase from the last 6 months? IR retainer status?

By day 30 you should be able to answer, in two minutes, on a whiteboard: here's what I inherited, here's what's burning, here's what I don't yet know.

Days 1-30: Relationships

Run in parallel with the inheritance audit. Ten 30-45 minute conversations in the first month, each with a specific intent:

CEO — what does success look like at year-end? what does failure look like?
CFO — how do they think about security spend? what's the CFO's relationship with the prior security program (warm/cold/transactional)?
CTO — where are the architectural debt landmines? what does the engineering org find friction-painful about the security program today?
General Counsel — open litigation, regulator interactions, any active disclosure questions, how the GC defines materiality.
Board chair (and audit-committee chair if separate) — what level of detail does the board want? what was the prior CISO's reporting cadence?
Each direct report — what's working, what's blocked, what would they change.
One key skip-level per direct-report — cross-reference what you're hearing.
Top 3 business-unit leaders by revenue contribution — how does security currently land in their world?

Days 31-60: Stabilize + diagnose

Take action on anything actively burning. Resolve open critical audit findings nearing their deadline (or formally accept the residual risk in writing). Defuse any active incident or near-incident. Renegotiate or cancel one obviously-bad contract before its renewal hits. None of these are strategy — they're operational hygiene the board can see.

This is also the diagnostic phase. By day 60 you should be able to write a one-page assessment of the program: maturity per CSF function (use the NIST CSF 2.0 structure), top 5-10 risks ranked, biggest people/process/tool gaps, three things working that should be preserved. Your first board meeting is built on this document.

Days 61-90: First board meeting + stake-in-ground decisions

The first board meeting is most CISOs' biggest first-90-day milestone. Don't waste it presenting a multi-year strategy — you don't have the credibility yet to defend a strategy under question. Instead, present:

The inherited state — what you found in the first 60 days, framed honestly. Don't blame your predecessor; don't oversell either.
The top 5-10 risks ranked by exposure, with current Composite Posture (or whatever metric the prior CISO used — don't change the scorecard in your first meeting).
One clear stake-in-ground decision. Examples: "We're moving the IR retainer renewal up by 90 days because the current contract caps activation hours below my acceptable level." "We're closing two of four open SOC 2 findings before audit." "We're hiring one Detection Engineer in Q1 because the existing SIEM is shelfware without it."
What you'll come back with at the next board meeting — usually a 12-month roadmap.

The board reads first-meeting CISOs as either confident-and-deliberate or anxious-and-grandiose. Aim for the first.

The three decisions that compound

Most CISO tenures are shaped by three decisions made in the first six months:

Reporting cadence and scorecard. Quarterly, with a one-page CSF-aligned dashboard, is the modern default. Establish it now and don't change it for at least 18 months — boards develop pattern recognition and changes break it.
Team archetype. Operational (detection-led, IR-led) vs governance-led (compliance, audit, board-facing). Most programs need both, but one always leads. The decision is usually made by who you hire as your first deputy.
The vendor philosophy. Best-of-breed versus platform consolidation. There's no right answer; there's only the answer that matches your operational maturity. The CISO budget framework covers this in depth.

Common 90-day mistakes

Announcing a vision before understanding the inheritance. Boards read this as overconfidence. Listen first.
Restructuring the team in week one. Most week-one restructures are wrong. Wait until day 60+ when you have signal.
Buying tools to signal action. The previous CISO already bought tools. Your value at this stage is operational, not procurement.
Going completely silent. Listening for 90 days with zero visible output makes the board nervous. Quarter-one needs at least one shipped deliverable, even if it's just "I closed three open audit findings" or "I renegotiated this contract."
Failing to defuse the open landmine. Most inherited programs have one obvious problem the prior CISO was avoiding. The board will judge you on whether you noticed it within 60 days.

Where to test this in CISO Game

The Post-Incident Recovery scenario simulates exactly this — you're a new CISO three weeks after a public breach, with low board confidence, depleted budget, and an open finding clock. Play the scenario to see how the first-90-day choices compound across the next 19 quarters. The mechanics are calibrated to the same dynamics this guide describes.

Related guides

First-90-day decisions compound across the entire tenure. Run the Post-Incident scenario to feel them play out across 5 simulated years.

Frequently asked questions

What does a new CISO do in their first 90 days?

The first 90 days as a new CISO are about three things in order: inherit (audit what exists — register, controls, team, budget, audit findings, vendor contracts), build relationships (CFO, CTO, GC, CEO, board chair, key business unit leaders), and stabilize (resolve any open critical findings, defuse any active incidents, lock in budget for the rest of the year). New programs and big-bet investments wait until day 91 onward, after the inheritance is fully understood.

What should a new CISO present at the first board meeting?

The first board meeting belongs to the inheritance, not the new strategy. Present what you found in your first 60-day audit: the top 5-10 risks ranked by exposure, the state of audit findings, the open regulatory clocks (SEC Item 1.05, GDPR Art. 33, etc.), the team you have versus the team the program needs, and a single-slide statement of where the program is on a maturity scale. Don't present a multi-year strategy in the first meeting — you don't have enough context yet, and the board reads premature strategy as overconfidence.

How does a new CISO build credibility quickly?

Three patterns work consistently: (1) close one visible audit finding within 60 days — small, fully-resolvable, board-noticed; (2) show up to one major incident war room as the calm voice, even if you didn't trigger the call — incidents are where credibility either accumulates or evaporates; (3) deliver one concrete budget cut or contract renegotiation in the first quarter that funds something visible the board cared about. None of these need a new strategy. They demonstrate operating discipline, which is what the board hires CISOs for.

What are the biggest mistakes new CISOs make in the first 90 days?

Four common ones: announcing a strategic vision before understanding the inheritance; firing or restructuring the team in week one (you don't yet know who's a problem versus who's been blocked); buying tools to signal action (the previous CISO already bought tools — your value is operational); and taking the first 90 days to listen so completely that you produce nothing visible in quarter one. The first 90 days are about inheriting, not changing. Quarter two is when the first deliberate decisions start.

How does a new CISO assess the inherited team?

Spend 30-45 minutes one-on-one with every direct report and skip-level in the first 30 days. Ask each person: what's working in this program, what's blocked, what would you do if you were CISO, what should I not break. Cross-reference the answers — patterns reveal who has clarity, who has been blocked by leadership, and who is part of the dysfunction. Wait until day 60+ before making any team-shape changes. Most new CISOs who restructure in week one regret it; most who restructure in month four are right.

Play CISO Game free →