The First 30 Days as a CISO – Kicking Off Your Crucial 90-Day Journey to Cybersecurity Leadership
Sep 26
Author - Sahil Chadha
Stepping into a CISO or Security Executive role at a small startup or an established organization is both exhilarating and daunting. Whether you are the first CISO, or inheriting this position, you are taking a pivotal leadership role to safeguard and secure your organization.
In this blog series, we'll explore the journey of a new CISO through their first 90 days, broken down into three critical phases. I will share what I have learned on how to build and scale security programs at multiple start-ups and enterprises, including tips and knowledge that I have gained from other amazing CISOs and security executives. So, let's begin with the first 30 days of your CISO journey - a period focused on building partnerships and addressing immediate concerns.
Strategic Priorities for a Strong Start
1. 90 days vs 3x30 days: Work expands like a gas to fill the time available for its completion, a principle commonly known as Parkinson's Law. Breaking the 90 days into three chunks of 30 days therefore gives you the opportunity to set short-term goals, be more agile, measure your success, and tweak the plan as needed.
2. Understanding Business Objectives & Culture: It's easy to get pulled into tactical work, especially when you are leading a Security function in a smaller start-up (100-500 people). However, it is crucial to take a step back, look at the business holistically, and understand its mission and vision so you can see how to effectively support and enable it.
3. Quick Win: It's critical to pick a task or problem, preferably a low-hanging fruit, where you can make a positive impact with minimal effort. This will help you build credibility and strengthen relationships with key stakeholders.
4. Listen more, say less: Absorb information through osmosis — understand where security has been a barrier or where it could unlock new revenue opportunities for the organization. By deeply understanding these dynamics, you can better identify areas where security can both address challenges and drive business growth.
5. Carrot and Stick Approach: Prioritizing revenue often overshadows security concerns. To align executives with this reality, focus on making compliance an attractive reward while emphasizing the financial and strategic consequences of non-compliance.
Having established the key principles for your initial period as a CISO, it is now essential to translate them into actionable steps. To build your strategy effectively, let's deep-dive into the 90-day plan and associate a theme with each 30-day period.
First 30 days: Partnership and Firefighting
When you join a company, the urge to deliver value sometimes takes away time that should be spent on learning about the company, its mission, and its culture. That being said, if there is an unavoidable fire, such as all critical systems being unavailable due to a bug in an AV/XDR solution, or a data security incident caused by a lack of MFA, then yes, you would need to prioritize solving those problems. Other than that, you should focus on learning about the organization and building relationships.
Who are Your Partners?
Identifying your primary partners, such as peers in Product and Engineering, the rest of executive leadership, and Board Members, is a good start. At the same time, it is also important to go further and identify your secondary and tertiary partners.
The goal of engaging these partners is multifold. It starts with a brief introduction (putting a name to the face) and then moves to a more in-depth conversation to understand business operations and identify areas of collaboration and improvement.
Expected Outcomes: Apart from building positive relationships, your conversations with partners should help familiarize and build an understanding of the company. Below is a networking hierarchy that provides insights into understanding your partners.
Firefighting — Avoid if you can!
There would be situations where you may have to jump into tactical mode within your first 30 days. This can be challenging, as you're still building connections and haven't fully grasped how the team operates.
Often, you'll find yourself with more questions than answers as you step in. In large enterprises, you can rely on the Security Operations Center (SOC) team to handle any incident and keep you updated with minimal guidance from you, whereas a smaller start-up may expect you to build the incident response process on the fly.
To effectively put out the fire you should:
1. Identify the Incident Commander: This person will oversee the tactical activities and keep you updated on the incident’s progress.
2. Define Incident Exit Criteria: The focus here is on managing and mitigating the incident, not fixing it. Set clear criteria to determine when to downgrade from incident to vulnerability.
3. Create an Incident Response Team: For smaller companies, involve your site reliability engineering (SRE) incident commander, leveraging their technical and operational expertise.
4. Establish a Communication Strategy: Designate one person, ideally the incident commander, to provide continuous updates to key stakeholders, ensuring clear and efficient decision-making.
So, where does your experience help in this process?
1. Prioritization and Synthesizing Information: After considering all inputs, you should assign a risk and priority level to the incident and provide high-level updates to the Board and the executive leadership team.
2. Collaboration with Industry Experts: Using your industry connections, work with your peers to identify whether other organizations have been impacted by this issue and how they are mitigating it.
3. Future Improvements: After the incident has been mitigated, conduct a thorough post-mortem with action items to ensure that the issue does not happen again.
Final Thoughts
On the surface, the first 30 days may seem like a time to ease into the role. However, active Security Executives/CISOs use this period to build lasting connections and gain a deep understanding of the company's objectives, people, tools, and risk appetite.
These insights will serve as the foundation for the security strategy that you'll begin to develop in the next 30 days. That being said, in our second part of the series, we'll delve deeper into the review and assessment phase that characterizes the next 30 days of your tenure. Stay tuned!!!