You’ve been looking forward to today: your first day as the new Chief Information Security Officer (CISO)! You’re ready to save the world, and by “the world,” I mean your company’s most critical assets. You’ve ironed your fancy cybersecurity hero cape and are all set to talk strategy and business alignment. But how do you get started?

In this article, we’ll outline the key focus points for your first 100 days to help you establish yourself as a security leader, putting all the necessary pieces in place to make security and risk management drivers for success.

Ready? Set! Let’s make security strategy support business goals.

Building Strong Relationships

In your first weeks in this new role, focus on building relationships and understanding the organization, its culture, and its business objectives. Your influence across the organization is directly connected to the strength of your relationships and, perhaps more importantly, the level of trust people have in you. Take the initiative to free up time in your schedule for both formal and informal touchpoints to align with your peers from every department. Instead of reacting to isolated incidents, look for patterns that could inform your risk assessment. Understand the compliance environment you’ll be working within. Analyze situations carefully before taking action. Identify metrics that support business leaders. Complement this with sharing your knowledge and expertise when appropriate, especially if you can make quick wins, as it will help solidify your relationships and provide a platform for change. Remember, while doing all this, your top priority is to be your authentic self. It enhances trust and acts as a force multiplier.

First Priority: Authentication

There’s a lot of debate about the balance between IT and Security when it comes to owning tools and functions in the infrastructure. A large share of breaches begin with compromised credentials, so there should be no debate about Security being heavily involved in everything related to authentication (AuthN) and authorization (AuthZ). Collaborate with your IT Operations and DevOps teams to gain a basic understanding of the toolchain used across the organization. Once you understand the tools and their fundamental functions, conduct an initial audit of who has access to what and map out the AuthN/AuthZ landscape. Key focus points in this process are as follows:

  • Verify Multi-Factor Authentication (MFA) coverage.
  • Verify Single Sign-On coverage.
  • Review access lifecycle management processes (onboarding, offboarding, and role changes).
  • Inventory secrets and their management processes.

This should give you a clear understanding of what and how regarding AuthN/AuthZ, along with the associated risks. Focus your roadmap on this topic by reducing risk and enabling collaboration.
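The audit described above can start from nothing more than an export of your directory or identity provider. The following is an added example, not code from the original article: it takes a constructed account export (field names such as `mfa`, `sso`, `privileged` and `terminated` are assumptions for this illustration, not any particular product’s schema) and answers the four focus points at once: MFA and SSO coverage, privileged accounts without MFA, offboarding gaps, and dormant accounts.

```python
"""Initial AuthN/AuthZ audit over a constructed directory export.

Added example, not from the original article. The record layout below is an
assumption: a list of account records such as an IdP or HR export might be
normalised into, with field names chosen for this illustration.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # assumed report date for the example
DORMANT_DAYS = 90         # assumed threshold for "no recent login"

# Constructed sample export; not real accounts.
ACCOUNTS = [
    {"user": "alice", "active": True, "mfa": True, "sso": True, "privileged": True,
     "last_login": date(2024, 5, 28), "terminated": None},
    {"user": "bob", "active": True, "mfa": False, "sso": True, "privileged": True,
     "last_login": date(2024, 5, 27), "terminated": None},
    {"user": "carol", "active": True, "mfa": True, "sso": False, "privileged": False,
     "last_login": date(2024, 1, 3), "terminated": None},
    # Terminated in March but never disabled: an offboarding gap.
    {"user": "dave", "active": True, "mfa": False, "sso": False, "privileged": False,
     "last_login": date(2024, 4, 30), "terminated": date(2024, 3, 15)},
    # Service account with privileges and no MFA or SSO.
    {"user": "svc-backup", "active": True, "mfa": False, "sso": False, "privileged": True,
     "last_login": date(2024, 5, 29), "terminated": None},
    {"user": "erin", "active": False, "mfa": True, "sso": True, "privileged": False,
     "last_login": date(2023, 11, 2), "terminated": date(2023, 11, 3)},
]


def coverage(accounts, field):
    """Share of active accounts with `field` set; 0.0 when there are none."""
    active = [a for a in accounts if a["active"]]
    if not active:
        return 0.0
    return sum(1 for a in active if a[field]) / len(active)


def offboarding_gaps(accounts, today=TODAY):
    """Accounts still active after their termination date: a lifecycle failure."""
    return sorted(a["user"] for a in accounts
                  if a["active"] and a["terminated"] and a["terminated"] < today)


def dormant(accounts, today=TODAY, days=DORMANT_DAYS):
    """Active accounts with no login in `days` days: candidates for removal."""
    cutoff = today - timedelta(days=days)
    return sorted(a["user"] for a in accounts
                  if a["active"] and a["last_login"] < cutoff)


def audit(accounts=ACCOUNTS, today=TODAY):
    """Summarise the AuthN/AuthZ focus points as one report dictionary."""
    active = [a for a in accounts if a["active"]]
    privileged = [a for a in active if a["privileged"]]
    return {
        "mfa_coverage": round(coverage(active, "mfa"), 2),
        "privileged_mfa_coverage": round(coverage(privileged, "mfa"), 2),
        "sso_coverage": round(coverage(active, "sso"), 2),
        "privileged_without_mfa": sorted(a["user"] for a in privileged if not a["mfa"]),
        "offboarding_gaps": offboarding_gaps(accounts, today),
        "dormant": dormant(accounts, today),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Report coverage for privileged accounts separately from the overall number: 40% MFA coverage across all users is a project, but two privileged accounts without MFA (here a person and a backup service account) are this week’s work. The offboarding list is the quickest check of whether the lifecycle process actually runs end to end.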

Must have: Vulnerability Management and Patching

Aside from credential misuse, many cyber breaches still involve exploiting known vulnerabilities. While “zero-day vulnerabilities” often capture headlines, organizations worldwide continue to face the more prevalent “everyday vulnerabilities.” These are older, well-known weak points that make up the majority of your attack surface and directly impact your current security posture. In your CISO role, you need a solid understanding of the real security risks. This task is much more complex than simply scanning everything and distributing PDF reports throughout the organization.

If there are no tools available, start with simple scanning that you can do both on infrastructure and application levels. Again, focus on patterns instead of individual findings. The data you collect will provide many insights if you look beyond the surface.

  • What is the status of your organization’s patching processes?
  • What is the condition of your external-facing infrastructure components?
  • Which parts of your organization are exposed?
  • Do findings persist from scan to scan, or reappear after being reported as fixed?
  • What are the top 10, 25, or 50 items that, if resolved, would greatly reduce exposure?

With that data in hand, you can engage in productive conversations with stakeholders across your organization. Remember, your role here is that of a curator rather than a reporter. Everyone probably knows that vulnerabilities exist. Your job is to curate the most critical vulnerabilities that reduce exposure and provide context, helping those responsible for mitigation do their work as effectively as possible.
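Curating rather than reporting means turning raw scan output into a handful of ranked, contextualised items. The following is an added example, not code from the original article: it works over three constructed scan snapshots (finding labels `F1`..`F4`, host names, CVSS values and the external-host set are all placeholders chosen for this illustration, not real vulnerabilities) and answers the questions above: which findings reduce the most exposure if fixed, which ones recur after a fix, and what share of open items is older than a remediation target.

```python
"""Turning scan snapshots into a short, prioritised list of findings.

Added example, not from the original article. Scan data, finding labels,
CVSS values and the exposure heuristic are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

TODAY = date(2024, 5, 15)   # assumed report date
SLA_DAYS = 60               # assumed remediation target in days

# Constructed snapshots, oldest first: (scan date, set of (host, finding)).
SCANS = [
    (date(2024, 3, 1), {("web-01", "F1"), ("web-02", "F1"), ("app-01", "F1"),
                        ("db-01", "F3"), ("db-02", "F3")}),
    (date(2024, 4, 1), {("web-01", "F1"), ("web-02", "F1"), ("app-01", "F1"),
                        ("db-02", "F3")}),                       # db-01/F3 fixed
    (date(2024, 5, 1), {("web-01", "F1"), ("web-02", "F1"), ("app-01", "F1"),
                        ("db-01", "F3"), ("db-02", "F3"),          # db-01/F3 is back
                        ("web-01", "F2"), ("app-02", "F4")}),
]
CVSS = {"F1": 9.8, "F2": 7.5, "F3": 5.3, "F4": 8.1}   # placeholder severities
EXTERNAL_HOSTS = {"web-01", "web-02"}                   # assumed internet-facing


def first_seen(scans):
    """Date each (host, finding) pair first appeared in any snapshot."""
    seen = {}
    for scan_date, items in scans:
        for item in items:
            seen.setdefault(item, scan_date)
    return seen


def recurring(scans):
    """Items that were present, disappeared, and came back: a fix that did not stick."""
    all_items = set().union(*(items for _, items in scans))
    history = {item: [item in items for _, items in scans] for item in all_items}
    result = set()
    for item, present in history.items():
        try:
            p = present.index(True)
            a = present.index(False, p)
            present.index(True, a)
            result.add(item)
        except ValueError:
            pass   # never present, never absent afterwards, or never returned
    return result


def aggregate_latest(scans):
    """Group the newest snapshot by finding: affected hosts and how many are external."""
    _, latest = scans[-1]
    agg = defaultdict(lambda: {"hosts": set(), "external": 0})
    for host, fid in latest:
        agg[fid]["hosts"].add(host)
        if host in EXTERNAL_HOSTS:
            agg[fid]["external"] += 1
    return agg


def exposure(fid, rec):
    """Assumed heuristic: severity weighted by reach, with internet-facing hosts counted three times."""
    internal = len(rec["hosts"]) - rec["external"]
    return CVSS[fid] * (3 * rec["external"] + internal)


def top_findings(scans=SCANS, n=10):
    """Finding ids ordered by exposure removed if resolved; the curated list."""
    agg = aggregate_latest(scans)
    return sorted(agg, key=lambda f: exposure(f, agg[f]), reverse=True)[:n]


def over_sla(scans=SCANS, today=TODAY, sla=SLA_DAYS):
    """Share of currently open items older than the SLA, plus the finding ids involved."""
    _, latest = scans[-1]
    seen = first_seen(scans)
    old = {item for item in latest if (today - seen[item]).days > sla}
    return round(len(old) / len(latest), 2), sorted({fid for _, fid in old})


if __name__ == "__main__":
    print("top findings:", top_findings(n=3))
    print("recurring:", sorted(recurring(SCANS)))
    print("share over SLA, ids:", over_sla())
```

Three numbers come out of this: a ranked list (one critical finding on two internet-facing hosts outranks everything else), a recurrence (the database host where the same finding came back after being reported fixed, which is a process conversation, not a patching one), and the share of open items past the target date, which is the honest status of the patching process. The weighting of external hosts is a starting assumption; replace it with whatever reflects your organization’s actual exposure.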

Understanding Data across the organization

Every organization today revolves around data, making it a priority for you as well. As you build your social network within your new company, make sure that data remains a recurring topic with your stakeholders.

  • Do you have specific data compliance requirements?
  • How is data stored, processed, and transferred?
  • Where is the data, and who or what has access to it?
  • Is the data lifecycle management process straightforward?

This is also likely where you’ll review backup and restore activities and conduct your initial Data (Protection) Impact Assessments.

Building your Strategic Security Roadmap

As you gain a deeper understanding of the reality you’re working in, it’s time to develop your roadmap to move forward. I’d recommend avoiding a “big plan” approach. Instead, start with smaller iterative changes and improvements that clearly focus on reducing identified risks and making it easier to work within your company. The latter is often overlooked, but the cumulative effect of making “doing things securely” easier is significant. Small wins across security operations, incident response, and risk reduction will solidify your approach. You’re becoming an ally instead of building a security team that makes progress hard.

Conclusion

Firstly, I did not address compliance separately, and this is intentional. As a new CISO in your first days on the job, you depend on others within your organization to provide information on ever-changing requirements. This makes the topic a priority in your discussions with various stakeholders and contributors during your first 100 days. It’s clear that compliance, both legal and regulatory, is a major part of any security program these days, but remember that compliance is not the same as security. In the long run, compliance should become a natural result of a focused and business-aligned security program.

Finally, I need to note that there is no single checklist for becoming a successful CISO, especially within a limited timeframe of 100 days. Remember that this is not a single “big bang” effort. There will be big wins along the way, but your success depends on small, iterative changes that measurably improve things. Don’t feel discouraged if progress seems slow! Instead, celebrate the small wins with your colleagues and the other teams involved.

Be better prepared to take on your role as CISO

Our full Certified CISO training programme provides you with an intense overview of the aspects it takes to get a helicopter view of the cybersecurity issues in your organisation in the function of Chief Information Security Officer.

Be at the top of your game and book the Certified CISO full track in one go!

Security Leader: Full CISO Certification Track 7 Modules
