Module 01 · Lesson 08

The CISO first 100 days playbook

The clock starts now. The first 100 days define your tenure — build credibility or lose it, make allies or enemies, set the tone for your program.

100 days · 3 org sizes · 6 common mistakes

How CISOs Get Hired

Three paths to the role

60-70%
Reputation & Network
Board member knows someone who knows you. Speaking, writing, visible incident leadership. Starts years before the search.
20-30%
Executive Recruiters
Specialized cybersecurity recruiters maintain shortlists. Build the relationship before you need it.
10-20%
Internal Promotion
VP/Director steps up. Requires executive visibility and demonstrating business leadership skills.

The person who recommends you for a CISO role is more likely to be a CEO than a fellow security practitioner.

The Interview

The winning 90-day plan presentation

The losing candidate presents 40 slides of technical architecture changes. The winning candidate presents 6 slides:

Slide 1
What I'll listen to — Weeks 1–4. Stakeholders, team, existing state.
Slide 2
What I'll assess — Weeks 5–8. Gaps, maturity, risk posture.
Slide 3
What I'll recommend — Weeks 9–12. Strategy, quick wins, budget.
Slide 4
How I'll communicate — Board cadence, exec reporting, metrics.
Slide 5
Success at day 100 — Measurable outcomes, not vague promises.
Slide 6
Open questions — What I'd need answered. Shows intellectual humility.

One showed they had all the answers. The other showed they knew the right questions.

Under 100 Employees

First security hire

You're probably the first. No team, possibly no budget. Report to CTO/CEO directly. You're a player-coach.

Weeks 1–2
Meet every department head. Understand product, tech stack, customers, revenue. Map infrastructure. Expect undocumented cloud accounts.
Weeks 3–4
Threat model the business. Crown jewels? Customer data? Source code? What's existential? One page.
Weeks 5–8
Essential hygiene. CIS Controls IG1. MFA everywhere, endpoint protection, email security, backup verification.
Weeks 9–12
First strategy document. One page: top 5 risks, what you've done, what you need. Present to CEO.

Advantage: Speed. No bureaucracy. Challenge: You are the entire department.
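As an added example, not part of the lesson: a small Python reconciliation that turns "expect undocumented cloud accounts" (Weeks 1–2) and "MFA everywhere" (Weeks 5–8) into checks you can run against exported data instead of memory. The account list mirrors the shape of `aws organizations list-accounts` JSON and the CSV mirrors a few columns of an IAM credential report, but every account, user and inventory entry below is constructed, and `reconcile_accounts` and `mfa_gaps` are this example's own function names, not any tool's API.

```python
"""Reconcile what the cloud provider reports against what the team has documented.

Added example, not from the lesson. The JSON imitates the shape of
`aws organizations list-accounts`, the CSV a subset of IAM credential report
columns; all IDs, names, users and the inventory itself are made up.
"""
import csv
import io
import json

# Constructed: what the provider says exists.
ORG_ACCOUNTS_JSON = json.dumps({"Accounts": [
    {"Id": "111111111111", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "staging", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "data-science-sandbox", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "old-marketing", "Status": "SUSPENDED"},
]})

# Constructed: what the team's wiki / spreadsheet says exists.
DOCUMENTED_INVENTORY = {
    "111111111111": "prod",
    "222222222222": "staging",
    "555555555555": "decommissioned-2022",
}

# Constructed: a few columns of a credential report for one account.
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,false
alice,arn:aws:iam::111111111111:user/alice,2021-05-10T00:00:00+00:00,true,2024-03-02T10:00:00+00:00,true
bob,arn:aws:iam::111111111111:user/bob,2021-06-11T00:00:00+00:00,true,2024-02-28T08:00:00+00:00,false
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2022-01-01T00:00:00+00:00,false,N/A,false
"""


def reconcile_accounts(org_json: str, inventory: dict) -> dict:
    """Compare provider-reported accounts with the documented inventory.

    Returns three sorted lists of account IDs:
      undocumented - ACTIVE at the provider but absent from the inventory
      suspended    - reported as SUSPENDED; still billable and recoverable by
                     its owners, so confirm it was closed on purpose
      stale        - in the inventory but unknown to the provider (doc drift)
    """
    accounts = json.loads(org_json)["Accounts"]
    known = set(inventory)
    seen = {a["Id"] for a in accounts}
    return {
        "undocumented": sorted(a["Id"] for a in accounts
                               if a["Status"] == "ACTIVE" and a["Id"] not in known),
        "suspended": sorted(a["Id"] for a in accounts if a["Status"] == "SUSPENDED"),
        "stale": sorted(known - seen),
    }


def mfa_gaps(report_csv: str) -> list:
    """Return users who can sign in to the console without MFA.

    Only console-capable users are flagged. The root row reports
    `not_supported` for password_enabled because root always has a console
    password, so it is treated as console-capable. An access-key-only identity
    such as a deploy robot has no login page to protect and is not a gap here;
    its keys are a separate review.
    """
    gaps = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_capable = row["password_enabled"] in ("true", "not_supported")
        if console_capable and row["mfa_active"] != "true":
            gaps.append(row["user"])
    return gaps


if __name__ == "__main__":
    for bucket, ids in reconcile_accounts(ORG_ACCOUNTS_JSON, DOCUMENTED_INVENTORY).items():
        print(f"{bucket:>12}: {ids}")
    print("console users without MFA:", mfa_gaps(CREDENTIAL_REPORT_CSV))
```

Replace the constants with real exports and the same two functions apply. The point is that the provider's view and the team's documentation are compared mechanically, and that suspended accounts and key-only identities are reported in their own buckets rather than silently folded into "fine" or "gap".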

100–1,000 Employees

Inheriting a team

Small team, existing tools, patchwork policies. Regulatory pressure drove the CISO hire.

Weeks 1–2
Stakeholder mapping. Meet every exec and team member. Two questions: "Biggest risk?" and "Most frustrating thing about security?" Take team to lunch.
Weeks 3–4
Audit what exists. Policies — followed? Tools — configured? Processes — tested? Use NIST CSF to map gaps.
Weeks 5–8
Quick wins + strategy. Fix 2–3 visible problems everyone knows about. Build credibility. Develop 12-month plan.
Weeks 9–12
First board presentation. Where we are, where we need to be, how we get there, what it costs. Include peer benchmarks.

Advantage: Resources and people to scale through. Challenge: Managing a team you inherited rather than chose.

1,000+ Employees

Enterprise complexity

Large team, established program, significant tooling, complex political landscape. Fundamentally different.

Weeks 1–2
Understand the politics first. Power brokers? Allies? What happened to your predecessor? The political map matters more than the network diagram.
Weeks 3–4
Assess your direct reports. These 5–8 leaders will execute or undermine your strategy. No org changes yet. Private assessment only.
Weeks 5–8
External maturity assessment. Commission independent audit. You need objective data — opinions don't scale.
Weeks 9–12
12–24 month strategy. Socialize with allies before formal presentation. Never surprise an executive in a meeting.

Advantage: Budget and headcount. Challenge: Organizational alignment.

Common Mistakes

What NOT to do in your first 100 days

Moving too fast on org changes — you don't have the context yet to restructure

Leading with tool purchases — "buy a SIEM" before understanding the environment

Ignoring your predecessor's work — dismissing everything that came before

Overpromising the board — setting expectations you can't meet

100 days of assessment, zero visible action — the team loses confidence

Not building alliances outside security — going it alone guarantees failure

Key Takeaway

Listen before you act. Act before they forget.

Remember this

Two or three visible quick wins in the first 60 days build credibility both upward (board/execs) and downward (your team).

The team that exits day 100 is the team that executes your strategy. Invest in them first.

The winning interview presentation shows the right questions, not all the answers.
