Blog Series: Your First 90 Days as a CISO
Post 1 of 4
A Plain-English Guide for New, Aspiring, and Future Security Leaders
Congratulations. You just landed the CISO role. Whether it's your first time in the seat or you're stepping up from a deputy or director position, the moment is real — and so is the pressure that comes with it.
Here's the thing nobody tells you in the interview process: the first 30 days aren't really about security. They're about you becoming someone this organization trusts. The technical problems — the vulnerabilities, the policy gaps, the outdated tools — they'll still be there in 60 days. What won't wait is the window you have to establish yourself as a leader who listens, learns, and earns credibility before swinging the axe.
This post is going to walk you through exactly how to use those first 30 days to build the foundation your entire tenure will rest on. We'll cover who to meet, what to ask, what to look for, and just as importantly — what to avoid doing before you're ready.
📋 ABOUT THIS SERIES
This is part of a four-post series walking you through your first 90 days as a CISO — in plain English, no buzzwords.
- Post 1: Days 1–30 — Listen, Learn, and Don't Break Anything (you're here)
- Post 2: Days 31–60 — Assess the Landscape and Build Your Roadmap
- Post 3: Days 61–90 — Start Executing and Show Early Wins
- Post 4: Winning the Room — How to Gain and Keep Executive Support
Why the First 30 Days Are Different
New executives often feel enormous pressure to demonstrate their value immediately. Boards want to see ROI. The CEO wants to know they made the right hire. Your team is watching to see what kind of leader you are. That pressure is real, and it can push you toward action before you're ready to act wisely.
Resist it.
The organizations where CISOs fail fastest are almost always the ones where the new leader came in hot — restructuring the team in the first two weeks, canceling vendor contracts they didn't fully understand, or rolling out sweeping new policies that created friction and resentment without solving anything meaningful. Acting fast feels productive. It almost never is, not at this stage.
The most important thing you can do in your first 30 days is develop a clear, honest picture of the environment you've just inherited. What's actually working? What's broken? What do people think is broken that actually isn't? What risks are being accepted informally that nobody has documented? You cannot answer any of these questions without spending serious time listening to the people who already know the answers.
Think of it this way: a surgeon doesn't make the first cut before reviewing the patient's full history, running tests, and understanding what they're dealing with. Your first 30 days are your diagnostic phase. Don't pick up the scalpel yet.
Meet Everyone Who Matters — And Then Some
Your first major task is scheduling one-on-one meetings with every key stakeholder across the organization. This means not just the IT department. It means Legal, HR, Finance, Procurement, Operations, Marketing, and as many business unit leaders as will agree to sit with you.
Why so broadly? Because security doesn't live only in IT. Data lives in every corner of the organization. Risks emerge from business decisions made by people who've never thought about security implications. Compliance obligations flow from contracts negotiated by Legal and Finance. If you only talk to the people in your immediate orbit, you'll spend your first year discovering risks that the rest of the business already knew existed.
The goal of these meetings is not to impress anyone or to preview your security vision. The goal is to genuinely understand their world. What do they rely on technology to do? What would stop their team cold if it went down? What security-related friction are they experiencing that nobody has fixed? What do they wish the security team understood about how their work actually gets done?
You will hear complaints. Some of them will be legitimate, and some won't. Either way, receive them without defensiveness. You didn't create these problems, and getting defensive about them serves nobody. What you're doing is building a map of the organization's relationship with security — the trust gaps, the friction points, the places where security has been a blocker and the places where it's been invisible.
💡 Pro Tip
Take written notes in every single meeting, and follow up with a brief email within 24 hours summarizing what you heard and thanking the person for their time. This one habit — consistent, without fail — signals that you're organized, that you actually listened, and that you treat people's time as valuable. It will set you apart from the vast majority of new executives, and people will notice.
Get to Know Your Security Team — Really Know Them
If you have a security team reporting to you, they are your most critical early relationship. These are the people who will execute your vision, carry your programs forward, and either amplify your impact or quietly undermine it if they don't trust you.
Meet with each person individually, not just as a group. In group settings, people default to professional presentation mode. In a one-on-one, you get to understand who they actually are — their strengths, their frustrations, what they're proud of, what they feel is broken, and what they've been trying to fix without the resources or authority to get it done.
Ask them what they need from you as a leader. Ask what they've been wanting to prioritize that hasn't been given attention. Ask what they think the organization misunderstands about security. These questions signal that you see them as professionals with expertise and perspective worth valuing — not just headcount executing tasks.
Be especially thoughtful if you're inheriting a team that was close to your predecessor, or a team that's been leaderless for a while. Both situations create specific dynamics you need to understand before you start making changes. A team that loved their former leader will need time to trust a new one. A team that's been running without clear direction may have developed informal structures and workarounds you need to understand before you disrupt them.
Get the Lay of the Land
While you're building relationships, you should also be gathering information about the environment itself. This doesn't mean diving into a full technical assessment yet — that comes in the next phase. Right now you're just building situational awareness.
You want to develop a working understanding of several things. Start with the technology landscape: what systems does the business run on, what's hosted in-house versus in the cloud, and where does the most sensitive data live? Then look at the existing security program: what tools are in place, what policies exist on paper, and what the team has been focused on.
Ask for documentation on any past security incidents, breaches, or near-misses. The history of security events at an organization tells you more about the real risk profile than any tool assessment. How were incidents handled? Were they documented? Were lessons captured and acted on, or filed away and forgotten? A root cause that shows up more than once in that history is a risk the organization has already decided, informally, to accept, and it belongs on the list of undocumented accepted risks you are building.
Look at the compliance landscape as well. What regulations apply to this organization? HIPAA? PCI DSS? GDPR? SOX? Are there active audits or assessments underway? Are there compliance gaps that have been flagged but not addressed? This information will become critical in Phase 2 when you start building your roadmap.
- What technology does the company rely on most, and where are the critical dependencies?
- What data does the company handle, and where does the most sensitive data live?
- What security tools and programs are already in place — and are they actually being used?
- What compliance and regulatory requirements apply to this business?
- What incidents or breaches have happened in the past, and how were they handled?
- What third-party vendors have access to your systems or data?
- What does the budget picture look like, and when does the next budget cycle happen?
You won't get complete answers to all of these in 30 days, and that's fine. You're building a picture, not completing a puzzle. Write down what you learn and what you still need to find out. The gaps in your knowledge are just as useful as the answers.
Understand the Culture — It Will Make or Break You
Every organization has a culture, and that culture will determine what you can accomplish as CISO more than almost any other factor. You can have the best security program design in the world, and it will fail if it doesn't fit the culture of the organization you're trying to implement it in.
Some organizations move fast and accept risk as a cost of speed. Others are methodical and process-driven. Some have a strong security culture where employees take their responsibilities seriously. Others treat security as someone else's problem until something bad happens. Some leadership teams view the CISO as a strategic partner. Others view the role as a compliance checkbox.
None of these cultures is inherently wrong — but each one requires a different approach. A fast-moving startup culture requires security solutions that don't slow things down. A risk-averse financial services culture may welcome more thorough controls but will expect rigorous documentation. A blame culture will require you to actively work to create psychological safety around security reporting before you can expect people to surface issues honestly.
Pay attention to how decisions actually get made — not how the org chart says they should be made. Who has real influence? Whose opinion moves things? Where does security fit in the priority stack when it competes with business objectives? Understanding the informal power structures and cultural norms of your organization will save you from months of wasted effort pushing against walls that cultural reality has quietly built around you.
💡 Pro Tip
Ask people how decisions get made — not who makes them. The answer will reveal the informal culture more clearly than any org chart. You'll quickly learn whether decisions happen in formal meetings or in side conversations, whether data drives choices or gut instinct does, and how much patience the organization has for process versus how much it craves speed.
Start Managing Up From Day One
Your relationship with your direct supervisor — whether that's the CEO, CTO, or another executive — is one of the most important relationships in your professional life right now. Don't neglect it while you're busy meeting everyone else.
Have an explicit conversation early on about expectations. What does this person want to see from you in the first 30, 60, and 90 days? How do they want to be communicated with — brief weekly updates, formal monthly reports, or informal check-ins? What are the top security concerns that are already on their radar? What does success look like to them at the end of year one?
These questions accomplish two things. First, they give you critical information about how to prioritize and communicate. Second, they signal to your supervisor that you're thoughtful, organized, and invested in doing the job well — not just the way you already had in mind.
One more thing: if there is a board, or a board-level security or audit committee, find out how security is typically reported to it and when the next opportunity to present will be. You won't be ready to present in the first 30 days, but you want to understand the cadence and expectations well in advance.
What NOT to Do in the First 30 Days
This section matters as much as everything above. The mistakes new CISOs make in the first 30 days are often career-defining — and not in a good way.
Don't make promises you can't keep. When stakeholders tell you about pain points, it's tempting to say "we'll fix that." Resist. You don't know yet whether you can, when you can, or what fixing it will require. Instead say: "That's important — I'm going to make sure I understand it fully before I commit to a plan." This response is honest, it shows maturity, and it buys you the time you need.
Don't make major changes to tools, processes, or personnel. You do not have enough information yet to make good decisions about these things. Changes made in the first 30 days, before you understand the full context, are far more likely to create new problems than solve old ones. There will be exceptions, such as an active incident or a critical exposure that would be negligent to leave open, but those should be rare. Even then, contain the immediate risk and nothing more; an emergency is not a license for the broader reorganization you haven't earned the context for yet.
Don't trash your predecessor. Even if the program you've inherited is a mess, even if people are practically lining up to tell you how bad things were before you arrived — don't join that conversation. Criticizing the person who held the role before you is unprofessional, it signals poor judgment to the people watching you, and it builds no goodwill. You inherited what you inherited. Your job is to move forward.
Don't go around people. If you need information or access that someone isn't providing, don't escalate or go around them before you've made a genuine effort to build the relationship directly. Going around people burns bridges before you've had a chance to build them.
Don't disappear. It can feel productive to spend the first few weeks in your office, reading documentation, reviewing systems, and building your mental model. But visibility matters. Show up. Eat lunch with people. Walk the floor. Attend meetings you weren't explicitly required to attend. Physical and organizational presence communicates engagement and investment in a way that no amount of behind-the-scenes work can replace.
Don't underestimate the politics. Every organization has politics — competing priorities, territorial dynamics, unspoken tensions between departments. Pretending they don't exist or trying to rise above them won't protect you from them. Understand the landscape so you can navigate it intelligently. You don't have to play political games, but you do need to know they're being played.
End of Month One: What You Should Have
By the end of day 30, you should be able to check off several things. You've met one-on-one with every major stakeholder on your list. You've had individual conversations with every member of your direct team. You've gathered a high-level picture of the technology environment, the existing security program, the compliance landscape, and the incident history. You understand — at least at a surface level — what the culture is and how decisions get made.
You should also have a running document — a notes file, a journal, whatever format works for you — capturing everything you've learned. Every meeting, every observation, every question that came up that you haven't yet answered. This document will become the foundation of the assessment you'll conduct in Phase 2.
Most importantly, you should have begun earning a reputation as a leader who listens, who is thoughtful, who doesn't shoot from the hip, and who respects the knowledge and experience of the people already in the organization. That reputation is worth more than any technical win you could have manufactured in 30 days, and it will pay dividends for your entire tenure.
💭 Final Thought
The best thing you can do in your first 30 days has nothing to do with security tools, vulnerability counts, or policy documents. It's showing people that you're a leader worth following. Leaders who listen before they act, who take the time to understand the people and the environment they've stepped into, who extend respect before they demand it — those are the leaders who build programs that last. Your technical skills got you the job. Your judgment and your ability to connect with people will determine whether you keep it and what you actually accomplish. Start there.
Up Next in This Series
Post 2: Days 31–60 — Assess the Landscape and Build Your Roadmap →