
Days 61–90: Start Executing and Show Early Wins


Blog Series: Your First 90 Days as a CISO

Post 3 of 4

A Plain-English Guide for New, Aspiring, and Future Security Leaders


You've listened. You've assessed. You've built your roadmap and started making your business case. Now it's time to actually do something — and to do it in a way that builds credibility, creates momentum, and sets the tone for the security program you're building.

The final 30 days of your first quarter are where theory meets reality. This is when you shift from being the new CISO who's been asking questions and taking notes to being the CISO who executes. That transition matters. People have been patient. They've given you time to learn. Now they want to see what you're going to do with everything you've learned.

The key is to move strategically, not frantically. It's tempting to try to tackle everything at once — you've spent 60 days building a long list of things that need to change, and the pressure to show progress is real. But scattered execution produces scattered results. The goal of this phase isn't to do everything on your roadmap. It's to do the right things first, do them well, and communicate what you've accomplished in a way that builds confidence in where you're taking the program.

📋 ABOUT THIS SERIES

  • Post 1: Days 1–30 — Listen, Learn, and Don't Break Anything
  • Post 2: Days 31–60 — Assess the Landscape and Build Your Roadmap
  • Post 3: Days 61–90 — Start Executing and Show Early Wins (you're here)
  • Post 4: Winning the Room — How to Gain and Keep Executive Support

Choose Your Quick Wins Carefully

Early wins matter enormously for a new CISO. They demonstrate competence, build credibility with stakeholders, and show your team that things are actually going to change under your leadership. But not all wins are created equal, and choosing the wrong ones can actually hurt you.

A real quick win has three characteristics. It's genuinely impactful — it reduces meaningful risk or closes a real gap, not just a cosmetic one. It's visible — the right people know it happened and understand why it matters. And it's achievable within your timeframe — not something that requires six months of organizational change management to pull off.

What doesn't count as a real win: updating a policy document that nobody reads. Renaming the security team. Holding a meeting to announce that security is now a priority. These feel like action but they don't move the needle on actual security posture, and experienced stakeholders will see right through them.

What does count: enabling multi-factor authentication for all privileged accounts. Closing a critical vulnerability that's been sitting open for months. Running the organization's first-ever security tabletop exercise. Implementing or activating a monitoring capability that gives you visibility into a blind spot. Completing an external penetration test and sharing results with leadership. Any of these creates real, demonstrable improvement and makes for a credible story when you present your 90-day review.

Look at your risk assessment from month two and identify two or three items that meet the criteria above. Focus your execution energy there. Depth over breadth. Doing two things well will serve you far better than spreading yourself across ten things that all land at about 60% completion.

💡 Pro Tip

Communicate your wins intentionally. Don't just complete an initiative and move on — send a brief, clear update to your key stakeholders explaining what was done, why it mattered, and what the outcome is. This is not self-promotion; it's keeping people informed and building the narrative around a security program that's moving in the right direction.

Get Serious About Your Team

By now you've had individual conversations with every member of your security team. You know their strengths, their gaps, their frustrations, and their aspirations. Month three is when you start acting on that knowledge.

If there are staffing gaps that create real risk — critical capabilities that simply aren't covered — begin the hiring process now. Recruiting for security talent takes time. If you start the process in month three, you're being realistic about when you'll have those people on board. If you wait until month six, you're creating an avoidable gap.

Be equally intentional about the team you already have. Are people in the right roles? Are there team members who are underutilized — skilled people doing work below their capability because the team was historically understaffed and everyone just did whatever needed doing? Are there people who are in roles they're not suited for, through no fault of their own? These are hard conversations, but they're conversations you need to have — with empathy and with clear expectations, not avoidance.

Invest in your team's development. Security is a field that moves fast, and the skills that were cutting-edge three years ago may already be table stakes. Find out what training, certifications, or development opportunities your team members are hungry for, and make a genuine effort to support those goals. A team that sees you investing in their growth will follow you into hard challenges. A team that feels like interchangeable resources will disengage and eventually leave.

Great CISOs are talent multipliers. They don't just execute the mission themselves — they build teams that can execute it better collectively than any individual could alone. Month three is when you start laying that groundwork in earnest.

Formalize Your Most Critical Processes

If your assessment in month two revealed process gaps — and it almost certainly did — month three is when you start closing the most critical ones. Trying to formalize every process at once is a recipe for chaos and half-finished work. Pick the two or three that carry the most risk and do those first.

Incident response is almost always the highest priority. If your organization were to experience a ransomware attack or a significant data breach tomorrow, would your team know exactly what to do? Who makes the call to involve external counsel? Who notifies affected customers? Who communicates with regulators? Who handles media inquiries? Who has the authority to take affected systems offline? If these questions don't have clear, documented, practiced answers, your organization is dangerously exposed.

Building a solid incident response process doesn't require months of work. It requires clear roles and responsibilities, a documented playbook for your highest-priority scenarios, and at minimum one tabletop exercise to shake out the gaps before a real incident reveals them. A tabletop exercise — a structured walk-through of a simulated incident scenario — is one of the highest-value activities you can run in your first 90 days. It builds team capability, identifies process gaps, and is a highly visible, credible demonstration that your security program is getting serious.

Beyond incident response, look at patch management and vulnerability remediation. If critical vulnerabilities are sitting unpatched for 60 or 90 days because there's no consistent process for prioritizing and tracking remediation, that's a risk that needs attention quickly. A functioning vulnerability management program doesn't have to be complex — but it does have to be consistent and accountable.

Security awareness training is another area that's both high-impact and relatively accessible. If the organization doesn't have a regular security awareness program, even starting with a monthly phishing simulation and quarterly training can meaningfully reduce the human risk factor. And it's the kind of initiative that's visible across the entire organization — not just within IT — which matters when you're trying to build a broader security culture.

💡 Pro Tip

Run a tabletop exercise before day 90 if at all possible. Pick a realistic scenario — ransomware is a great choice for most organizations — walk your key stakeholders through it, and document the gaps it reveals. It checks multiple boxes at once: builds team capability, demonstrates leadership, and gives you concrete data for your 90-day review presentation.

Begin Aligning Security to the Business Rhythm

One of the most important transitions that happens in month three is beginning to align the security program to the rhythm of how the business actually operates. Security can't be a parallel universe that runs on its own schedule, disconnected from how the organization makes decisions and allocates resources.

Understand the budget cycle and when decisions about next year's spending will be made. You want to be walking into that cycle with a well-developed business case, not scrambling to put one together after the decisions have already been made. If the budget cycle begins in Q4 and you're a CISO who started in Q2, you have a relatively short window to get your priorities documented and your business case ready.

Understand how major technology and business decisions get made, and make sure security has a seat at that table. One of the most costly security patterns organizations fall into is building or buying things without security involvement, and then having to retrofit security controls after the fact — which is always more expensive and less effective than building security in from the start. Your goal over time is to make security a natural part of every major business and technology conversation. That doesn't happen on its own. You have to show up consistently and demonstrate that security involvement adds value rather than creating delays.

Start establishing or improving security metrics. If you can't measure your program, you can't manage it — and you certainly can't communicate its value to leadership. Identify three to five key metrics that reflect the health of your security program and the direction it's moving. Things like mean time to detect and respond to incidents, percentage of critical vulnerabilities remediated within SLA, phishing simulation click rates over time, and percentage of employees completing security training. Present these consistently, show trends, and let the data tell the story of your program's progress.

Prepare and Deliver Your 90-Day Review

Before day 90 is up, you need to get in front of your executive leadership team with a structured presentation of what you've learned, what you've done, and where you're taking the program. This is one of the most important presentations of your early tenure, and it deserves serious preparation.

Your 90-day review should tell a clear story in four acts. First, what you found — an honest assessment of the current state of the security program, the most significant risks, and the compliance landscape. Don't soften bad news. Executives respect honesty and lose trust in leaders who tell them what they want to hear instead of what they need to know. Second, what you've done — the quick wins, the process improvements, the team investments you've made in the first quarter. Third, where you're going — your roadmap, the priorities you've set, and the rationale behind them. And fourth, what you need — the resources, organizational support, and executive backing required to execute the plan.

Keep the presentation visual, clear, and accessible to a non-technical audience. You're not presenting to security engineers. You're presenting to business leaders who need to understand the risk picture and feel confident in your direction. Use plain language. Use analogies. Use numbers where they help, and avoid technical jargon where they don't.

Anticipate the hard questions. What's the most urgent risk we're facing right now? How do we compare to industry peers? What's this going to cost? What happens if we don't invest in this? Prepare honest, clear answers. The ability to answer difficult questions directly and without defensiveness is one of the hallmarks of a CISO who has executive trust.

End of Day 90: What Success Looks Like

At the end of your first 90 days, you should be able to look back at a quarter that was genuinely productive — not just busy. You've built relationships across the organization. You've conducted an honest assessment of the security program. You've identified and begun addressing the most critical risks. You've formalized at least one or two key processes. You've invested in your team. And you've presented a credible roadmap to leadership that positions you as a strategic partner, not just a technical operator.

More importantly, you should have begun to shift the organizational conversation about security. The measure of a successful first 90 days isn't just what got done — it's whether the organization is starting to see security as a business function that enables the mission, rather than a cost center that creates friction. That shift doesn't happen in 90 days. But you can plant the seeds in 90 days that make it possible over the following year.

The people around you should have a clear sense of who you are as a leader, what you stand for, and what direction you're taking the program. They should trust that you know what you're doing, that you understand the business, and that you're going to be honest with them even when the news is uncomfortable. That trust is the foundation everything else gets built on.


💭 Final Thought

By day 90, you shouldn't just be the new CISO — you should be the CISO. That transition from "new" to "established" doesn't happen because time passed. It happens because you did the work. You listened when it would have been easier to act. You built relationships when it would have been easier to stay in your office. You delivered real improvements when it would have been easier to produce reports and presentations that looked like progress without creating any. Do the actual work, be honest about it, and by the end of your first quarter the organization will know exactly what kind of leader they hired — and it will be the right answer.

Up Next in This Series

Post 4: Winning the Room — How to Gain and Keep Executive Support →
