100 Day Plan Framework: Onboarding Guidance for CISOs (& Leaders)
90 / 100 Day Plan for New CISOs (& Executive Leaders)

Congrats, you got the CISO position. What now?

Have you developed a 100 Day Onboarding Plan?

Disclaimer(s): This is a baseline, and may not fit your organization. Adjust timelines to match company size and culture.

Sources: experiences, mentors, Gartner, CISOs, and leaders.

100 Day Plan Framework for new CISOs (& Leaders):

Goals:

1. Define the CISO's role and responsibilities

2. Build Rapport, & Establish trust

4. Assess the Security Program (Today)

5. Develop the Security Plan (Tomorrow)

6. Present the Security Plan

7. Gain leadership and stakeholder support

8. Execute the Plan

9. Measure & Continuously Improve

Strategy to Achieve 100-Day Plan:

1. Meet with Leadership: Weeks 1 – 4

*Align timing to your Organization*

  • Meet with Sponsors: (e.g., CTO, COO, CEO, CFO, C, CAO)
  • Questions to gain insight:
  • Who are my top 5 relationships?
  • Do you have 1-2 top priorities?
  • Success criteria for the security program?

1a. Meet with the Security Team: Weeks 1 – 4

*Align timing to your Organization*

  • Meet with Security Team
  • Questions to gain insight:
  • Top 3 things to know about the team?
  • What are you hoping that I don't change?
  • Where do you focus most of your time?
  • What's challenging about your role?
  • How can I support you and the team?
  • What are security's top priorities?
  • What are the enterprise's top objectives?

1b. Meet with Partners: Weeks 1 – 12 (Meet Critical Partners Weeks 1 – 4)

*Align timing to your Organization*

  • Meet with Partners
  • Questions to gain insight:
  • What are your top 1-3 business priorities?
  • How do you see the security function?
  • What are a few opportunities?
  • What are 1-2 areas where we can partner?

1c. Assess Security Program Maturity: Weeks 1 – 8

*Align timing to your organization*

  1. Identify Resources, Budget, Risk Processes, & Technology.
  2. Perform Gap Analysis (Interviews, Assessments, etc.)
  3. Meet with Critical Vendor Partners
  4. Validate Ransomware Readiness (Risk of Interruption to Business Operations)
  5. Review Security Technical Controls (Identify, Protect, Detect, Respond, Recover)
  6. Identify the Top 3 Risks and Options to Address (Business Plan Components)

  • Assessments Scope:
  • Risk Register
  • Audits, Compliance & Regulatory Reports
  • Controls Maturity Frameworks - e.g., ISO, NIST, CIS
  • Threat & Vulnerability assessments
  • Penetration tests & other Risk Assessments
  • Phishing tests

2. Review Findings with Team(s): TBD

*Align timing to your organization*

3. Develop Security Strategic Plan: TBD

*Align timing to your organization*

Strategic Plan Scope:

  1. Security Program Vision & Strategy
  2. Regulatory & Industry Benchmarks
  3. Security Scorecard & Top Risks
  4. Gap Analysis, Quantified Recommendations, Budget, People, Skills, Investments (sometimes called a "Business Plan")
  5. Delivery Roadmap
  6. Performance Metrics

4. Implement improvements to address the risk (TBD)

5. Measure & Continuously Improve (TBD)


Part 2: Additional LinkedIn Community Feedback:

* A series of posts highlighting guidance from CISOs, Business Leaders, Technologists, & Partners on tips to plan and execute a 100-day onboarding plan.

100 Day Onboarding Plan - Tips & Guidance:

1. Jamie Thingelstad - CTO, SPS Commerce - "The New Leaders 100 Day Action Plan, By: George Bradt, Jayme Check, John Lawler"

2. Johnny Collins - Cybersecurity Leader & Incident Responder, KPMG - "Excellent writeup. A few pieces I have come across working as a CISO and with CISOs are the following, which complement what you have put down, Christina:

  • Understand the business side of the house and the point of contact, as this will help in the event of a security incident like ransomware recovery, business email compromise, compromised web application servers, and others
  • Be prepared to walk into an incident; sometimes you are hired because of a previous incident that may not have been fully remediated
  • Take a look at previous incident history and assessments as this can help focus on gap closures
  • Take into account the integration process for M&A as you can quickly inherit problems on the security and IT side
  • Ensure you have a good incident response retainer (I recommend multiple $0 for coverage) and external counsel available as you will want to make sure you have support ready to go and not have to work through red tape
  • Funding in the event of an incident, make sure you know who manages and approves those invoices for products and services so that there is no disruption"

3. Michala Liavaag - CISO Advisor | vCISO | Cybility Consulting Ltd – "Christina S. thanks for sharing. Mine is pretty similar to yours so must be doing something right.

  • A few additional questions that I throw in as part of meeting new stakeholders from the outset help me to take the temperature of the organization including identifying where the supporters, and naysayers are.
  • Do you have any experience working with dedicated security professionals previously? If so, what did they do that worked well for you? What did they do that frustrated you?
  • If there isn't a baseline survey in place to provide insight into how the wider staff population perceives security, run a diagnostic survey to create a baseline from which to measure improvements.
  • Another one is getting people to share what they think the "sacred cows" are in the organization as this can help prevent unintended missteps as incoming CISO."

4. Responses to Michala L.'s Post:

5. Steve Hindle - CISO, Mad Mobile - "Thanks for the tag, Christina S. This is an amazing post and comment thread.

  • LinkedIn should be pushing this to the top of the community feed.
  • You've echoed a lot of the items that we've both evangelized and spoken candidly about in a number of settings.
  • I'd amplify and add to the items above that suggest soliciting input and building the map around what your stakeholders and peers expect from you, or what they perceive/believe #cyber #security means to them. Those last two words must define your narrative and any CISO needs to be a storyteller to the business audience, crafting that narrative for them.
  • Any Executive team is going to be asking how you can fix their problems or address their perceived risk. Unless you can adapt your message appropriately and start with _their_ "why", the role of the CISO as an advisor and business partner becomes exponentially more difficult.

6. Shawn M Bowen - CISO, World Fuel Services - "I am definitely way too late to this post, but lots of great stuff here...I'll just give two other references I didn't see through my quick review of the long list of comments:

7. Jerich Beason - CISO, Commercial Bank, Capital One - "A lot of hard earned great nuggets of wisdom in this post and the comments. The book I lean on for any new leadership role is "First 90 Days," by the Harvard Business Review. Highly recommend it!

8. Nick Ryan - Director, Chief Information Security Officer (CISO), Baker Tilly US - "

  • This is fantastic, Christina! This covers a ton of bases but if I had to add anything, I’d consider:
  • Establish a baseline understanding of terms. It’s amazing how you and I may think of one thing when we hear the word “risk” while a finance executive may take it in another direction. Critical Risk = X, Moderate Risk = Y, for example. This goes for the leadership and security team.
  • For the leadership team, what matters to each of them? We can make assumptions but assumptions don’t always pan out. Bonus points if they can call out what they like from a presentation standpoint. Do you need to focus your time on pretty charts/graphs or do they like detailed briefs?
  • One meaningful finale for your initial gap analysis is to answer, “What’s the value of what we are trying to protect, and how safe is it for what we’re currently spending?”
  • Last, don’t feel bad bringing in vendors that have been trusted partners over the years and make the existing partners prove their value add to you…I look back and there are a few vendors I wish I didn’t carry on with into my new role (felt obligated) and there are others I wish I didn’t rely on their history with my organization as the sole purpose of doing business with them."

9. Donna Ross (she/her/hers) - CISO, Radian - "Great List!

  • The only thing to add is to rinse and repeat as it's a process as you form, storm and norm.
  • And, continue with the meet and greets into quarterly stakeholder meetings.
  • Also map existing controls against a standard to identify low-hanging fruits, gaps, etc. along with a thorough review of insurance and IR plans and retainers."

10. Rich Mason - President, Chief Security Officer at Critical Infrastructure, LLC - "

  • A very generous share. Kudos to you, Christina. Best of luck on the plan execution, though this reads more like skill in your case."

11. Response to Rich Mason's Post:

  • Yael N. - Office of the CISO, Yass Partners - "High Praise. Execution is complicated. Having a mental model is a key starting point. I liked this. Keep us Posted"

12. Anatoly Chikanov - Director of Information Security, vCISO, Enel X - "

  • A good and interesting list Christina S., but I'm curious as I didn't really see anything about budgeting. How do you address that area for example if you join mid-year when budgets are set etc.? Do you try to work within that established timeframe, or push for new stuff? A lot of deliverables that are mentioned in #3 would be based upon what resources you have as well. Gary Hayslip, this might be an interesting discussion for you to follow as well."

13. Response to Anatoly Chikanov's Post by Gary Hayslip - Global CISO for SoftBank Investment Advisers & SoftBank Group Corp.:

  • "Anatoly Chikanov?thank you for the mention my friend, yah I have written on this subject and posted articles and mind-maps on the 30-60-90 day plans. I like what?Christina S.?has done, especially partnering with the business. For a CISO to be effective, they must build partnerships with the business to build trust and tune their plan/program to what the organization needs to be successful. You can't do that well unless you meet with peers, partners, stakeholders, leadership, etc. and she does a great job documenting how she embraces that approach."

14. Idris Odutoye - Technology Advisor, Leader, at ATA Trusted Advisors - "Meet with my Trusted Advisor to discuss any gaps in strategy and which solution providers are in the market to help close those gaps. If you don’t have a Trusted Advisor, I recommend interviewing a few to see if they can provide additional value to you and thus your organization."

15. Response to Idris Odutoye's Post:

Ryan O'Mara - VP of Finance & Operations, Atlas7 - "Knew if I read through the comments someone would have beat me to it. As part of meeting with outside advisors, I would include learning the current procurement strategy and vetting alternatives. Sitting in the higher mid market leaves you to decide a more enterprise strategy (mostly direct) or a more mid market strategy (leveraging IT resellers/partners). Choosing correctly can extend your budget by 20% and save you a lot of time vetting or implementing the wrong tech."

16. Walter Haydock - "Awesome - thanks for sharing. This is super actionable and helpful to aspiring CISOs!"

17. Michael Baker - Vice President, IT Chief Information Security Officer (CISO), DXC Technology - "Love this.

  • Getting started can be daunting for many people! Great how you documented your commitment to active listening right out the gate. There is no rush to transform if you don't spend time listening and learning"

18. Dr. Tom Chebib, PMP, PMI-ACP, CSM, SAFe, CMMC-PA-PI - VP, Security Controls, at 花旗 - "Very structured approach, thank you for sharing.

  • I would also consider the enterprise's risk appetite and risk tolerances as part of your strategic roadmap. They can also be part of your top risks/prioritized short-term projects."

19. Mark Potter - CISO, Backblaze - "Excellent 90 day plan. Thanks for sharing!

  • Something else I like to incorporate into my meetings with stakeholders is whether there are pain points we might be able to help with."

20. Chase Valentine - Security Adviser II, ExtraHop - "Looks really solid and can be adapted across industries.

  • I am big on ensuring frameworks are followed. Security scorecards and top risks are great and underrated.
  • Security Hygiene reports and Executive Threat Summaries are so important for the enterprise as well."

21. Lester Chng, CISSP, PMP - Senior Advisor, Financial Crimes Unit Exercises, 满地可银行 - "Learn how to run Cybersecurity & Crisis Mgmt Exercises!"

22. Matthew Chiodi - Chief Trust Officer, Cerby, Former CSO at Palo Alto Networks: "

  • This illustrates why weeks 1-4 are likely the most important weeks of a CISO's career. If done right, it sets you up for success for the rest of your time there. Well done Christina! Now let’s get you on the Cloud Security Today podcast to talk through it!”

23. Dr.-ing Shrinivas Kulkarni (Pursuing PhD - Cybersecurity) - Cybersecurity Governance, Risk & Compliance, Bombardier - "Amazing post Christina S. - Thanks a lot. In my humble opinion -

  • 1st step in the 100-day plan is - Follow the money.
  • Get to know how money is earned in the company. This way, it is extremely easy to understand the biz processes and associated systems.
  • Also, gain control over current Security Operations.
  • The ex-CISO might be driving the operations in a different way than you would've expected.
  • 100 days plan starts with 1st day - Gain Control over SecOps on mission control assets."

24. Terrance Cooley - Chief People Officer | CISO | SSYAF Resource Parent | Cybersecurity | Crisis Counselor | DEI | Vinyl Enthusiast - United States Air Force - "

  • An excellent framework. The only step I add is a climate check - do I have top performers who are abrasive, low morale, what is the level of trust vs micromanagement in the environment, does everyone feel included, etc?
  • Usually, by week 4, I've got a strong sense of where I need to make adjustments and act accordingly."

25. Parker Brissette - Trusted Cybersecurity Advisor, GRSee Consulting - "Very insightful.

  • I'm sure it is implied in your first 1-4 weeks plan but I would highlight that the very first thing to understand is where the security program enables the business. Is it sales and customers, compliance with regulations, etc.? Many get caught up in going big that they forget that maturity comes in stage 5. Get to the basics in stage 1."

26. Steve Weltman, CISSP - Global CISO Team, Security and Compliance Strategy, Imperva - "

  • This is golden and a solid plan that fits anywhere with a tiny tweak here or there to fit the current org. Thank you for posting this; I totally agree on the value of the strategy and adapting from the current program to the future state."

27. Will Nanse - @North Georgia Organics - "More focused on the first-day plan: 'Hey ops team, any active events, incidents, or breaches?'"

28. Jordan Wigley - Director of Tech Alliances, SimSpace - "I see some very great points under the section "Assess Security Program Maturity," that I wish every CISO would include in their initial onboarding research period."

29. Sheri Lilley, CBRM, CSPO, CSM - Director, IT Business Partners, Epiq - "

  • If there is a Business Relationship Manager function, engage those partners early. The #BRM or #ITBusinessPartner embedded with your business stakeholders can provide insight into pain points and challenges."

30. Nathaniel Morris - Executive Technology Coach, EQ Digital - "Great "Quick Start" list! Every leadership role should have this type of guideline to help set expectations, acclimate quickly and create immediate value."

31. Nick Reva - Security Engineering, Snap Inc. - "Solid.

  • I would 2-3x the timelines in a large org and more for companies that build high-stakes software.
  • For engineering companies, the depth of detail and nuance is going to be very high so allow yourself ample time to ask and parse. I think this is sized to smaller < 500 person companies. This would look slightly different at a 5000-person engineering company."

32. Jamison Nesbitt - Founder, Cyber Senate & Climate Senate - "Assuming in one of these categories would be 'Identify most critical assets'?"

  • Christina Response - "Yes, agree Jamison Nesbitt. Initially had “Identify, Protect, Detect, Respond, Recover” next to Technical controls. Agree, “critical asset identification is step 1.”"

33. William (Wil) Klusovsky - Cybersecurity Executive Leader, Avanade - "Day 1: risk assessment starts (or I get the results of the current one) so I know what I just signed up for."

34. Nafis Muhammad - CISO & Security Advisor, at Security Journey - "Amazing plan Christina Shannon, I love it. You are a visionary. Keep up the amazing work.

  • I would like to add how I think about building a security plan. I live and breathe it and post about it. Think of building security as a culture and building it from within. Security is not just a security team problem, it’s something that everyone in the company should think about. If everyone in the company has base level knowledge of security, it makes it easier to communicate. It’s about building security layers. It’s like the Ford assembly line. I would love to have a more detailed conversation about it in the near future."

35. Timothy H. - Information Technology Management | Information Security Management | Cybersecurity Professional at Micro Netz Inc. - "

  • I really enjoyed this post and the contributing comments. It's refreshing to know others will provide guidance and share ideas to help improve a community (Cybersecurity on this post) of their peers. I will keep these post points (and contributors' comments) in store and continue to use them whenever I obtain my first CISO role. Thank you for your insights. Great post!!!"

36. George Johnson, CISSP - vCISO Independent - "I would add one additional element as an outcome of the meeting with sponsors:

  • The development of the security charter (a living document that others have rightly pointed out can/should change over time through program reviews). The gap analysis identifies what you aren't doing but doesn't do it within the context of the overall program. The charter serves to identify what the program will do, and what it won't do. Where it touches the organization and where it does not. It is critical for the executives to know what areas are un/underfunded as identified in a charter (which identifies all practices that should be accomplished) and which areas are well practiced.
  • Unfortunately, there isn't a lot of agreement on the naming of all the practices (many lists to choose from) and the naming conventions of the staff that performs the tasks. The charter can help structure the budget and bridge the risk discussion into $$$ with the CFO in order to move the discussion from a technical landscape to a financial/business landscape."

37. Ulf Wollenweber - CISO, Deutsche Börse - “Great insights and highly valuable advice, Christina! Thanks a lot! I'll add:

  • Leading by example, with kindness and empathy.
  • Focusing on building the security culture right from the beginning (as it sets the foundation for quite some other things; takes more than 100 days, I know...)
  • Always having a delivering added value mindset in terms of enabling the business to operate with peace of mind."
  • Christina S. Response - "I am making my way through the comments and missed this one… Thanks for calling out the need to lead with empathy and kindness, and the importance of culture. There is a lot of wisdom in this response, and thanks Ulf Wollenweber"

37. Chip Block - Vice President and Chief Solutions Architect, CSS (Converged Security Solutions) -

  • "This is very good but it should go to the CEO more than the CISO.?Almost all the new CISO situations I have seen start with a fire drill and the key things you have here get pushed off and, unfortunately, never seem to catch up."

38. Karen Tulloh, PMP, CISSP, CISM - AT&T Cybersecurity - "This is wonderful."

39. Andy Ellis - Advisory CISO, Orca Security - "Well timed - I'm in the middle of writing up a How-To guide for the first 90 days, and I'll definitely be cross referencing your list against what I've already drafted. I think the things that jump out at me to add to your list are:

  • Meeting & preparing for the board
  • Understanding the company (I think you implicitly have it, but learning what moves you might make that the company would just reject is important)
  • Map your company's assets, and compare your security program against the assets (to identify where solutions that sound great aren't actually covering assets)."

40. Uilson Souza - MBA - Information Security Governance Specialist, 玛氏食品 - "Not sure if privacy comes to the scope, but, understanding what the data privacy team is doing is also important to measure the security maturity."

41. Dan Didier - VP, Solution Engineering, GreyCastle Security - "I'm wondering if you've accounted for meeting with customers to get their insights. This can be a real eye-opener and quite a complement to what you hear internally."

42. Monty Santiago, PMP - Information Security Executive, Avertium - "Not all companies are created equal, so understanding their business, most important assets, risk tolerance, decision makers, security culture, etc. will help you develop a security strategy that fits their needs."

43. Sanjay Deo - President & Founder, 24By7Security, Inc. - "With all items equal, I vote for item #2 to be most critical!"

44. Mor Asher - CISO, 1ProTech IT, Cyber Security, and Regulatory Services - "Culture eats strategy for breakfast. No mention of a better understanding of the culture so while all good things are written, this crucial part is somewhat missing. Strong suggestion :-)"

45. Christopher Montgomery - Digital Transformation & Strategy, VMware - "I appreciate that you call out meeting with strategic partners and vendors. In my first CISO role, assessing third-party risk was vital, but also difficult because there was no framework in place, and the culture was not mature enough to understand its importance. The CISO's role as a change agent cannot be understated."

46. Azeem Alvi - Endpoint Security Consultant @Axe Security Group UK - "This is great.

  • Under Goals, you could also add Financial Planning which includes ROI. Stakeholders like to support but underestimate the finances required. A security function should have adequate budgets upfront and not retrospectively provided following dire circumstances. In my opinion, I have seen it too many times.
  • Best to take a broader view with a business mindset I believe is also valid for security professionals at the highest levels."
  • Christina Shannon Response: "So true on the need to plan a budget. I interpret your post as “run your department like a business” well said and thanks"
  • Azeem Alvi Response: "Indeed. Taking a broader view with a business mindset I believe is also valid for security professionals at the highest levels."

47. Dhruv Lakhotia - Associate Director, Business Continuity & Resilience, Cyber Security & Data Privacy, 普华永道 - "We may also consider:

  • About the ongoing Business, IT Operations projects, and their roadmap to have an overview of ongoing and upcoming technologies or business decisions that may impact the IT & Cyber Security posture. Also to determine if the IT & Cyber Security panel (CISO) is involved in discussions and decisions prior to the adoption of new tech and also business decisions that may impact overall Information & Cyber Sec.
  • As-is vs To-be target organizational and governance model of CISO function
  • Ongoing Security projects and the blind spots in them (inadequate or incomplete coverage)
  • Discussions with the business to understand the length & breadth of IT, i.e., if there are footprints of IoT, OT, adoption, or usage of emerging tech so that situations can be avoided where business takes independent decisions on tech adoption without understanding the IT, Information, and Cyber risks."

48. Kenneth "Matt" Hirzel - Director, Opportunity and Pursuit Lead, CGI - "Great initial framework and lots of good comments added as well. While I'm not a CISO, I think the rationale you provided in the framework makes sense. Looking forward to seeing your second version of the framework with added comments. Thanks for sharing!"

49. Jan Billiet - Director, Data Protection Officer, Booking.com - "

  • My (admittedly blunt) 5 cents (and perhaps I missed this in the post and the many comments): propose to add ‘really understand (and help the security team understand) the business process, tech and security architecture’ (which is easily a 100+ day learning curve BTW with lots of ‘go see’ recommended). Without it, the informational baseline may be just ‘marketechture’…
  • It takes time (and more than a P&L) to understand how a business really earns and spends money, how the flow of goods/services, people and data is really organized, and how the security stack (people, process, technology) is really (to be) organized AND aligned to support all of this both strategically and operationally. Without this, there are likely to be blind spots that may quickly derail several steps (present the plan, execute the plan, etc.), needed or even overdue strategic investment and practice decisions that are sidestepped, issues of empathy (e.g. with actual customers), continuous process improvement quality time on core capabilities that do not have the rigor they need and worse. Can catch up with anyone pretty quickly…"

50. Henrique Guapo - Chief Information Security Officer, Generali Seguros - "Solid publication Christina S.!

  • I would add a very important point: an awareness program to, firstly, assess the maturity of the security culture and secondly, to involve the weakest element that can jeopardize a security program: people."

51. Eliot Baker - Host of the CISO Sandbox | League Commissioner of the CISO Phish Bowl | Director of Content Marketing, Hoxhunt - "

  • I just love this series! This is really an ambitious project you've undertaken with your fellow CISOs Christina Shannon! And, I can't help but nod my head and smile at Henrique Guapo's answer: "Henrique Guapo - Chief Information Security Officer at Generali Seguros - 'I would add a very important point: an awareness program to, firstly, assess the maturity of the security culture and secondly, to involve the weakest element that can jeopardize a security program: people.'"
  • I also love your *Resources footnote. This is a highly valuable playbook you're putting out to the public Christina Shannon. Bravo! I sense there may be a cybersecurity-and-sports tie-in to developing effective playbooks worthy of a live show"

52. George Kamide - Senior Director, at SafeGuard Cyber - "

  • To Henrique Guapo‘s point that the awareness program isn’t just a check box but a yardstick by which to measure the “security culture” and its maturity in an org
  • And Dr.-ing Shrinivas Kulkarni (Pursuing PhD - Cybersecurity)'s fundamental “follow the money” point. Controls are only as effective as how connected they are to the core business and what the CEO/COO/CFO cares about"

53. Mark Gil Mercado, CEH, CISM - Senior Information Security Lead at First Advantage - "With the rollout of the 100-day plan that you shared, how long does it usually take for an organization to see some improvements?"

  • Christina S. Response: Thanks Mark Gil Mercado, CEH, CISM - "Personally, I think timing for benefits is situational and directly tied to your business’s culture and focus. It’s also dependent on the strategy for addressing risk. For example, do you first go after “quick wins,” light in effort, or are you implementing a year + microsegmentation project (joking)"

Mark Gil Mercado, CEH, CISM Response: "It's probably tied to the culture and support of the business. Thanks for your response and all the best on your CISO role at @SPS Commerce, @Christina S."

54. John Donahue - Cybersecurity Professional | CISSP | Transitioning Sailor - US Navy -

  • "Reading this from an aspiring CISO’s perspective is very enlightening. I have read many different perspectives of what “right” looks like and I sit here in agreement with your goals. I especially like goals 2-5. Building trust as a leader is essential and you do that by showing what value you can bring to an organization, i.e. providing the gap analysis from goals 4&5."

55. Angel Cruz - CISM, CRISC, Former Public and Private CISO / Retired US Navy Senior Chief / Interested in transitioning to a Security Advisory/Audit/GRC role -

  • "I do like this quite a bit - you've captured all the major themes that need to be fleshed out. Perhaps there is a place to articulate "understand the organization's risk appetite and pain thresholds re: security investment" but this may be inferred."

56. Keyaan Williams - Board Member | Risk Executive | Strategist | Executive Coach | Consultant | The Funniest Man in Cybersecurity - Managing Director at CLASS-LLC - "

  • For #5, I recommend NIST SP 800-55. It is the best guide I've seen for developing and tracking security metrics that are tailored to a specific organization."

57. Kurby Brown Jr - Director of Information Security at @Sourcepoint - "This is pretty awesome. I see a few items here I can use to incorporate into my existing plans. I would add reviewing the latest BIA to identify those critical systems and processes that are most important to the business. Thanks again."

58. Uttam Jha - Enterprise Architect, Defence Australia - "BTW love your disclaimer. Yes, we can't have a one-size-fits-all, however a baseline is always good. My 2 cents is current state posture is also very important. We need to review the compliance and checks in place, as we can deal with perceived threats but the main killer is "unknown threats", the sneaky ones, which can always catch us off guard. I guess #1 - Risk register and #3 covers this. :)"

59. Austin Stubbs - Director & Principal Consultant, Cyres Solutions - "

  • The time frames mentioned would be hugely dependent on the level of maturity you are walking into. Understand some places may have very few of the items readily available.
  • In some places, the 'Assess Security Program Maturity' task can take a few months to go into any real depth especially if some of the controls are embedded within a business you have no visibility of 'yet'.
  • The First 100-day plan is all about relationships with your team, management, steerco, and industry to get a lay of the land and understand how your new business actually works."

60. Baskar Maruthai - Senior Manager, at HCLTech - "Sounds good, I believe these plans would fit most CISOs who really want to improve security and protect valuable assets of an organization"

61. Pete MacKay - Engineering & Cyber Security | Embedded to Cloud | Building People & Products - "Would be interested to know the diff between ransomware readiness and general incident response, especially re validation (Review? Table-top?)?"

  • Christina Shannon Response - For "ransomware readiness," speaking to the need to classify ransomware attacks as a “Hazard" that requires separate handling from risks typically addressed in ERM meetings. Quantifying an organization's risk for the interruption to business operation must be prioritized as the first focus, especially in organizations with legacy systems (most). In terms of difference, I think both exercises (table-top) are an important part of effective IR & crisis management strategies.
  • I want to know in the event of a ransomware attack, if the protect/detect/respond controls fail, can my business recover? I want to know whether an attacker can exploit a cloud misconfiguration to gain privilege escalation and move laterally to the data backups and storage. I want to know that data backups are segmented (and/or off-network periodically), and mostly, I want to test to prevent a disaster for the business."
  • Pete MacKay - The reason I ask is that I tend to use ransomware to educate on the broader risk of malware. IMO the 'ransom' aspect is a distraction, because malware risk is the same as ransomware risk, just with a different manifestation, so the 'ransom' discussion is just a foot in the door. Separately there's a conversation on 'should we ever pay ransom?', and that's the opportunity to educate that the risk and problem doesn't remediate itself with a mere payment. I believe exfiltration is a much bigger risk (and impact) than ransom demand... especially if it's done without a visible ransom demand.
  • Christina Shannon Response - Pete MacKay, thanks. I think we are saying slightly different things, and neither wrong. Just preference :) I focus on understanding the business impact risk of ransomware holistically for an organization as a top priority before breaking out the IT Risk board deck and controls review. Ransomware, in my opinion, took us from minor adware "Joke of the day" malware attacks, to simply shutting companies down.
  • I think we still live in the day where a lot of businesses don’t classify data (SMBs especially), and I agree that exfiltration heavily impacts reputation and can be severe. A business can’t make revenue if operations are interrupted too. If I am tasked to run a security program, ransomware will be my first priority to understand risk exposure in hybrid environments with legacy. If it's an environment that lives 100% in the cloud, I wouldn't put ransomware at the top of the priority list as ransomware attacks aren't happening in the cloud as much."

62. Martin O'Neal / CEO / CTO - "

  • I'd say that was a pretty good overview, but my 2p observation would be to say that based on what I have seen out in the trenches, on numerous gigs, is that most security programs stall or fail due to lack of buy-in, or lack of resource, in peer departments.
  • What do I mean by that? New security programs actually tend to make a bit of work for the security department, but loooooads of work for peers, like IT Ops. And it's not like they're sitting around: the IT Ops team is generally already busy, so rolling up with a huge program of security work means something else is going to get bumped, or it'll just get queued and happen whenever.
  • When I'm pitching for a CISO gig (or as an adviser to one) I often ask about the general budget, as if there isn't a sufficient increase to cover the likely work, then it doesn't matter how enthusiastic or supportive the sea-people are, because the program is just going to stall and be frustrating for everyone involved."

63. Daniel Desages - CyberOps TL at Aqua Security - "

  • Great source! Another element is you probably are not the first CISO there.
  • What are your thoughts regarding CISO handover, looking at the existing program? Most CISOs I've worked with tend to begin from scratch every time."

64. Naveen Vasudeva Founder and CEO at The CyberTree Paradox - "

  • This is really great advice, Christina S., for those that are going into their first CISO role; it will be very helpful.
  • If I can add to this, and help simplify a little, in my experience one of the key things that a CISO needs to do when starting in a new role is to listen! In a basic sense, like we teach kids to cross the road: Stop! Look! and Listen!
  • 100-day plans work well if they are only aligned to a company's business strategy; understanding the current to the future state is important, but baselining the executive sponsors' understanding of what needs to be achieved is something different. This of course works for large corporates or enterprise businesses. It would not apply to the majority of SMEs/SMBs, and even some enterprises as well. They may not have the teams in place to support some of these, they may not have the budgets in place, and they may lack support from the outset. So what has motivated that business to hire a CISO in the first instance: a need to evolve an understanding of their business risk, or a reaction to a breach? The drivers impact the way the CISO is put to work and activity is prioritized.
  • The one key takeaway from your list which I think is a super great message is about collaboration! "

65. Iain K. - Chief Risk Officer at UWorld - "Regardless of whether it’s your first or fourth CISO, or any other C-suite role, there is a lot to take away from your thoughts. I read your post with a lot of agreement and reflection, regardless of the role."

66. Jamison Nesbitt - Founder Cyber Senate & Climate Senate - "Assuming in one of these categories would be "Identify most critical assets?"

Christina S. Response - "Yes, agree?Jamison Nesbitt??? Initially had “Identify, Protect, Detect, Respond, Recover” next to Technical controls. Agree, “critical asset identification is step 1”

67. Alex Christophe Sales Director at AuthN by IDEE - "

  • In French, we talk about a "secret de Polichinelle" for something that is not a secret to anyone but you normally don't talk about this knowledge.
  • Here is one: phishing is the root cause of 80% or more of cyber incidents.
  • Here is a 2nd: 7/10 ransomware propagate using phished credentials.
  • Not being a CISO - but happy to learn from you - is there a reason one of the earlier steps is not "evaluate every single vendor based on their factual (e.g. a thorough parse through MITRE) effectiveness in eliminating phishing"?
  • Or is managing the "as-is" or status quo a dominant prerogative of the CISO's role?"

68. Joel Dixon Sales For Large, Enterprise, and Strategic Accounts! - "This baseline is amazing for Account Executives that are genuinely interested in helping organizations' security footprint. And now we can understand the psychology of a CISO and their world."

68. Valerie Darling CEO | CBO | CCO | Board Director | Bilingual Biotechnology Executive | Oncology | Diagnostics | Venture Capital | SVP Sales and Marketing | Revenue | Strategy | Business Development | Diversity | Spanish | Digital |Cyber Tings Capital - "

  • This is an excellent First 90-100 Day plan for a new CISO, #cybersecurity or risk expert, or any executive new to a role (adapted to their dept: Tech, Marketing, Sales, BD, etc), Christina.
  • The add-ons from several who commented are solid to add to the plan (i.e. Nick Ryan).
  • Great source, too: "The New Leader's 100 Day Action Plan" by George Bradt, Jayme A., John Lawler.

69. Ray Vazquez - Vertex11 - "When you meet with the leadership it is important to understand early on what the true risk appetite of the organization is. Don't just listen to what they say, but look at the metrics around Patch Management in particular to provide you independent insight into the amount of risk the organization likes to carry. The risk view is the root cause of the answers to the other questions you have for your team."
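One way to turn the patch-management metrics Ray describes into an independent read on risk appetite, as an added example that is not part of the original post or any commenter's material: the asset inventory, the per-severity SLA thresholds and the tolerance labels are all constructed assumptions that a practitioner would replace with the organization's own policy values and vulnerability-management data.

```python
"""Patch-management metrics as an independent signal of risk appetite.

Added example, not from the original post. The inventory below is constructed,
and the SLA thresholds are an assumed policy, not any vendor's or org's values.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed internal patch SLA in days, by vendor severity (constructed policy).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class PendingPatch:
    asset: str
    severity: str            # critical / high / medium / low
    released: date           # when the vendor published the fix
    applied: Optional[date]  # None = still unpatched


def age_days(p: PendingPatch, today: date) -> int:
    """Exposure window: vendor release to application, or to today if still open."""
    end = p.applied or today
    return (end - p.released).days


def sla_report(patches, today):
    """Per severity: count, SLA breaches, breach rate, median exposure, still-open count."""
    report = {}
    for sev, sla in SLA_DAYS.items():
        items = [p for p in patches if p.severity == sev]
        if not items:
            continue
        ages = [age_days(p, today) for p in items]
        breaches = sum(1 for a in ages if a > sla)
        report[sev] = {
            "count": len(items),
            "breaches": breaches,
            "breach_rate": round(breaches / len(items), 2),
            "median_age_days": median(ages),
            "open": sum(1 for p in items if p.applied is None),
        }
    return report


def risk_appetite_signal(report) -> str:
    """Coarse label: the higher the critical/high breach rate, the more risk the org
    actually tolerates, whatever its stated appetite. Thresholds are assumptions."""
    crit = report.get("critical", {}).get("breach_rate", 0.0)
    high = report.get("high", {}).get("breach_rate", 0.0)
    if crit > 0.25 or high > 0.5:
        return "high tolerance"
    if crit > 0.0 or high > 0.2:
        return "moderate tolerance"
    return "low tolerance"


# Constructed sample inventory (placeholder asset names, no real vendor data).
TODAY = date(2022, 9, 1)
SAMPLE = [
    PendingPatch("web-01", "critical", date(2022, 8, 1), date(2022, 8, 10)),  # 9 days, in SLA
    PendingPatch("web-02", "critical", date(2022, 8, 1), None),               # 31 days, breach
    PendingPatch("db-01", "critical", date(2022, 7, 1), date(2022, 8, 20)),   # 50 days, breach
    PendingPatch("app-01", "high", date(2022, 7, 15), date(2022, 8, 1)),      # 17 days, in SLA
    PendingPatch("app-02", "high", date(2022, 6, 1), None),                   # 92 days, breach
    PendingPatch("hr-01", "medium", date(2022, 5, 1), None),                  # 123 days, breach
    PendingPatch("kiosk", "low", date(2022, 2, 1), None),                     # 212 days, breach
]

if __name__ == "__main__":
    rep = sla_report(SAMPLE, TODAY)
    for sev, row in rep.items():
        print(sev, row)
    print("signal:", risk_appetite_signal(rep))
```

The point of the exercise is the comparison: if leadership describes the appetite as low but two of three critical patches sat past SLA, the metrics are the more reliable answer to the question Ray poses.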

70. Mike Stead - Vice President, Client Solutions at Optiv - "

  • Don’t forget, you need to understand the business first. What makes your company money? How do you protect that vs the easy answers of “data” or “credit cards” — that’s only half the battle. Who are your customers and how do you protect them and make them feel that your company values their security and privacy?
  • What business processes are critical to the success of the company and your client interactions? Are those resilient and secured enough to withstand today's adversary? If you don’t know that, then what are you protecting, why, and are you really prioritizing the most critical aspects of your business, or pandering to “securing data?”
  • A lot of CISOs don’t truly know how their company operates, or how revenue is actually generated, they just focus on compliance and basic “data security” platitudes. That’s fine, but when you can truly interface with your CEO, Board, or any other top exec in a way that expresses why your need/program/change is paramount to THEIR success in language and in a manner that illustrates how your initiative will make them successful…..now you’ve won."

71. Daman Talwar - Client Relationship Manager at 高知特 Cognizant - "Govind Prabhu, this is an excellent example of 30-60-90 day plans we discussed a few months back."

72. Phillip Kittelson, MS, CISSP, PMP, GSTRT - "Awesome list, and seems to be driven by your real-world experience as a CISO. One thing I’ve heard: is bad CISOs don’t know how the org makes money and would recommend a strategy that obliterates advantages over the competition. What are your thoughts? "

73. Yehuda Cagen - Senior Director of Marketing at Ostendio - "What about creating a plan to operationalize security around your people?"

74. Colleen Kranz - Senior Director of Demand Gen, Renodis - "Ok, this collaboration and knowledge sharing is just awesome!"

75. Tony Sadder - Cloud Security Sales at Lacework - "

76. Leland Cogburn Director, Information Security | Vulnerability Management | Data Loss Protection | Cyber Strategy - "

  • It's a great start and would like to see some taste of reality embedded to focus a bit on execution. Many times we plan, make plans, and present plans, but discussions around execution, how to make it happen, or how did we do on executing and meeting our goals… don’t get talked about as much.
  • Thirty years of experience helps one adapt and be resourceful on what works and what doesn’t, as every company is different. We have to assess the organizational maturity and appetite for risk, and dependence on the information. The nuances are real and will make or break a new leader.
  • I noticed measuring and reporting were glazed over quickly. I would add, measure what you need to know but report on what you want to change- and then tie that back to overall company goals.
  • The Board is also present in most companies and you certainly want to involve some collaborative efforts with leadership. If there are frameworks in place already or the company is ISO or some other framework, you probably only need to understand perspectives. I find that the unique relationship with Board members is imperative as they provide information on such things as effects on strategy, public reputation, and fears of scrutiny (or not). "

77. Dmitriy Sokolovskiy, VP & CISO at Avid - "Somewhere in these great points, there should be one that says something like:

  • Maintain recurring times on your calendar to reassess your progress against this plan, and reprioritize as needed. Too often we dive into the WORK and forget what the JOB was supposed to have been in the first place"

78. Percy MacDonald, Digital Transformation Expert, at Workspace 365 - "

  • +1 for part 4. Marks & Spencers had a director who said (forgot his name) "customers aren't loyal. We must earn their loyalty every single day."

79. Borislava Althea Tatchev, Senior IT Architect & Advisor, Director and Founder, at Alqubit - "Without knowing yet the levels of inefficiencies, the level of resistance to change, the level of the real leadership sponsorship that you've been given, any plan is pointless."

80. David Ethington - Information Technology Security Manager at 3Degrees Group, Inc. - "You should be at least thinking about that during the interview process. As they explain things, start thinking about some preliminary ideas. Sure, maybe none will come to fruition due to not having enough insight, but maybe a few will. Besides, it doesn't hurt to think. (Unless you have a headache, then it hurts)."

81. Troy Fine - Senior Manager Cybersecurity Risk Management and Compliance at Drata - "

  • I think it is touched on above, but I think understanding the “security culture” is an important first step. Talk to the security team, talk to leadership, and get a feel for how security is viewed. Is it a “cost center” or does the business understand that security is an investment in the business and is a business enabler? In my opinion, this will be the most important aspect for a CISO's success.
  • I have never been a CISO, so just my 2 cents, and I like adding my 2 cents without being asked."

82. Schuyler Purdy, MBA - Sales Development at CSPi Technology Solutions - "Great stuff, Christina. Really love Michala L.'s examples of some useful questions to ask. The most successful organizations are in sync at every level and understand their goals/limits, so it’s crucial to have a feel for what stakeholders may expect to see."

83. Brian Waltermire - CEO / Principal at Asgard Managed Services - "I love the outline. When you hit ransomware readiness give me a shout. We innovated on top of Veeam, #1 Gartner magic quadrant, to include secure DNS to protect the network and all VCSP connections. No #ddos or rogue personnel."

84. Jay Ribeiro - US DOT Chief Information Security Officer (CISO) & Associate CIO, Georgetown University SCS Professor, - "

  • Awesome and super helpful. Thanks Christina Shannon!!! What about the T minus the first day? Anything that you can recommend besides the ones mentioned already like getting to know the business from the outside? Any thoughts on reaching out to key players before your first day? Is that recommended and if it is, what do you ask and what do you do with their answers? Can’t wait for your new and consolidated post! Thanks again."
  • Christina Shannon Response - "I love how you moved the planning cycle before the start date. Do you have specific tips from your experiences, Jay Ribeiro, LinkedIn community? I have done this, and think it’s a good idea. I didn’t get the “preplanning” opportunity my last two stops (situational), and saying I may not be the best one to provide the guidance, but think we have an awesome group of collaborators here to help."
  • Jay Ribeiro - "Christina Shannon, I read and watch anything that’s publicly available about the organization. Learn about my leadership as well as my direct reports if I am provided their names somehow. Getting to know my leadership, specifically their dos and don'ts, could help a lot when you’re trying to build relationships and credibility in your first weeks on the job. Not sure what else others do though."

85. Krishna C. Katragadda – Founder & CEO at @DaXlens – “Christina Shannon, great roadmap. How about understanding the company culture, practices/norms?”

86. Dr. Carol Q. - Senior InfoSec Engineer, Security Consulting Team Leader Principal Financial Group – “

  • Also, what should we 1) Stop doing, 2) Start doing 3) Continue doing?”

87. ?????? ???????????????? (MsIT/GrDp-Forensics) - Author: ???????????????????? ???????? (???????????????? ??????) and Emergency Response (CERT - IT/OT) – "

  • Brilliant and insightful. Just curious, if conducting a SWOT analysis for the whole security program and the team would be relevant to learn about the People, Process and Tools?
  • Also, how about doing a Threat Modeling with the MITRE ATT&CK framework against the current/existing security tools towards defense-in-depth? Thanks. Just thinking out loud.”
  • Christina S. Response: "I love the addition of performing SWOT analysis and adding Threat Modeling to the plan. Thanks, ?????? ???????????????? (MsIT/GrDp-Forensics) :)"
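Turning the suggestion above, threat modeling with MITRE ATT&CK against the tools already in place, into a concrete defense-in-depth check, as an added example that is not from the original post or any commenter: the technique IDs and names are real ATT&CK entries, but the tool inventory, the tool names, and which technique each tool detects or prevents are constructed placeholders standing in for a team's own detection content and vendor documentation.

```python
"""ATT&CK coverage gap analysis for defense-in-depth.

Added example, not from the original post. Technique IDs/names are real MITRE
ATT&CK entries; the tool-to-technique coverage map is constructed for
illustration (placeholder tool names, assumed capabilities).
"""

# A short kill-chain slice keyed by ATT&CK technique ID (real IDs), each with
# the tactic it sits under and its technique name.
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1078": ("Persistence", "Valid Accounts"),
    "T1059": ("Execution", "Command and Scripting Interpreter"),
    "T1003": ("Credential Access", "OS Credential Dumping"),
    "T1021": ("Lateral Movement", "Remote Services"),
    "T1048": ("Exfiltration", "Exfiltration Over Alternative Protocol"),
    "T1490": ("Impact", "Inhibit System Recovery"),
    "T1486": ("Impact", "Data Encrypted for Impact"),
}

# Constructed inventory: which control claims what against which technique.
# "detect" = alerts on it, "prevent" = blocks it. Tool names are placeholders.
TOOL_COVERAGE = {
    "email-gateway": {"T1566": "prevent"},
    "edr": {"T1059": "detect", "T1003": "prevent", "T1486": "detect"},
    "siem": {"T1078": "detect", "T1021": "detect", "T1059": "detect"},
    "mfa": {"T1078": "prevent"},
    "immutable-backup": {"T1490": "prevent"},
}


def coverage_matrix(techniques, tools):
    """technique_id -> {tool: control_type}, including techniques nothing covers."""
    matrix = {tid: {} for tid in techniques}
    for tool, claims in tools.items():
        for tid, ctype in claims.items():
            if tid in matrix:  # ignore claims about techniques outside the model
                matrix[tid][tool] = ctype
    return matrix


def gaps(matrix):
    """Techniques no tool covers at all: the first thing a threat model should surface."""
    return sorted(tid for tid, tools in matrix.items() if not tools)


def single_layer(matrix):
    """Techniques covered by exactly one tool: a single point of failure, not depth."""
    return sorted(tid for tid, tools in matrix.items() if len(tools) == 1)


def detect_only(matrix):
    """Techniques that are only detected, never prevented: response time is the control."""
    return sorted(
        tid for tid, tools in matrix.items()
        if tools and "prevent" not in tools.values()
    )


def report(techniques=TECHNIQUES, tools=TOOL_COVERAGE):
    """Summary a team could put in front of leadership next to the tool list."""
    m = coverage_matrix(techniques, tools)
    return {
        "gaps": gaps(m),
        "single_layer": single_layer(m),
        "detect_only": detect_only(m),
        "depth": {tid: len(t) for tid, t in m.items()},
    }


if __name__ == "__main__":
    r = report()
    for key in ("gaps", "single_layer", "detect_only"):
        names = [f"{tid} {TECHNIQUES[tid][1]}" for tid in r[key]]
        print(f"{key}: {names}")
```

Reading the output is the threat-modeling step: an exfiltration technique with no coverage and a ransomware impact technique that is only detected, never prevented, are exactly the findings that feed the ransomware-readiness and vendor-review items earlier in the plan.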

88. Lyall M. - Head of Information Security @NZX – “

  • Under the Assess Security Program Maturity section, one I always repeat to myself is to resist the urge to "do something". Unless you have been hired to deal with a specific fire (e.g., post-breach), the fire you try to put out on day 5 may not be ranked in the top 10 biggest fires you have on your hands by the time you get to day 50.”

89. Rob Dorney - Senior Director at Cybersixgill, a Bitsight Company - "Congrats on your new Role Christina. As part of your vendor review process, if threat intel has gaps on use cases, 3rd party risks, or Overall automated dark web intel. I am happy to walk you through how we close those gaps at Cybersixgill. Good luck with everything!"

90. Brent S Allen - Regional Vice President Rubrik - "

  • I love this collaboration. Spectacular. I am not a security expert by any means. However, one thing has served me well to consider is: jot down my preconceived notions about the business and the org and the stakeholders. It helps get to authenticity when reviewing the answers you note from the questions you posted. Continual interviewing will serve you well.
  • Most people use the thinking portion of their brain only until they recognize a pattern and then begin to theorize based on that pattern recognition. Continual interviewing and writing your preconceived notions down will remind you to pause and think through and not just theorize from minimal interactions."

91. Jan Schreuder - Cyber Security Strategy & Transformation, Co-Founder Cyber Leadership Institute - "Thanks, Christina S., for sharing this so generously - most of your plan resonates with our experience. For those who are looking for additional guidance, please see."

92. Robin Nicholson - Sr. IT Security Engineer @TheSalkInstitute - "You’re going to kill yourself with everything you have listed to do just in weeks 1 - 4. You need time to understand the business: How does your org make $$$? How do you deliver on your budget? How does your org determine success? =BREATHE= Rome wasn't built in a day."

93. Dane Warren - Group CISO at Intertek - “Stakeholder mapping”

94. Boris Berganza - Sr. Account Manager, SLED at Proofpoint - "Step 6. Call Proofpoint :) congrats on the Role Chrissy!!! I’m excited for you!"

95. Dossy Shiobara - Consultant at ButcherBox (+ Additional Roles) - "OMG, I absolutely love asking "what are you hoping that I don’t change?"

  • I mean, I actually love the entire framework you outlined, there's literally nothing on it that I disagree with and everything on the list adds real value as opposed to simply being ceremonial security theater ... but I especially love that question, that doesn't get asked nearly often enough in my experience."

96. Peter Doyle - Senior Manager SAP & Cybersecurity at 埃森哲 - “ Firstly I think I just fell in love. Such a wonderfully structured approach.

  • Secondly, I’d add in some time to work with your direct team (reports) a bit more, connect with them personally. Building and ‘retaining’ a world class (or even Acceptable) team in the current climate is a challenge and one not to be taken lightly.
  • Remembering that you’re only as strong as the team around you, you’ll need their support. So they’re going to rely on yours. If you ever publish a book, I’ll be buying it.”

97. Kyle Weckman – VP, CISO at Kestra Financial - “Where is the business plan to ask for the resources needed to close the gaps?”

Christina S. Response - "I like the granular focus and thanks,?Kyle Weckman. “Investments” broadly covers “headcount, software, hardware, services,” funding needs. The strategic plan outlines top risks, recommendations, budget implications, ROI or Risk / cost analysis. Meaning, I think we are saying similar?"

98. Jason Szot - Manager, Information Systems Meta Special Aerospace - "

  • This is awesome. Thanks for sharing this. Even at a lower level than a CISO, I try to follow similar stages my first 3-6 months. Very well laid out - I may take some of this and incorporate it into my plans"

99. Darren Ritch, CISSP – Principal - Cybersecurity - Chief Security Office AT&T - "

  • Thanks?Christina Shannon?for your amazing post and all the collaboration. There is more gold here than the California Gold Rush back in the day!”

100. Donald Mackert - Technical Director at Research Innovations Incorporated - “Great framework for a plan that can be tailored to a specific organization”

101. Radek Havlis - Chief Security Officer at @Telifonica -

  • "If you were a robot. The timing is totally unrealistic - unless your day has 48 or more hours and you don’t eat, sleep, take care of your family, have some recharging time. Double or even triple the time to plug yourself into the culture of the organization, include needed stakeholder iterations, co-creation to get your team aboard, add some quality, and then you may well succeed. But, indeed, a good structure to start with.”
  • Christina Shannon Response - "Thanks, Radek Havlis. I am starting to wonder if I should remove the timing brackets, or add more to the disclaimer? Definitely agree that timelines and milestones are situational, and the post is a baseline. ??"

102. Avraham Gestetner – Security Assessment, Business Risk Quantification, CYE – “Christina Shannon, this is great and relevant to any leadership role (I use a similar framework for all my CISO roles :)”

103. Sanusi Mutuwa – IT Cloud & Security Manager at Lincoln International – “This is very timely for me as I navigate my new role. Thanks for sharing your experience and laying out a path for others coming after you. Please continue this “mentoring” work. I for one am blessed by it.”

104. Matthew Williams - Sales Director at Transmit Security - "A follow up post on your journey around Goals 7-9 may be interesting in 6-12 months if that’s not too much to ask.

  • It’s not uncommon for CISOs I know to get buy in for their plan “yeah, that sounds good, go execute,” and then the plan requires a refresh where meaningful cross department collaboration is required - “those are your objectives I don’t have the resources to support.
  • Would be interesting if you run into anything similar, if you proactively address them before that happens and how you handle the challenges you don’t anticipate."

Christina S. Response:" ???? ?? Matthew Williams, thanks for engaging. Yes, I will write a follow-up in 6 - 12 months. ????I agree with your point, and it’s a fair callout to say that sometimes your best plans don’t work out. In one of my roles, we went straight in to a major incident investigation within my first few weeks. My onboarding plan was modified to a “crisis management plan.”

106. Joel Krooswyk - Senior Manager of Solutions Architecture, acting Field CTO (Public Sector) GitLab -

  • "Amazing transparency in sharing your plan. I especially like the questions about top relationships and critical vendor partners. Thank you for this post!"

107. Daniel Luechtefeld, CISSP Security Engineering Team Leader at AlgoSec - "Thank you for sharing your experience as a way of virtual mentoring.”

108. Amirul Iman - Threat Analyst, Maxis - "Great proactive plan! Unless you are brought in as a firefighting CISO post major breach"

109. Mitchell G. - BizOps Manager at 德勤 - "Saving this for when I become one! Great information here!"

110. Norm DuBow, CISSP, CCSP, CRISC, CDPSE - Director of Information Security & Technology at SurePrep, part of Thomson Reuters - "Thank you Christina, this is helpful. Question: Where in the process would you meet with key clients (as applicable) to discuss meshing their requirements vs your ability current & future to fulfil? How would you frame this conversation?"

  • Christina Shannon Response: "Thanks,?Norm DuBow, CISSP, CCSP, CRISC, CDPSE, I thought about your question in the lenses of my experiences. Do you mean in the case where a client has security requirements for sharing data and other examples? If so, have consistently seen models where client conversations and security discussions are initiated by the client’s account team, and security serves in more of a risk advisor role. ??"

111. Chris H. - CISO and CoFounder at Aquia - "This is excellent information, thanks for sharing, Christina Shannon."

112. Ryan O'Mara - VP of Finance and Operations, Atlas7 - "Include learning the current procurement strategy and vet alternatives."

113. Guillaume E - CISO at Kroo Bank - "That's a great summary and guidance.

  • A book that has been key for me and that I use for every new role is "The First 90 Days" - Michael Watkins"

114. Steve Cobb - CISO at One Source - "Great conversation, Christina. I'm actually giving a webinar just on this topic on 9/14 at 12:30pm ET at the STRONGER conference, entitled "You're the new CISO. Now what?". I would welcome anyone that wants to have a deeper, live discussion. https://hopin.com/events/stronger-2022/registration"

Monikaben Lala - Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October (3 months) - "Christina, thanks for sharing!"

Konstantinos Andreopoulos - Chief Information Security Officer (CISM, CRISC, ISO27001LI, CISA) at Regnology Group GmbH (5 months) - "Fantastic work Christina S.!!! The CISO community can take many benefits from this article and especially the feedback gathered here. Thank you for sharing. I am currently processing and if I see any worth proposing addition I will contact you"

"great article"
