
A practical guide to your first 90 days as a CISO

2 April 2026 | 10 min read

Statistics on CISO tenure make for uncomfortable reading. Depending on which study you believe, the average security leader moves on within 18 to 26 months, with nearly a quarter of CISOs departing within a year. The reasons are complex, but they rarely come down to a lack of technical ability. More often, they stem from misaligned expectations, burned bridges, and a failure to read the organisational culture.

The good news is that a deliberate, structured approach to your first 90 days - and for fractional CISOs we mean calendar days - can dramatically improve your odds of success. This guide draws on the accumulated wisdom of security executive search specialists, leadership thinkers, and the experiences of CISOs who have navigated this transition successfully.

The Role You Actually Have

There is a lot of variety in roles advertised as a CISO. Rarely do we see a perfect combination of executive status, budgetary autonomy, and a clean reporting line separate from IT or the CIO.

Under these circumstances, your job is often to educate and evolve the organisational perception of security, broadening your influence over time. The technical skills that got you hired matter less than your ability to build credibility, align with the business, and expand the function's reach.

If you are replacing an established CISO, the dynamic changes. The organisation and team may already be at an advanced state of competence. Here, your priority shifts to motivating and retaining team stability, maintaining momentum, and finding new ways for the security function to add value.

Before Day One

Leave Your Last Post Well

Integrate your successor, communicate your choices and milestones, and acknowledge the team you are leaving behind. A graceful exit is not just professional courtesy; it preserves relationships, protects your reputation, and can even create a future talent pool for your new organisation. Your previous employer may one day become a useful hunting ground for skills.

Reconnect and Research

Take the time in your final weeks to reconnect with industry peers and deepen your relationship with your new line manager and HR. Seek out security leaders in your new vertical. Understand the regulatory expectations, the competitive landscape, and the maturity benchmarks you will be measured against.

Write Your Plan

Create a realistic schedule for your first 90 days. This document will bring structure to the initial flurry of inductions and stakeholder meetings, and demonstrate to your new organisation that you have a methodology. Share it early. It builds trust before you have earned it.

Days 0 to 30: Listen, Learn, and Evaluate

You will arrive with a reservoir of goodwill. HR, directors, and data owners all have a stake in your success and want to influence your direction. Some in your own team may be apprehensive. Your job in the first month is to absorb, not to reorganise.

Connect with the Team

Clear, human communication is essential. In your early team meetings:

  • Acknowledge your predecessor's work. Dismissing the past is the fastest way to alienate people.
  • Share something of yourself. Make it easy for others to relate to you as a person, not just a title.
  • Acknowledge uncertainty. Confirm that changes may come, but that any changes will be communicated promptly.
  • Set regular one-to-ones. Invite everyone to talk you through their role, their strengths, and their aspirations.
  • Test incident response early. It is never too soon to review how the organisation responds to an incident. Horror stories of major breaches in a new CISO's first weeks are common - and the damage can take years to remedy.

Finally, pay attention to how your team interacts with the rest of the business. Their mindset should be to facilitate, not block, day-to-day operations. How they conduct themselves with other departments reflects directly on you.

Evaluate Capability

Meet face-to-face with the most influential members of the organisation: budget holders, incident response leads, data owners, and compliance officers. Your agenda should include:

  • Reviewing security metrics and historical incidents
  • Meeting the incident response team and reviewing playbooks (or creating them if they do not exist)
  • Reviewing documentation and change control with IT operations and architecture
  • Testing the understanding of risk across senior leadership in finance, IT, HR, and operations
  • Reviewing recruitment, retention, and performance management issues with HR
  • Meeting external partners, vendors, and regulators to understand their perception of your capability
  • Reviewing commercial agreements and contract scope

Consider engaging an external consultancy to conduct a maturity assessment. A third-party view validates (or challenges) your perceptions, facilitates honest conversations about gaps, and provides evidence you can use to justify future investment.

Days 31 to 60: Harness Influence and Create Visibility

By now you have met most of the key players. You can sense the office atmosphere, identify the informal leaders, and spot who accelerates or hinders progress.

Mobilise Informal Leaders

Formal hierarchy is only part of the picture. Foster ownership by giving quieter or cynical team members meaningful roles: chairing meetings, monitoring data quality, or organising team events. These small assignments can convert sceptics into advocates.

Invite leaders from the wider business to attend security team meetings. Transparency and cross-functional involvement often turn misunderstanding into championing. Follow up by sharing reports, asking for feedback, and offering to attend their team stand-ups in return.

Identify and Celebrate Quick Wins

Before you present your long-term strategy, look for improvements you can demonstrate now. Quick wins might be reducing response times to security events, closing long-standing audit findings, or cleaning up access controls. Document them, give credit to the team, and communicate them clearly.

These early successes serve two purposes. Internally, they build momentum and show the team that progress is possible. Externally, they reassure the board and senior leaders that you are capable of delivering, and they disarm audiences who may be bracing for immediate demands for increased budget.

Consider Building a Universal Dashboard

If the organisation already suffers from dashboard fatigue, modify an existing dashboard rather than adding another. Either way, create simple visuals that anyone in the organisation can understand. A straightforward RAG status covering four areas is usually enough:

  • Risk register status
  • Improvement project progress
  • Security event management
  • Training completion

This dashboard is more than a reporting tool. It is a visual representation of your leadership: transparent, accountable, and holistic. It also gives you a data-driven mirror to hold up to the team during weekly meetings, rewarding progress or rallying effort where it is needed.

Assess Skills and Gaps

Engage HR and recruitment partners to discuss skills gaps, salary benchmarking, and training needs. Look at your team holistically. Bringing in new people without understanding market rates, niche skill availability, and succession planning is a reliable way to damage your reputation.

Days 61 to 90: Reset Direction

Now is the time to convert your observations into a coherent strategy and to deliver on your promise of making necessary changes.

Document Your Strategy

Your new strategy and target operating model should be clearly written and include:

  • Early wins and obvious shortcomings, with plans to celebrate or address them
  • Any new team structure changes, job titles, and hierarchy
  • Policies for selecting and integrating third-party vendors
  • Priorities and initiatives based on maturity assessments and gap analysis
  • A long-term vision aligned to the business
  • Clear connections between security initiatives and wider business objectives, so every team member understands how their work contributes to organisational goals
  • A clear definition of your role as leader
  • An annual schedule for performance reviews

Share a draft with a trusted peer for feedback before discussing it with your executive sponsor. Where your vision impacts another department, pitch it to the head of that department directly. Creating security champions in influential roles early improves the odds of adoption.

Communicate Change

Bring the team together to share your findings from the first two months. Present a visual representation of the new team structure and 12-month objectives, aligned to business and compliance requirements. Ask for feedback on your leadership and the proposed direction.

If restructuring involves exits, communicate clearly and respectfully. Rumour and speculation are toxic to morale. Once those leaving have been informed, gather the remaining team, explain your decisions, invite questions, and reiterate that the new mission begins from that point forward.

Follow up with individual meetings, accompanied by line managers and HR where appropriate. State how you see each role evolving, the resources available, the career path, and any performance issues with a clear action plan.

The First Board Meeting

Reporting to the board has become a core CISO skill, often tested early. Preparation is everything.

Speak the Language of the Business

Before your first presentation, conduct risk interviews across the business to assess understanding. Can stakeholders differentiate information risk, technology risk, and business risk? This informs the language you use.

Avoid technical jargon. Terms that seem basic to you - "malware," "phishing," "patching" - may be foreign to non-technical board members. Making senior leaders feel uneducated is the fastest way to lose them.

For your first board meeting, focus on straightforward risk management KPIs linked directly to business objectives. Start by highlighting any quick wins or measurable improvements you have already achieved. This reassures the board and disarms audiences who may be expecting a litany of shortcomings and budget requests.

Useful metrics include:

  • Cyber risk level vs risk tolerance
  • Top five risks, prioritised by business impact
  • Intrusion attempts and trends
  • Volume of internal vs external security events
  • Capability maturity scorecard vs competitors

At the same time, have detailed analyses ready. Some board members may have a sophisticated understanding of security, and your metrics must stand up to scrutiny.

The Overlooked Element: Psychological Alliance

Security teams suffer from change fatigue more than most functions. Each new leader brings uncertainty, a new strategy, hiring and firing, and then - just as improvements begin to show - another departure, and the cycle repeats.

Building alliances inside and outside the organisation is critical, not just for support but for perspective. If you are entering an industry without clear best practice, you will need to define success yourself. A network of peers, mentors, and people outside security helps you stay resilient and find new ways to approach challenges.

Protect Your Own Wellbeing

Research suggests stress levels among security leaders are rising year on year, with significant impacts on mental health, physical health, and home lives. Few of us join an organisation planning to leave within two years, yet the pressure to perform from day one often leads to burnout.

Maintain a support network. Invest in your relationships outside work. Do what you can to exercise and eat healthily. The security industry needs your leadership, and that requires you to stay in the game.

Final Thoughts

Your instinct will be to make a meaningful impact from day one. Resist the urge to reorganise before you understand. The first 90 days are about balancing engagement with people, honest evaluation of capability, and the gradual construction of a strategy that the business will actually support.

The technical skills that got you the job will not be the skills that keep you in it. Success in the first 90 days comes from reading the culture, aligning security with business objectives, and building the relationships that turn a security function from a cost centre into a trusted partner.
