The First 90 Days as a CISO: The Framework

This is Part 2 of a two-part series. Part 1 covers the philosophy: understanding the business trajectory, reading the culture, and why business enablement matters more than risk reduction in isolation.

In Part 1, I described three principles that I believe should come before any framework: understanding the business trajectory, reading the organizational culture, and framing security as business enablement. Those principles inform everything that follows here.

This post covers the practical structure of the first 90 days: what happens before the contract, during the assessment, through the first board briefing, and into program building. The timelines are approximate and the specifics change with every organization. The sequence, in my experience, holds.

# Before the Contract

Much of the work that determines whether an engagement succeeds happens before a statement of work is signed. This isn't a formal assessment phase. It's the conversations and observations that inform what the engagement should actually look like.

I try to understand enough about the business trajectory, the organizational culture, and the current state of security to answer four questions:

  • What are the boundaries of this role? Where does the CISO function start and stop within this organization? Who currently owns adjacent decisions, and how will this engagement intersect with their work?
  • What are the outputs? What does this specific organization need produced? A board narrative? A compliance roadmap? An incident readiness plan? The answer comes from the business trajectory, not from a service catalog.
  • What early wins are achievable? Trust and credibility come from demonstrating value, and that needs to happen before the 90-day mark. Identifying realistic early milestones during the pre-engagement period means the first weeks aren't spent figuring out what to work on.
  • What's the ultimate measure? What risks are we reducing, and how does that connect back to the business's ability to execute? If I can't articulate that before the contract is signed, the engagement isn't scoped well enough.

Not every engagement follows this pattern. A single scoped assessment, a compliance gap analysis, or a board-readiness project may only need a subset of these questions. The four above assume an ongoing advisory relationship. For a point-in-time engagement, the boundaries and outputs questions still apply, but the early-wins and ultimate-measure thinking compresses into the deliverable itself.

Some of this comes from direct conversations with leadership. Some comes from observing how the organization communicates, makes decisions, and responds to questions. The goal is to walk into day one with enough context to be useful immediately, not to spend the first month orienting.

# Weeks 1-3: Assessment

The formal assessment period is where the pre-engagement thinking gets tested against reality. The goal is to understand the security landscape in the context of the business questions that were identified before the engagement started.

Practically, this means:

Stakeholder conversations. The CTO, engineering leads, compliance staff, anyone currently making security decisions or living with the consequences of them. These are working conversations. The point is to understand how things actually work, who the trusted voices are, and where the organization already knows it has gaps.

Current state inventory. Policies, tools, vendor relationships, incident history, compliance obligations. This is the factual baseline, but it's only useful when mapped against the business trajectory. A gap that doesn't intersect with where the business is heading is still a gap, but it may not be the priority.

Framework as lens. NIST CSF provides a usable lens for organizing findings, but the framework serves the assessment. The output is a picture of where the organization stands relative to the risks that matter most to its goals.

Building the communication channels. This starts in week one. Identifying the people at every level who can carry context, provide feedback, and help refine the approach as it develops. These are the people who determine whether recommendations actually get adopted.

By the end of week three, the picture should be clear enough to articulate: here's where the business is going, here's where security intersects with that trajectory, and here's what I'd recommend we address first and why.

# Weeks 4-6: The Narrative and the Roadmap

If the communication strategy started in week one, the board briefing at this stage shouldn't contain surprises. Leadership should already have a sense of the direction because the findings and priorities have been discussed, refined, and pressure-tested through the advisory channels built in the first three weeks.

The board narrative covers familiar ground, presented with specificity:

  • Current state, stated plainly. Where the organization stands on the risks that matter to its trajectory. A clear description of the security posture in terms the board can connect to business decisions.
  • Key risks, ranked by business impact. What could prevent the organization from executing on its stated goals? This is where the three-part lens from Part 1 does its work: business trajectory, organizational actions, and where the intersection creates exposure.
  • Recommended priorities with rough cost and timeline. What to address first, what it will take, and how long it should take. Framed as business enablement: how does addressing this risk help the organization execute on its goals?
  • Peer context where it helps. How the organization compares to others at a similar stage and industry, when that comparison is available and relevant.

The roadmap that comes out of this phase is a working document. It should be specific enough to act on, but it will change as the organization learns more about its own risk appetite. The best roadmaps I've contributed to were ones the organization felt ownership over.

# Weeks 7-12: Building the Program

The shift from assessment to execution is where the engagement changes character. By week seven, the understanding is there. Now you're standing things up and finding out what actually works within this specific organization.

What this looks like depends entirely on what the assessment and roadmap identified. Some common threads:

Executing on the top priorities from the roadmap. The items that address the most significant business risks first. This is where the early-win planning from the pre-engagement phase pays off. Tangible progress in weeks 7-9 builds the credibility that sustains the engagement through harder work later.

Standing up governance. Risk registers, policy frameworks, vendor risk processes. These sound like paperwork, and some of it is. The question is whether the governance reflects how the organization actually operates. I've seen too many risk registers that read like aspirational fiction because nobody talked to the people doing the work. The cultural understanding from the assessment phase is what makes this distinction possible.

Staffing specialized work. Not everything belongs in the CISO's hands. Offensive testing, compliance assessments, and deep technical work often need dedicated practitioners. In my engagements, I scope and oversee that work and staff it through senior researchers or other partners depending on the need. The CISO's role is ensuring the work connects back to the roadmap and the business goals, not micromanaging every assessment personally.

Measuring adoption, not just implementation. I've walked into environments where every policy box was checked on paper, and none of the controls were actually running. By this phase, the communication channels built in the first weeks should be providing real feedback on whether controls are being adopted, where friction exists, and what needs adjustment.

The question I try to answer by the end of this phase: can this organization sustain this program without me? Some engagements are designed for ongoing advisory. Some are designed to hand off. Either works, but that should be a deliberate choice made early.

# What Happens After Day 90

Day 90 is where the engagement shifts from building to operating. The assessment is done, the roadmap is in motion, governance is stood up, and the reporting cadence with leadership is established.

For most retainer engagements, this means a monthly rhythm of 2-4 days of active advisory, with availability for urgent matters between sessions. Quarterly board reporting. Ongoing refinement of the roadmap as the business evolves and new risks surface.

The measure of a good first 90 days is straightforward: the next time someone with authority asks about the organization's security posture, there's a real answer. One that's specific enough to act on and honest about what's still unknown. One that connects security to where the business is headed.


This is Part 2 of a two-part series on the first 90 days in a CISO role. Part 1 covers the philosophy that informs this framework.