How to succeed in your first 100 days as a new Chief Information Security Officer

By Tom Scholtz, vice president and Gartner Fellow

A successful chief information security officer (CISO) is primarily a leader, a manager and a communicator, not a technologist. Most CISOs who fail do so because they don’t understand or meet business requirements and expectations, or they don't effectively communicate how they’ve met the expectations.

Your first 100 days as a CISO constitutes a “honeymoon” period. Within this brief timeframe, you must formulate a course of action, make connections, and establish and communicate a personal management style.

Those who approach the role with a strong plan for the first 100 days are likely to enjoy success. This will depend on two complementary achievements:

(1) Establishing a foundational personal brand of credibility and leadership; and

(2) Laying the foundation for a sound security program.

It is within this critical period that you establish yourself and create the basic perceptions that others will, for better or worse, associate with your subsequent plans and actions.

100-day roadmap

Gartner breaks the CISO's objectives down into a 100-day roadmap. Each phase includes critical target outcomes, actions and resources, as well as some optional ideas to consider as time and resources allow.

[Figure] Roadmap of a CISO's First 100 Days (Source: Gartner, July 2016)


Don't wait until your first day on the job to prepare. Take some key actions before you start to inform yourself, learn about your colleagues and staff, draft communications to make a great impression on day 1 and set up meetings with your team and key business and IT leaders. Do not make the mistake of approaching your new role with ad hoc communications and plans. A few hours of investment in planning before you start will ensure critical preparations are completed. Demonstrating that you understand “how things work around here” is crucial.


Use this period to gain a comprehensive insight into the current state of the security program in the organisation: what's working, what isn't, and the top five challenges that you will prioritise for the first three to six months. During your first week, try to spend most of your time creating an inventory of the resources you will need to manage the security organisation: people, reports, available metrics and financial parameters. Use face-to-face meetings to build a strong understanding of the business and rapport with key stakeholders.


This phase turns what you've learned into a blueprint for action. Share your security program vision with your team, line managers and business stakeholders. This is your chance to design and refine your new security organisation. By now you should have a reasonably accurate picture of your monthly security operations budget, so now is the time to plan your budget for the next two to three months.


Now is your opportunity to deliver visible results, such as changes in the security program. This is when you redefine your team, get involved in existing projects, set budgets, establish (or re-establish) the security governance processes and forums, and ensure senior management commitment for the security charter you developed.


This is your chance to start providing evidence of your impact. Develop an executive reporting framework and process, monitor program and project progress, and highlight early wins, successes and challenges. Schedule meetings with your line manager, team leaders and key stakeholders to gather their thoughts on the progress made and challenges encountered during the first 100 days of your tenure.

By following this roadmap, you will put yourself in a great position to succeed in your new role. Set your priorities carefully, and avoid overcommitting. Stay as far away from technical details as possible, and focus on the relationship of security to the business. While you’re doing this, it is also best to assume some inevitable portion of your time will be spent handling unpredictable security events.

About the author

Tom Scholtz is a research vice president and Gartner Fellow at Gartner. He is also the chief of research for security and risk management, advising clients on security management strategies and trends. Tom will be speaking at the Gartner Security & Risk Management Summit in Sydney next week, 22-23 August.
