vCISO’s First 100 Days: The Playbook

As a vCISO, you are in charge of developing and implementing the business’s cybersecurity strategy, while balancing business needs and fostering trust within the organization. And even if you’re not officially on the company’s payroll, you still hold a leadership role within the organization. As such, the first 100 days are critical for navigating your professional responsibilities and positioning yourself as a reliable decision maker.

How can you ensure your first 100 days as a vCISO serve as the foundation for your long-term success? In this new blog post, we bring the highlights of a five-step 100-day action plan designed to help you accomplish your goals.

This blog post is based on the comprehensive playbook “Your First 100 Days as a vCISO – 5 Steps to Success”, which you can read here.

Goals and Pitfalls to Avoid for vCISOs

Before diving into the activities themselves, here’s a quick reminder of the vCISO’s goals and organizational risks. This list should serve to guide you throughout the first 100 days and beyond.

In the first 100 days, a vCISO should focus on three primary goals:

1. Establishing, overseeing and managing organizational security
2. Fostering trust among the organization with security goals
3. Making security a business enabler

Pitfalls that should be avoided include getting caught up in organizational politics, relying on manual processes, and spreading services too thin across industries. (You can read more about the goals and pitfalls in the guide.

The 5 Phases: Your 100-Day Action Plan

Research (Days 0-30):

This phase is your opportunity to get to know the organization. It involves a deep dive into the company’s current security status and business goals, building relationships with stakeholders and evaluating existing security controls.

Some of the key activities include:

• Meeting stakeholders and management
• Meeting the IT/security team
• Getting access to tools, data and all relevant systems
• Analyzing existing infrastructure, tools, frameworks, policies and reports
• Reviewing past security incidents and responses

Read the full list of activities and additional details about each one in the playbook.

Understand (Days 0-45)

In this step, your goal is to synthesize information into a comprehensive view of the organization’s security maturity, including risk assessment and gap analysis.

Some of the key activities include:

• Conducting a security risk assessment
• Creating a clear picture of security maturity and the security posture
• Showing the current security posture and gaps to the management
• Identifying short-term and long-term needs
• Identifying business needs
• Examining the use of automation

Read the full list of activities and additional details about each one in the playbook.

Prioritize (Days 15-60)

Now, you can draft actionable plans based on your understanding of the organization’s security.

Key activities include:

• Defining short, mid and long-term goals
• Creating a remediation/work plan based on those goals
• Identifying 2-3 quick wins
• Planning budgets and resources

Read the full list of activities and additional details about each one in the playbook.

Execute (Days 30-80)

This phase is about putting the strategic plan into action, establishing yourself as an organizational leader.

Key activities include:

• Getting stakeholder and management buy-in
• Communicating the plan to all stakeholders
• Implementing automated systems that can deliver low hanging fruit (see examples in the report)
• Focusing on the quick, impactful wins
• Setting a cadence for external scanning and reporting

Read the full list of activities and additional details about each one in the playbook.

Report (Days 45-100)

The final phase involves validating the strategy’s effectiveness, crafting detailed reports and continuously adapting the security measures.

Key activities include:

• Measuring success
• Crafting detailed reports for management
• Communicating progress at least once a month
• Integrating reporting into your overall plan

Read the full list of activities and additional details about each one in the playbook.

Next Steps and Long-Term Strategy

In your first 100 days as a vCISO, you’ve established a strong foundation by building key relationships, aligning security with business goals, achieving quick wins and incorporating automation. As you transition into long-term planning, you will need to continuously refine your security practices, policies and technologies, ensuring they stay up-to-date with technological advancements and evolving threats while meeting compliance needs.

Implementing a vCISO platform will be instrumental in monitoring your organization’s security status and adapting to external changes in the threat and regulatory landscapes.

To learn more about how to knock your first 100 days out of the park, get the playbook, which was crafted together with PowerPSA Consulting for vCISOs based on our extensive experience and combined knowledge, here.