30, 60, 90 Day Plan For New Security Leaders

A simple outline of tasks and goals a new security leader will need to tackle in their first 90 days.

When hiring anyone, it’s always great to understand what they should be working in their first 90 days of employment. You as a hiring manager likely have an understanding already of what needs to be done, otherwise, you wouldn’t be hiring 😄, but probably from just a high level and only some of the burning/immediate issues.

You know there are a lot of security issues that need to be addressed, but there are obvious gaps in what needs to be from a priority perspective as well as possible unknown unknowns in your environment.

The below is a 30, 60, 90 plan to help those hiring early security leaders in an organization understand what they would/could/should be doing.

Note: This is a generic plan. YMMV depending on how large the organization is and if there is/was someone responsible for security or not.

Table of Contents

Security Leadership Plan - First 30 Days

  • Meet all key stakeholders

    • Understand where security has been a blocker or enabler

    • Understand business concerns and near term goals

    • Understand what the crown jewels of the business really is (everyone has a different perspective)

  • Get a braindump from existing/previous security person

    • There is always someone responsible for security. It may have been the General Counsel, CFO, CEO, VP of Engineering, a Contractor / Interim CISO

  • Begin a security/risk assessment of the organization. Start populating a risk register

    • This can be informal, but as you’re speaking to people and understanding what security is in place, where the skeletons are, and what security debt there is, begin tracking it in a risk register.

  • Take a look at other team’s boards and understand the projects they are working on. Start sitting in on meetings and understand who the technical SME’s or PM’s of the group are.

    • This is a great way to get to know people in the organization and understand what’s taking their time.

    • Also a great way to bake security in early 😉

  • Check for the basics

    • Logging / Operations

    • Incident Response Plan

      • This is super important as an incident can happen at any time. Hopefully not in the first week the person starts, but we don’t always have that luxury.

    • Application Security hygiene

    • Endpoint Security

    • Onboarding / Offboarding / Security Awareness

  • Review previous assessments/audit reports

Security Leadership Plan - 31-60 Days

By now the individual has a beginner’s level understanding of the landscape and is formulating potential solves for security in their head. By day 45 we should be seeing some concrete action taking place.

  • Have a hiring plan outlined for the organization

  • Write job descriptions for Engineers and/or Managers

  • Start conversations with vendors to fill existing gaps in processes or operations

  • Start putting together OKR’s for the next few quarters

Building Up Britain: Why Construction Needs A Restructure

Security Leadership Plan - 61-90 Days

Now is when the rubber hits the road. Things are coming together and they are starting to figure out their flow. It’s still very early in the security program, but with the right help initiatives are looking a little more solidified.

  • Begin interviewing candidates if not already. Ideally should be 2nd/3rd round interviews or if possible have hired first person by now.

  • Improvements to security processes are being implemented right now

  • Vendors are chosen for a few key areas and contracts are underway

    • Security hires will be implementing these tools and this will be part of their 30-60-90.

Notes

  • If the organization does not have any security engineers at this point, I would move up and accelerate security hiring.

  • Vendor selection for certain areas and tools they will be running can be delayed as they should have a decision in the process. There are of course some vendors/tools that will not require an engineer’s input that a leader can implement immediately.

  • This is a generic plan for startups and not a comprehensive one. YMMV1 depending on how large the organization is and if there is/was someone responsible for security or not.

  • I’ve been in environments where six months later, I’m still uncovering things. Being able to truffle

Thanks,

Ayman

What is your 30, 60, 90 day plan? Any tips/tricks you can share that made onboarding someone easier?

Reply

or to participate.