- The first two weeks belong to listening: conduct an initial assessment, review documentation, speak with key people. Don't demand action right away.
- Identify three to five quick wins within the first 30 days that are visible and generate little resistance. This builds trust and credibility.
- Your relationship with executive management is your most important asset. Report regularly, briefly, and in business language, not in technical jargon.
- Avoid the three classic pitfalls: changing too much too fast, bypassing the IT department, or framing the ISMS as a pure compliance exercise.
- After 100 days, you should have a documented risk picture, an action plan, and the trust of key stakeholders.
Day one: Everything and nothing at the same time
You've taken on the role, whether through internal promotion, as a new hire, or as an externally appointed CISO or information security officer. Maybe your predecessor left a proper handover. Maybe not. Maybe there's an existing ISMS you need to continue. Maybe you're starting from scratch.
Regardless of the starting point, you face the same challenge: you need to simultaneously understand where the organization stands, build trust with stakeholders, deliver early results, and develop a long-term strategy. All while you're still learning how things work, who the decision-makers are, and where the informal power structures lie.
This roadmap divides the first 100 days into four phases. It is deliberately realistic — not a theoretical ideal model, but a practical guide that acknowledges you have a learning curve and can't have all the answers from day one.
Phase 1: Listen and understand (Day 1 to 30)
Week 1 and 2: Initial assessment
Your first impulse will be to change things. Resist it. The first two weeks belong to listening, reading, and understanding. You gather information but don't evaluate it publicly yet. Why? Because premature judgments in a new role are poison for collaboration. The people you'll be working with kept the organization running before you arrived — they deserve to be heard before you make suggestions for improvement.
Start with the documentation. Review everything that exists: information security policy, guidelines, risk analysis, Statement of Applicability (SoA), action plan, audit reports, incident documentation. Don't just skim the documents; note for each one: When was it last updated? By whom? Is it actually followed? Are there obvious gaps?
In parallel, you need an overview of the system landscape. What systems are in use? Where are they located (on-premises, cloud, hybrid)? How is the network structured? Which external service providers are there? The IT department can show you most of this, and going through it together is also a good opportunity to get to know your colleagues.
Week 3 and 4: Getting to know stakeholders
In weeks three and four, conduct one-on-one meetings with key stakeholders. Not as formal interviews, but as open conversations. Your goal is to learn three things:
- From the person's perspective, what is the current state of information security?
- Where does the person see the greatest risks?
- What does the person expect from you as the CISO?
The list of conversation partners includes at minimum:
- Executive management: Your most important stakeholder. Understand what security goals management has, what regulatory requirements they see, and how much budget and attention they allocate to information security.
- IT leadership: Your closest operational partner. Understand the technical infrastructure, ongoing projects, known vulnerabilities, and the IT department's resource situation.
- Data Protection Officer: The interface between the ISMS and the GDPR (DSGVO). Clarify the boundaries and collaboration, and leverage the synergies.
- HR leadership: Responsible for training, onboarding/offboarding, and employment law aspects of security policies.
- Department heads: The people who must implement your policies. Understand their work processes and their pain points.
- Works council (if applicable): Early involvement in topics such as monitoring, logging, and policies that affect employee behavior.
Document the results of these conversations. Not as formal minutes, but as personal notes that you'll need for your action plan.
Results after 30 days
At the end of Phase 1, you should have the following:
- An overview of the current ISMS maturity level (even informally: "We have basic policies but no structured risk management")
- A stakeholder map: Who supports you, who is neutral, who is skeptical?
- An initial list of obvious gaps and areas for action
- A good sense of the company culture and the willingness to embrace information security
Phase 2: Deliver quick wins (Day 31 to 60)
Why quick wins are crucial
Over the next 30 days, the goal is to produce visible results. Not because you're under pressure to perform, but because quick wins serve three functions: They show executive management that the investment in your role is paying off. They show employees that information security is concrete and useful — not just an abstract compliance topic. And they give you the feeling of making progress.
The best quick wins for new CISOs
Enable MFA for all privileged accounts. If this hasn't been done yet, it's the quick win with the best effort-to-impact ratio. Admin accounts, VPN access, and cloud consoles should use MFA, and for administrators prefer phishing-resistant methods (FIDO2/WebAuthn keys or platform passkeys) over SMS or push approval. Two things are easy to overlook: service accounts and long-lived API keys, which interactive MFA does not cover at all, and the cloud root or break-glass accounts, which need MFA first. The technical implementation typically takes just a few days; verifying coverage afterwards with an export of who actually has MFA enrolled is what turns it into a defensible quick win.
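The coverage check described above, as an added example that is not part of the original article: it parses an AWS IAM credential report (the output of `aws iam get-credential-report`, which delivers the CSV base64-encoded in a `Content` field) and flags console users without MFA as well as users holding active long-lived access keys, which console MFA does not protect. The account numbers, user names and report rows are constructed sample data; a real report contains additional columns that the reader ignores. Which of these users count as "privileged" still has to come from your IAM policy review, so the script treats every console user as in scope.

```python
import base64
import csv
import io
import json

# Constructed sample in the shape of `aws iam get-credential-report` output.
# The CSV is delivered base64-encoded in the "Content" field. Only the columns
# this check needs are included; real reports carry more (last-used dates,
# certificates), which csv.DictReader simply ignores.
SAMPLE_CSV = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,true
carol,arn:aws:iam::111122223333:user/carol,true,false,false,false
"""
SAMPLE_REPORT_JSON = json.dumps({
    "Content": base64.b64encode(SAMPLE_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
})


def decode_report(report_json: str) -> list[dict]:
    """Turn the JSON returned by `aws iam get-credential-report` into CSV rows."""
    content = base64.b64decode(json.loads(report_json)["Content"]).decode()
    return list(csv.DictReader(io.StringIO(content)))


def audit_mfa(rows: list[dict]) -> dict[str, list[str]]:
    """Map each user with a finding to the list of issues found for it."""
    findings: dict[str, list[str]] = {}
    for row in rows:
        issues = []
        # The root account reports password_enabled as "not_supported" but
        # always has console access, so treat it as a console user.
        is_root = row["user"] == "<root_account>"
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            issues.append("console login without MFA")
        # Active access keys are long-lived credentials that bypass console MFA.
        # Either retire them (roles/short-lived credentials) or gate their use
        # with an aws:MultiFactorAuthPresent condition in IAM policy.
        keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if keys:
            issues.append("active long-lived access key(s): " + ",".join(keys))
        if is_root and keys:
            issues.append("root account holds access keys")
        if issues:
            findings[row["user"]] = issues
    return findings


def summarize(findings: dict[str, list[str]]) -> str:
    """One line per user, suitable for the status mail to IT and management."""
    return "\n".join(f"{user}: {'; '.join(issues)}" for user, issues in sorted(findings.items()))


if __name__ == "__main__":
    print(summarize(audit_mfa(decode_report(SAMPLE_REPORT_JSON))))
```

On a real account, replace `SAMPLE_REPORT_JSON` with the output of `aws iam get-credential-report` (run `aws iam generate-credential-report` first if the report is stale). The same two questions, "who can log in without a second factor" and "who holds a standing credential that MFA never touches", apply unchanged to Entra ID, Okta or an on-premises directory; only the export format differs.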
Update and communicate the password policy. If the existing policy is outdated (e.g., still requiring password changes every 90 days and three of four character classes), update it to current guidance such as NIST SP 800-63B: length over complexity (allow long passphrases, drop composition rules), screen new passwords against lists of known-breached passwords, and no forced rotation except upon suspected compromise. This shows you know current best practices and don't create policies for the sake of bureaucracy. Confirm that the directory and the applications that enforce the policy can actually implement it before you publish it.
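The contrast between the outdated rule set and the current one, as an added example that is not from the original article: `legacy_policy` encodes the old "8 characters, 3 of 4 character classes" rule, `modern_policy` the length-and-blocklist approach. The breached-password set is a tiny constructed stand-in for a real breach corpus (or a k-anonymity lookup against a service such as Have I Been Pwned); the 12-character minimum is a chosen value, not a quote from the standard.

```python
import unicodedata

# Constructed stand-in for a breached-password list. In production this is a
# local breach corpus or an API lookup; the comparison is done on the
# NFKC-normalised, lower-cased form so trivial variants are still caught.
BREACHED = {"password", "p@ssw0rd", "summer2024!", "welcome1", "qwerty123"}

MIN_LENGTH = 12    # assumption: our chosen floor; SP 800-63B requires at least 8
MAX_LENGTH = 256   # accept long passphrases but bound the cost of hashing


def _normalize(text: str) -> str:
    return unicodedata.normalize("NFKC", text).lower()


def legacy_policy(password: str) -> bool:
    """The outdated composition rule: 8+ characters and 3 of 4 character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= 8 and classes >= 3


def modern_policy(password: str, username: str = "", blocklist=BREACHED) -> list[str]:
    """Return the list of reasons a candidate is rejected; empty means accepted.

    No character-class requirements and no periodic rotation: a password is
    replaced only when it is suspected to be compromised, which is handled by
    the incident process, not by this check.
    """
    problems = []
    norm = _normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if norm in blocklist:
        problems.append("appears in breached-password list")
    if username and _normalize(username) in norm:
        problems.append("contains the username")
    if len(set(norm)) == 1:
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "carol-carol-2024"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"modern={modern_policy(candidate, username='carol') or 'accepted'}")
```

The example makes the argument for the policy change concrete: `P@ssw0rd` satisfies the legacy rule and is one of the first guesses in any credential-stuffing list, while a four-word passphrase fails the legacy rule and passes the modern one.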
Publish an IT emergency card. A one-page card with the most important phone numbers and steps for an IT security incident. Easy to create, immediately useful, and visible to everyone.
Conduct initial phishing awareness. Not an elaborate training session, but a brief email or intranet post with current phishing examples and clear instructions on how to report suspicious emails.
Establish a security incident reporting process. A simple, low-threshold way for employees to report suspicious activity. This could be a dedicated email address, an intranet form, or a messenger channel.
Communicating quick wins effectively
A quick win that nobody notices is no quick win. Communicate every implemented measure:
- To executive management: brief status via email or in the next regular meeting
- To the IT department: in the team meeting or via ticket
- To all employees: via intranet, email, or notice board (if the measure affects them)
Phase 3: Develop strategy (Day 61 to 90)
Systematically assess risks
Now, with two months of organizational knowledge, you're ready for systematic work. If there's no formal risk assessment yet, now is the time to begin. If a risk assessment exists, review its currency and completeness.
The risk assessment doesn't have to be a months-long project. Use workshop formats where you identify and assess threats, vulnerabilities, and risks together with asset owners. Three to four half-day workshops, grouped by theme (infrastructure, applications, organization, physical security), provide a solid foundation.
Prioritize the action plan
From the risk assessment, the gaps identified during the initial assessment, and the stakeholder conversations, a list of measures emerges. Prioritize them along two dimensions:
Risk reduction: Which measure reduces the greatest risk most effectively?
Feasibility: Which measure can be implemented with available resources in a realistic timeframe?
Assign each measure to one of four categories:
- Immediate (next 30 days): High risk, low complexity
- Short-term (1-3 months): High risk, medium complexity
- Medium-term (3-6 months): Medium risk or high complexity
- Long-term (6-12 months): Strategic measures, investment projects
Create an ISMS roadmap
Consolidate the results into an ISMS roadmap to present to executive management. A tool like ISMS Lite gives you a ready-made structure for risk assessment, action tracking, and reporting, so you don't have to start from scratch. The roadmap should fit on one page and contain the following elements:
- Current maturity level (e.g., as a spider diagram across ISMS domains)
- Target state in 12 months
- The most important measures, grouped by timeframe
- Required resources (budget, personnel, external support)
- Next steps
This roadmap is your central steering instrument. It gives you direction, provides transparency for executive management, and signals to employees that there is a plan.
Phase 4: Solidify the foundation (Day 91 to 100)
Prioritize policies
You won't be able to create all policies in the first 100 days — nor should you. Focus on the three to five most important:
- Information security policy (if missing or outdated)
- Acceptable use policy (use of IT systems and data)
- Password and authentication policy
- Incident response policy (detection, reporting, and handling of incidents)
- Access control policy (authorization concept)
Every additional policy goes on the roadmap and will be created in the planned timeframe.
Conduct the first training
Plan an awareness training session for all employees toward the end of the 100 days. Not a dry mandatory session, but an interactive session that sparks curiosity. Good elements:
- Live demo of a phishing attack or social engineering attack
- Real examples from your own industry (anonymized)
- Clear, simple rules that take effect immediately
- Open Q&A session
- Introduction of the reporting process for security incidents
Establish regular reporting
Set up a fixed reporting rhythm from the beginning:
- Monthly to executive management: Compact status report (one page), risk situation, open actions, incidents, next steps
- Quarterly in the management review: More detailed report with metrics and trends
- Weekly to the IT department: Brief alignment on ongoing actions and current topics
This rhythm ensures that information security regularly appears on the agenda and doesn't only get attention when something goes wrong.
Classic pitfalls and how to avoid them
Pitfall 1: Changing too much too fast
You see the gaps, you know what needs to be done, and you want to get started. Understandable, but dangerous. If in the first few weeks you publish five new policies, have two systems shut down, and issue a series of prohibitions, you'll face massive resistance. Employees will perceive you as a roadblock, departments will complain to management, and you'll lose the support you desperately need.
The better approach: Prioritize rigorously, communicate transparently, and introduce changes incrementally. Explain the "why" for every measure, not just the "what." People accept change much more easily when they understand the reason.
Pitfall 2: Bypassing the IT department
The IT department is your most important operational partner. If you demand measures without talking to IT first, you create friction. IT knows the systems better than you and often has good reasons why certain things are the way they are. That doesn't mean you have to accept everything, but you should understand and incorporate IT's perspective.
A concrete example: You discover there's no network segmentation. Instead of drafting a requirement and setting a deadline, talk to the network administrator first. Ask why the network is flat, what dependencies exist, and how segmentation could be implemented from a technical perspective. This produces a realistic plan instead of a demand that goes nowhere.
Pitfall 3: Framing the ISMS as a compliance exercise
If your main argument for information security is that the auditor requires it or that NIS2 mandates it, you've already lost. Compliance is a byproduct of good information security, not the goal. The goal is to protect the organization's information, thereby securing business processes, customer trust, and competitiveness.
Talk to executive management about business risks, not control catalogs. Talk to departments about protecting their work outputs, not about ISO clause numbers. Talk to employees about protection against real threats, not about abstract standards.
Pitfall 4: Trying to do everything alone
You are the CISO, but you are not solely responsible for information security. Information security is a shared responsibility, and your job is to coordinate it, not to implement it single-handedly. Delegate where possible. Designate risk owners. Assign measures to the responsible subject matter experts. Build a network of contacts across departments.
Pitfall 5: Not seeking allies
In every organization, there are people who genuinely care about information security. Find these allies and leverage their support. It could be the administrator who has long been pushing for better password rules. The quality manager who has internalized the audit mindset. The team lead who became aware after the last phishing incident. These allies help you push through measures in their areas and build a security culture.
Checklist: 100-day plan at a glance
Day 1-14: Arrive and orient
- Review and evaluate existing ISMS documentation
- Understand the system landscape and network architecture
- Clarify organizational structure and responsibilities
- Set up access to all relevant systems and documents
Day 15-30: Understand stakeholders and risk landscape
- Conduct one-on-one meetings with all key stakeholders
- Build the relationship with executive management
- Create an initial informal risk assessment
- Identify quick wins
Day 31-60: Implement and communicate quick wins
- Implement 3-5 quick wins (MFA, password policy, IT emergency card, reporting channel)
- Actively communicate every measure
- Start a regular reporting cadence to executive management
Day 61-90: Strategy and roadmap
- Start formal risk assessment (workshops)
- Prioritize the action plan
- Create an ISMS roadmap for the next 12 months
- Present the roadmap to executive management
Day 91-100: Solidify the foundation
- Finalize the most important policies
- Conduct the first awareness training for all employees
- Set up systematic action tracking
- Take stock: What have I achieved, what's next?
The first 100 days are your foundation. During this time, you won't build a complete ISMS, but you'll lay the groundwork for everything that follows: stakeholder trust, a realistic picture of the risk situation, a plan for next steps, and the first visible results. If you build this foundation solidly, everything after can build upon it.
Further reading
- CISO: External or internal? Pros and cons of both models
- Key ISMS roles: CISO, Information Security Officer, Risk Owner
- Explaining information security to executive management
- Building and sustaining a security awareness program
- Building an ISMS: The complete guide for companies with 50 to 500 employees
