The template · free version

Tip: download the Markdown and paste it into Google Docs or Notion to make it yours. Everything in [brackets] is yours to replace.

The 90-Day CISO Plan

The template panels expect, and the plan you’ll actually run after signing.

From CISO Prep (cisoprep.com). Free version. You may share this document; please don’t strip the attribution. The full version (with a completed worked example for a realistic company profile, the board-readout deck, and the negotiation script) is in the CISO Interview Template Pack.


How to use this template

Two modes:

Interview mode. Fill this in for the company you’re interviewing with, in one evening, using only outside information (10-K/S-1 risk factors, earnings calls, security job postings, breach history, product docs). Then compress it to ONE PAGE using the one-pager format at the end. Bring the one-pager, not this document. The caveat language is pre-written for you. Use it. Panels score the caveat as seniority.

Operator mode. After you sign, this becomes your actual working plan. Replace the assumptions with what you find, keep the phase gates, and let the day-90 readout structure drive what you collect from day one.

Everything in [brackets] is yours to replace. Delete this page before you use the document.


Company snapshot (fill in first: everything else keys off this)

FieldYour entry
Company, stage, revenue model[How does this business actually make money?]
The 2–3 things security must protect for the business to work[e.g., customer data platform, payment flows, uptime SLAs, IP]
Regulatory and contractual drivers[SEC, HIPAA, PCI, SOC 2 commitments, cyber insurance renewal date]
Known history[Breaches, audit findings, why the last security leader left]
My operating assumptions from the outside[3–5 bullets. You will present these AS assumptions]

Phase 1 (Days 1–30): Listen and assess

Goal: understand the business, the risk, and the politics before changing anything. Anti-goal: announcing a strategy, reorganizing the team, buying anything.

The 11 conversations (book them in week one)

#WhoThe one question that matters
1CEO”What would make you consider security a failure two years from now?“
2CFO”How has security spend been planned historically, and what was the last ask you declined?“
3General Counsel”Where are we exposed today that keeps you up at night, and how do we handle privilege in incidents?“
4Audit committee chair”What do you want from my reporting that you weren’t getting?“
5Head of Engineering”Where does security help or hurt your velocity today?“
6Head of Product”What’s on the roadmap that should scare me?“
7Head of People”What does the exit-interview data say about my team?“
8Top customer-facing exec”What do customers and prospects actually ask about security?“
9My inherited team leads (1:1s)“What did the last leader protect you from, and what could they never get funded?“
10IT leader”What do you own that I’m accountable for?“
11The previous CISO, if reachable”What would you have done differently, and what could you never get funded?”

Phase 1 outputs (the gate to Phase 2)

  • Stakeholder map with each executive’s stated worry, verbatim
  • Asset/crown-jewel inventory: what actually matters, not what’s cataloged
  • Inherited-commitments list (customer promises, audit remediations, insurance conditions)
  • Team assessment: capability, morale, unfunded priorities
  • Draft risk list: unranked is fine; ranking is Phase 2 work

Phase 2 (Days 31–60): Prioritize and align

Goal: turn findings into a risk-ranked view the executive team agrees with. Anti-goal: a 40-page assessment nobody reads.

Workstreams

  1. Rank the risk list against the business model: every risk stated in business-impact terms (“ransomware on the fulfillment platform = X days of stopped revenue”), not CVSS scores.
  2. Socialize before you present. Walk the ranked list past the CFO and GC individually before any group setting. You want your top three risks pre-agreed, not debated live.
  3. The first budget conversation. Go back to the CFO with ONE ask: small, scoped, tied to a named risk, with a definition of done. Your credibility for the real budget cycle is built on this transaction.
  4. Pick 1–2 quick wins using the filter below.

The quick-win filter (all four or it doesn’t count)

  • Visible to executives outside security
  • Ties directly to a worry someone named in your Phase 1 conversations
  • Low political cost: doesn’t slow another team’s roadmap
  • Done inside 30 days, provably

What fails this filter: “rolled out MFA,” “ran a phishing test,” “started a risk assessment.” What passes: killing a control everyone hates and replacing it with something lighter that works; closing the audit finding the CFO mentioned unprompted; a tested restore of the system the CEO named.

Phase 2 outputs

  • Risk register, ranked, in business language, pre-socialized
  • One delivered (or visibly in-flight) quick win
  • First budget ask made and honored
  • Year-one program skeleton: 3–4 initiatives, each mapped to a named risk

Phase 3 (Days 61–90): Deliver and report

Goal: the first board-ready readout and a repeatable operating rhythm. Anti-goal: a reassuring readout. Everything wrong right now is inherited; in a year it’s yours. Spend the bluntness while it’s free.

The day-90 readout (four sections, short)

  1. What I found: honest posture against the risks that matter to this business
  2. What could hurt us: top 3 risks, business impact, current exposure
  3. What I’m doing, in what order: the program, each initiative tied to a risk
  4. What it costs: the ask, and what declining it means in risk terms

The operating rhythm you install

CadenceForumContent
WeeklySecurity leadershipDelivery, incidents, blockers
MonthlyExec sponsor 1:1Risk movement, decisions needed
QuarterlyAudit committeeThe readout structure above, updated
AnnuallyFull boardStrategy, posture trend, program ask

Phase 3 outputs

  • Day-90 readout delivered to [audit committee / exec team]
  • Operating rhythm booked on calendars: recurring, named owners
  • Year-one roadmap agreed and funded (or the gap explicitly accepted by name)

The interview one-pager

Compress everything above into this structure: one page, presented only when asked or when the conversation opens the door:

My first 90 days at [Company]: working plan, built from the outside

What I believe from the outside (3 assumption bullets, explicitly labeled as assumptions)

Days 1–30: Listen. The 11 conversations, crown-jewel inventory, inherited commitments. No changes. Days 31–60: Prioritize. Risk-ranked view in business terms, socialized 1:1 first. One scoped budget ask. One visible quick win. Days 61–90: Deliver. First board-ready readout: found / could hurt us / doing / costs. Install the operating rhythm.

What I won’t do in the first 90 days: reorganize the team, replace the stack, or promise a full risk assessment by day 30.

The caveat to say out loud: “This is my plan given what I can see from the outside. The first 30 days exist to find out where it’s wrong, and I’d expect the version I show you at day 45 to be different in at least one important way.”


© CISO Prep · cisoprep.com · The worked example (this template completed end-to-end for a realistic company), the board deck, the offer-evaluation checklist, and the comp negotiation script are in the Template Pack.