# The 90-Day CISO Plan

**The template panels expect, and the plan you'll actually run after signing.**

*From CISO Prep (cisoprep.com). Free version. You may share this document; please don't strip the attribution. The full version (with a completed worked example for a realistic company profile, the board-readout deck, and the negotiation script) is in the [CISO Interview Template Pack](https://cisoprep.com/templates/).*

---

## How to use this template

Two modes:

**Interview mode.** Fill this in for the company you're interviewing with, in one evening, using only outside information (10-K/S-1 risk factors, earnings calls, security job postings, breach history, product docs). Then compress it to ONE PAGE using the one-pager format at the end. Bring the one-pager, not this document. The caveat language is pre-written for you. Use it. Panels score the caveat as seniority.

**Operator mode.** After you sign, this becomes your actual working plan. Replace the assumptions with what you find, keep the phase gates, and let the day-90 readout structure drive what you collect from day one.

Everything in [brackets] is yours to replace. Delete this page before you use the document.

---

## Company snapshot (fill in first: everything else keys off this)

| Field | Your entry |
|---|---|
| Company, stage, revenue model | [How does this business actually make money?] |
| The 2–3 things security must protect for the business to work | [e.g., customer data platform, payment flows, uptime SLAs, IP] |
| Regulatory and contractual drivers | [SEC, HIPAA, PCI, SOC 2 commitments, cyber insurance renewal date] |
| Known history | [Breaches, audit findings, why the last security leader left] |
| My operating assumptions from the outside | [3–5 bullets. You will present these AS assumptions] |

---

## Phase 1 (Days 1–30): Listen and assess

**Goal:** understand the business, the risk, and the politics before changing anything.
**Anti-goal:** announcing a strategy, reorganizing the team, buying anything.

### The 11 conversations (book them in week one)

| # | Who | The one question that matters |
|---|-----|-------------------------------|
| 1 | CEO | "What would make you consider security a failure two years from now?" |
| 2 | CFO | "How has security spend been planned historically, and what was the last ask you declined?" |
| 3 | General Counsel | "Where are we exposed today that keeps you up at night, and how do we handle privilege in incidents?" |
| 4 | Audit committee chair | "What do you want from my reporting that you weren't getting?" |
| 5 | Head of Engineering | "Where does security help or hurt your velocity today?" |
| 6 | Head of Product | "What's on the roadmap that should scare me?" |
| 7 | Head of People | "What does the exit-interview data say about my team?" |
| 8 | Top customer-facing exec | "What do customers and prospects actually ask about security?" |
| 9 | My inherited team leads (1:1s) | "What did the last leader protect you from, and what could they never get funded?" |
| 10 | IT leader | "What do you own that I'm accountable for?" |
| 11 | The previous CISO, if reachable | "What would you have done differently, and what could you never get funded?" |

### Phase 1 outputs (the gate to Phase 2)

- [ ] Stakeholder map with each executive's stated worry, verbatim
- [ ] Asset/crown-jewel inventory: what actually matters, not what's cataloged
- [ ] Inherited-commitments list (customer promises, audit remediations, insurance conditions)
- [ ] Team assessment: capability, morale, unfunded priorities
- [ ] Draft risk list: unranked is fine; ranking is Phase 2 work

---

## Phase 2 (Days 31–60): Prioritize and align

**Goal:** turn findings into a risk-ranked view the executive team agrees with.
**Anti-goal:** a 40-page assessment nobody reads.

### Workstreams

1. **Rank the risk list against the business model:** every risk stated in business-impact terms ("ransomware on the fulfillment platform = X days of stopped revenue"), not CVSS scores.
2. **Socialize before you present.** Walk the ranked list past the CFO and GC individually before any group setting. You want your top three risks pre-agreed, not debated live.
3. **The first budget conversation.** Go back to the CFO with ONE ask: small, scoped, tied to a named risk, with a definition of done. Your credibility for the real budget cycle is built on this transaction.
4. **Pick 1–2 quick wins** using the filter below.

### The quick-win filter (all four or it doesn't count)

- [ ] Visible to executives outside security
- [ ] Ties directly to a worry someone named in your Phase 1 conversations
- [ ] Low political cost: doesn't slow another team's roadmap
- [ ] Done inside 30 days, provably

*What fails this filter: "rolled out MFA," "ran a phishing test," "started a risk assessment." What passes: killing a control everyone hates and replacing it with something lighter that works; closing the audit finding the CFO mentioned unprompted; a tested restore of the system the CEO named.*

### Phase 2 outputs

- [ ] Risk register, ranked, in business language, pre-socialized
- [ ] One delivered (or visibly in-flight) quick win
- [ ] First budget ask made and honored
- [ ] Year-one program skeleton: 3–4 initiatives, each mapped to a named risk

---

## Phase 3 (Days 61–90): Deliver and report

**Goal:** the first board-ready readout and a repeatable operating rhythm.
**Anti-goal:** a reassuring readout. Everything wrong right now is inherited; in a year it's yours. Spend the bluntness while it's free.

### The day-90 readout (four sections, short)

1. **What I found:** honest posture against the risks that matter to this business
2. **What could hurt us:** top 3 risks, business impact, current exposure
3. **What I'm doing, in what order:** the program, each initiative tied to a risk
4. **What it costs:** the ask, and what declining it means in risk terms

### The operating rhythm you install

| Cadence | Forum | Content |
|---|---|---|
| Weekly | Security leadership | Delivery, incidents, blockers |
| Monthly | Exec sponsor 1:1 | Risk movement, decisions needed |
| Quarterly | Audit committee | The readout structure above, updated |
| Annually | Full board | Strategy, posture trend, program ask |

### Phase 3 outputs

- [ ] Day-90 readout delivered to [audit committee / exec team]
- [ ] Operating rhythm booked on calendars: recurring, named owners
- [ ] Year-one roadmap agreed and funded (or the gap explicitly accepted by name)

---

## The interview one-pager

Compress everything above into this structure: one page, presented only when asked or when the conversation opens the door:

> **My first 90 days at [Company]: working plan, built from the outside**
>
> **What I believe from the outside** (3 assumption bullets, explicitly labeled as assumptions)
>
> **Days 1–30:** Listen. The 11 conversations, crown-jewel inventory, inherited commitments. No changes.
> **Days 31–60:** Prioritize. Risk-ranked view in business terms, socialized 1:1 first. One scoped budget ask. One visible quick win.
> **Days 61–90:** Deliver. First board-ready readout: found / could hurt us / doing / costs. Install the operating rhythm.
>
> **What I won't do in the first 90 days:** reorganize the team, replace the stack, or promise a full risk assessment by day 30.

**The caveat to say out loud:** *"This is my plan given what I can see from the outside. The first 30 days exist to find out where it's wrong, and I'd expect the version I show you at day 45 to be different in at least one important way."*

---

*© CISO Prep · cisoprep.com · The worked example (this template completed end-to-end for a realistic company), the board deck, the offer-evaluation checklist, and the comp negotiation script are in the [Template Pack](https://cisoprep.com/templates/).*
