CISO 90-Day Onboarding Workbook

Most new CISOs spend their first 90 days in reactive mode — firefighting, attending every meeting, and producing a board deck that doesn't reflect any real analysis. This workbook structures the first 90 days into a defensible program assessment and stakeholder alignment process.

Built for three audiences: FTE CISOs joining a new organization, vCISOs starting a new client engagement, and interim security leaders inheriting an unknown-state program.

Workbook structure:

30-Day Foundation — stakeholder mapping (technical, business, board), existing program inventory, critical asset identification, and the 5 questions every new CISO should answer in the first 30 days before making any commitments.

60-Day Assessment — structured program gap analysis against the frameworks the organization cares about, risk register initialization, quick-win identification (high-visibility / low-effort), and first board or executive briefing preparation.

90-Day Strategy — 12-month roadmap draft, budget ask framework, team assessment, vendor landscape review, and the board presentation that establishes credibility for the program.

Stakeholder Map — tracks all security-relevant relationships: CTO/CIO, Legal/GC, CFO, HR, Business Units, Board Audit Committee, external auditors, key vendors. Includes communication cadence tracker and influence/interest matrix.

Quick-Win Tracker — 20 pre-seeded high-visibility security improvements that can be completed in the first 90 days with existing resources. Each with effort estimate, visibility rating, and risk reduction impact.

Board Briefing Builder — structured output template that auto-populates from the assessment tabs. Produces a first-90-days brief suitable for Audit Committee or full Board presentation.

User Guide covers the 5 most common new-CISO mistakes, how to navigate the inherited-debt conversation with leadership, the vCISO-specific onboarding variations, and how to use the 90-day output to establish budget credibility.