Every CISO search I have sat on (and I am running interview loops right now for security leadership roles at a large company) eventually asks the same question: “Walk us through your first 90 days.” Candidates who treat it as a formality lose the room in about four minutes. Candidates who treat it as a chance to show how they think about a business they have never worked inside tend to make the final round.
This guide covers both jobs the 90-day plan has to do: the interview artifact that panels use to score your judgment, and the actual operating plan you execute after you sign. They share a skeleton. They are not the same document, and confusing them is one of the most common ways strong candidates get rejected.
Two Documents, One Name
The interview version of the 90-day plan is a judgment test wearing a planning costume. When a panel asks for it, nobody expects you to know the company’s real security posture. What they are scoring is whether you understand what a new executive can and cannot know from the outside, whether your instincts run toward listening or toward announcing, and whether your plan connects to how the company makes money.
In our debriefs, a generic 90-day plan is reliably a top-three rejection reason, alongside failing the board-communication question and failing to show any commercial awareness. It usually gets phrased as “the plan could have been written for any company” or “it was a tooling roadmap, not a leadership plan.” A candidate who opens with “deploy EDR, roll out a SIEM, launch security awareness training” has told the panel that their plan for a $2B logistics company is identical to their plan for a 200-person fintech. That is disqualifying at this level, and it does not matter how good the rest of the interview was.
The operating version, the one you build in your second week on the job, is different. It is longer, it has names and dates in it, and it gets revised constantly. The interview plan is a demonstration of how you would build the operating plan. Keep that distinction in your head and most of the advice below falls into place.
If you are preparing for the full loop and not just this question, the CISO interview guide covers how the 90-day question fits into the overall scoring, and the question bank has the follow-ups panels use to stress-test the plan once you present it.
Days 1–30: Listen and Assess
The first phase has one output: an accurate map of where the organization actually is, technically, politically, and financially. Not where the last audit said it was. Not where the outgoing CISO’s final board deck claimed it was.
The instinct you have to fight is the urge to fix things. You will see broken things in week one. Unless something is actively on fire (an unpatched internet-facing critical, an incident in progress), write it down and keep listening. Every fix you ship in the first 30 days is a fix you shipped before you understood the politics attached to it.
The 11 conversations to book in week one
Get these on the calendar in your first five days, even if some land in week three or four. Each has one question that matters more than everything else you will ask in the meeting:
- CEO: “What is the one thing that, if it went wrong, would keep you from hitting the plan this year?” You are learning what the business actually fears, which is rarely what the security team fears.
- CFO: “How does spending actually get approved here? What is the process, and where does it stall?” Not a budget ask. You are learning how money moves before you ever need to move it.
- General counsel: “What is in flight that I should know about: litigation, regulatory contact, contractual security commitments we have made to customers?” GCs know where the bodies are buried and are usually relieved to be asked early.
- Audit committee chair: “What did you not get from my predecessor that you wanted?” This is the single highest-leverage question in the whole list. The answer tells you exactly what your first board readout needs to contain.
- Head of engineering: “Where has security slowed your teams down in a way that didn’t feel worth it?” You are mapping accumulated resentment. There is always some.
- Head of product: “What are customers asking about security in deals, and are we losing anything because of it?” Security as a revenue blocker or enabler. This feeds your business case for everything later.
- Head of people: “Who on the security team is a flight risk, and who do people outside the team actually trust?” HR sees the team differently than the org chart does.
- Top customer-facing exec (CRO or equivalent): “What security questions come up in your biggest deals, and who answers them today?” If the answer is “a spreadsheet from 2023,” you just found a quick win.
- Your inherited team leads (one each, individually): “What have you been asking for that keeps getting deprioritized?” You will hear the same two or three items repeatedly. That repetition is data.
- IT leader: “Where do our asset and identity inventories lie to us?” Every environment has a gap between the CMDB and reality. The IT leader knows where it is and has usually stopped mentioning it because nobody acted on it.
- The previous CISO, if reachable: “What would you have done differently, and what could you never get funded?” Most incoming CISOs skip this call out of some misplaced territorial instinct. It is a thirty-minute conversation that can save you a quarter of discovery. If they left badly, the way people talk about their departure tells you plenty too.
Two more things belong in the first 30 days, and both are insider moves that generic articles miss. First, pull the audit committee calendar in week one. Your “day 90 board readout” is not actually on day 90. It is whenever the committee next meets, which might be day 55 or day 130. Your whole plan’s back end flexes around a date you do not control, and knowing that date early is the difference between a polished readout and a scramble. Second, find the cyber insurance renewal date. If it lands inside your first six months, the renewal questionnaire becomes a forcing function for half your assessment work, and the broker’s questions are a free external audit of what the market thinks matters.
Read the last two board decks, the last pen test report, and the most recent audit findings before you form any opinions. The gap between what the board was told and what the pen test found is your first honest measure of the culture you inherited.
Days 31–60: Prioritize and Align
Phase two turns the listening into a ranked list and starts building the coalition you need to act on it.
Risk-ranked findings, in business language
By day 45 you should have a one-page list of the top risks you found, ranked by impact on the business model, not by CVSS score, not by framework coverage gap. “Our order-management system has no tested recovery path, and it processes 100% of revenue” ranks above “we are missing a DLP tool,” every time, even though the second one is easier to fix. If your ranked list would look identical at a company with a completely different revenue model, you ranked it wrong.
This list is a draft, and you should present it that way to your boss and your peers: “Here is what I think matters most. Tell me what I am missing.” Peers who help shape the list defend it later. Peers who receive it as a verdict pick it apart.
The first budget conversation
Days 31–60 is when you go back to the CFO, this time with an ask, but a small and precise one. The goal of the first budget conversation is not to fund your program. It is to establish that when you ask for money, the ask is scoped, tied to a specific risk, and comes with a definition of done. Ask for one thing. Get it. Deliver it. Your credibility for the real budget cycle is built on that first transaction, and CFOs remember whether your first ask was disciplined or a wish list. (This dynamic also matters before you sign: the compensation negotiation guide covers how to probe budget authority during the offer stage, when your leverage is highest.)
Quick wins land here
One or two, no more. The next section covers what actually qualifies, because this is where most plans (interview and operating versions both) go wrong.
If you want the working skeleton for all of this rather than rebuilding it from prose, the free editable template at /90-day-plan/ is the template version of everything above (the eleven conversations, the phase gates, the readout structure), ready to adapt.
Quick Wins: What Counts and What Makes Panels Wince
A quick win has three properties, and it needs all three:
- Visible. Someone outside security notices it happened without being told to notice.
- Low political cost. It does not require anyone to admit fault, change their workflow, or lose budget.
- Tied to a stated business worry. Someone with power complained about this before you arrived. You are closing a loop they opened, not opening one of your own.
Examples that clear the bar: producing a real security answer packet for the sales team so enterprise deals stop stalling on questionnaires. Closing the audit finding that has appeared in two consecutive reports. Killing the security review step that adds two weeks to every release and catches nothing. Yes, removing a control can be a quick win, and it buys more goodwill with engineering than any tool you will ever deploy. Getting the executive team off shared admin credentials for the one system the GC already flagged.
Now the wince list. When a candidate says their 90-day quick win is “roll out MFA,” the panel exchanges a look. Either the company already has MFA (most do) and the candidate is reciting a script, or the candidate believes an identity migration touching every employee is a low-friction first-quarter move, which means they have never actually run one. “Ran a phishing test” is worse: your first visible act as a leader is tricking your new colleagues and generating a report that embarrasses whichever department clicked the most. That is a political cost with no risk reduction attached. “Launched security awareness training” and “started a tool evaluation” round out the category. Activity that photographs like progress but changes nothing an executive can see.
The test is simple: would the CFO mention your quick win to someone else unprompted? If not, it is not a quick win. It is just work.
Days 61–90: Deliver and Report
Phase three is where the plan converts to visible output. Two deliverables matter.
The first board-ready readout
Your day-90 readout (or day-55, or day-130, whenever the committee actually meets) is the most important document you produce in your first year, because it sets the baseline every future conversation is measured against. It should say: here is what I found, here is how it maps to what could hurt the business, here is what I am doing in what order, and here is what it costs. Four sections, honest, and short.
The mistake is making it reassuring. A first readout that says “things are broadly fine” wastes the one moment you can be blunt for free. Everything wrong right now is inherited; in a year, it is yours. Boards know this, and a new CISO who reports a clean bill of health reads as either not looking hard or already managing them. Building this document is a discipline of its own. The board presentation guide breaks down structure, timing, and the pre-wire conversations that decide how a readout lands before you ever enter the room.
The operating rhythm
The less glamorous deliverable is the rhythm you install: a monthly risk review with your directs, a standing sync with engineering and IT leadership, a quarterly business review with your boss, and a defined path for how risk decisions get escalated and by whom. The rhythm is the actual product of the first 90 days. Findings age out; risks change; the machinery that surfaces and routes them is what persists. If day 91 looks like day 45 (you personally chasing everything), the plan failed regardless of what got fixed.
How 90-Day Plans Fail
Four failure modes account for most of the rejections I have seen in interview debriefs, and most of the flameouts I have watched after hiring.
The 30/60/90 listicle. Three columns of bullets (“assess, plan, execute”) with content that could be pasted into any job at any company. Panels have seen this exact document dozens of times. It signals the candidate googled “CISO 90 day plan” the night before, and it converts a differentiation opportunity into a red flag. If your plan does not contain a single sentence that only applies to this company, do not bring it.
Promising a full risk assessment in 30 days. Anyone who has run one knows a real assessment of a mid-size enterprise takes a quarter or more, and the first month of it is fighting for access and finding out the asset inventory is fiction. Promising it in 30 days tells the panel you have either never done one or you are saying what you think they want to hear. Both readings kill you. Say “initial risk picture, refined continuously” and you keep your credibility.
No mention of the business model. A plan that never references what the company sells, how revenue flows, or what regulatory regime it lives under is a security plan for a company-shaped abstraction. This is the “could have been written for anyone” rejection. One paragraph connecting your priorities to their revenue engine separates you from most of the field, because most of the field skips it.
Reorganizing the team before day 60. Restructuring in your first two months means restructuring based on other people’s opinions of people you have not watched work. You will get some calls wrong, and you will spend a year paying for them. The exception is a genuine crisis (an empty critical seat, a conduct issue), and panels respect a candidate who names that exception explicitly. If you are stepping up from Director or Head of Security, this trap deserves extra attention; the first-time CISO guide covers why new CISOs reach for the org chart too early and what to do instead.
Presenting the Plan in the Interview
Mechanics matter as much as content here.
One page, not twelve. A dense deck does not read as thorough; it reads as someone who does not know what a new executive cannot know from outside. There is also a practical reason: a one-pager gets passed around the debrief table and actually read. A twelve-pager gets summarized by whichever interviewer skimmed it, and you have surrendered your narrative to their summary. One page, three phases, one line of reasoning per priority.
Caveat it, out loud, in these terms. Open with some version of: “Here is my plan given what I can see from the outside. Here is how I expect it to change once I am inside, and the first 30 days exist precisely to find out.” I have watched this single sentence move a candidate’s scores. Panels grade the caveat as seniority: it demonstrates you know the difference between a hypothesis and a plan, which is the exact judgment the question is designed to probe. Candidates who present their outside-in plan as settled fact get marked down for the same reason a doctor who diagnoses before examining would be.
Let them pull it from you. Do not slide the page across the table in the first ten minutes. Wait for the 90-day question, or for a natural opening: “that’s actually the second phase of how I’d approach this, I put a one-pager together if useful.” An artifact that arrives on request lands as preparation. One that arrives unprompted lands as a pitch.
Expect the follow-ups. “What if the CEO disagrees with your top risk?” “What would make you throw this plan away?” “What did you find in your current role’s first 90 days that surprised you?” The plan is the opening move, not the conversation. If you have not rehearsed the second-order questions, the one-pager just hands the panel a map of where to dig.
Get the Template
Everything above compresses into a structure you can fill in for a specific company in an evening: the eleven conversations with the single question for each, the three phase gates, the quick-win filter, the board readout outline, and the interview one-pager format with the caveat language built in.
The free editable version is at /90-day-plan/, the template version of everything above, in a format you can rewrite for the company in front of you rather than starting from a blank page. If you want to see it filled in end to end, the full worked example (a completed plan for a fictional mid-market company, with the reasoning annotated) lives in the templates library.
Whichever version you use, rewrite it in your own voice before any interview. Panels at this level have read every template on the internet, including this one. The structure is the commodity. What they are paying for is the thinking you pour into it, and that part, usefully, cannot be downloaded.