30, 60, 90 Day Plan For New Security Leaders
A simple outline of tasks and goals a new security leader will need to tackle in their first 90 days.
When hiring anyone, it’s always great to understand what they should be working in their first 90 days of employment. You as a hiring manager likely have an understanding already of what needs to be done, otherwise, you wouldn’t be hiring 😄, but probably from just a high level and only some of the burning/immediate issues.
You know there are a lot of security issues that need to be addressed, but there are obvious gaps in what needs to be from a priority perspective as well as possible unknown unknowns in your environment.
The below is a 30, 60, 90 plan to help those hiring early security leaders in an organization understand what they would/could/should be doing.
Note: This is a generic plan. YMMV depending on how large the organization is and if there is/was someone responsible for security or not.
Security Leadership Plan - First 30 Days
Meet all key stakeholders
Understand where security has been a blocker or enabler
Understand business concerns and near term goals
Understand what the crown jewels of the business really is (everyone has a different perspective)
Get a braindump from existing/previous security person
There is always someone responsible for security. It may have been the General Counsel, CFO, CEO, VP of Engineering, a Contractor / Interim CISO
Begin a security/risk assessment of the organization. Start populating a risk register
This can be informal, but as you’re speaking to people and understanding what security is in place, where the skeletons are, and what security debt there is, begin tracking it in a risk register.
Take a look at other team’s boards and understand the projects they are working on. Start sitting in on meetings and understand who the technical SME’s are PM’s of the group are.
This is a great way to get to know people in the organization and understand what’s taking their time.
Also a great way to bake security in early 😉
Check for the basics
Logging / Operations
Incident Response Plan
This is super important as an incident can happen at any time. Hopefully not in the first week the person starts, but we don’t always have that luxury.
Application Security hygiene
Onboarding / Offboarding / Security Awareness
Review previous assessments/audit reports
Security Leadership Plan - 31-60 Days
By now the individual has a beginner’s level understanding of the landscape and is formulating potential solves for security in their head. By day 45 we should be seeing some concrete action taking place.
Have a hiring plan outlined for the organization
Write job descriptions for Engineers and/or Managers
Start conversations with vendors to fill existing gaps in processes or operations
Start putting together OKR’s for the next few quarters
Security Leadership Plan - 61-90 Days
Now is when the rubber hits the road. Things are coming together and they are starting to figure out their flow. It’s still very early in the security program, but with the right help initiatives are looking a little more solidified.
Begin interviewing candidates if not already. Ideally should be 2nd/3rd round interviews or if possible have hired first person by now.
Improvements to security processes are being implemented right now
Vendors are chosen for a few key areas and contracts are underway
Security hires will be implementing these tools and this will be part of their 30-60-90.
If the organization does not have any security engineers at this point, I would move up and accelerate security hiring.
Vendor selection for certain areas and tools they will be running can be delayed as they should have a decision in the process. There are of course some vendors/tools that will not require an engineer’s input that a leader can implement immediately.
This is a generic plan for startups and not a comprehensive one. YMMV1 depending on how large the organization is and if there is/was someone responsible for security or not.
I’ve been in environments where six months later, I’m still uncovering things. Being able to truffle
What is your 30, 60, 90 day plan? Any tips/tricks you can share that made onboarding someone easier?
Your Mileage May Vary