BLOG · 6 min read
First 90 Days as a Security Lead
New security leaders fail by trying to fix everything in month one. The job in the first 90 days is to understand, prioritize, and ship one obvious win.
Days 1-30: Listen
Interview engineering, IT, legal, product, support. Map the crown jewels. Read every past incident postmortem.
Days 31-60: Baseline
Asset inventory, identity inventory, current detections, current controls. Score against a real framework (CIS, NIST CSF).
- Top 5 risks with owner + date
- Detection coverage vs ATT&CK
- MFA, EDR, backup coverage %
Days 61-90: Ship one thing
Phishing-resistant MFA for admins, EDR on every endpoint, or backup verification. One visible win builds the trust you need for year two.
Tools mentioned
CIS ControlsNIST CSFATT&CK NavigatorVantaDrata
⟩ takeaway
Credibility before strategy. Ship one boring, obvious improvement before you propose the transformation roadmap.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.