The New CISO Special: Organizing the Chaos in Your First 100 Days
With Senior Solutions Architect Matt Twells, Bishop Fox offers a comprehensive guide to ease into your role confidently, providing a strategic framework to streamline your initial efforts.
Senior Solutions Architect Matt Twells breaks down his guide to surviving and thriving in your first 100 days as a security leader. Whether you're stepping into your first CISO role or taking charge of an existing security program, those initial months can feel like trying to eat an elephant whole. This presentation offers a practical framework for getting your arms around the chaos, focusing not just on what bites to take, but which ones to take first. Let's dive into this roadmap for security leadership success!
Summary
Matthew's presentation tackles the overwhelming challenges faced by new security leaders through a structured 100-day approach divided into three distinct phases.
Days 1-30 focus on listening, assessment, and building situational awareness. Drawing from military experience, Matthew emphasizes the importance of "getting your 5s and 20s in" - understanding your immediate environment before taking action. This initial phase involves extensive stakeholder meetings across business units, IT teams, leadership, HR, finance and sales to gather tribal knowledge. The speaker stresses the critical importance of inventory management - knowing what assets, software, users, vendors and data exist across the organization - calling this knowledge "like having a farm of wind turbines" that powers all other initiatives. This phase also includes compliance reviews and identifying the most urgent security issues requiring immediate attention.
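The inventory point above is the one place in this phase where a new leader can get a concrete answer quickly: pull the asset lists you already have and reconcile them against each other. The following Python is an added illustration of that reconciliation, not code from Bishop Fox or the presentation; the CMDB, EDR and cloud records are constructed sample data, and the field names and the `normalize_host` rule are assumptions about what such exports might look like.

```python
"""Reconcile asset inventories from several sources to surface coverage gaps.

Added example (not from the presentation). All records below are constructed
sample data; real exports would come from a CMDB, an EDR console and a cloud
provider API.
"""

# Constructed sample: what the CMDB says exists, and who owns it.
CMDB = [
    {"hostname": "web-01.corp.example.com", "owner": "platform"},
    {"hostname": "db-01.corp.example.com", "owner": "data"},
    {"hostname": "legacy-fs.corp.example.com", "owner": ""},
    {"hostname": "jump-01.corp.example.com", "owner": "infra"},
]

# Constructed sample: hosts that report in to the EDR console.
EDR_AGENTS = [
    {"hostname": "WEB-01.corp.example.com"},
    {"hostname": "db-01"},
    {"hostname": "jump-01"},
    {"hostname": "lab-vm-7"},
]

# Constructed sample: instances the cloud provider says are running.
CLOUD_INSTANCES = [
    {"name": "web-01"},
    {"name": "db-01"},
    {"name": "shadow-api-2"},
]


def normalize_host(name: str) -> str:
    """Assumed normalization: lower-case and drop the domain suffix, so that
    'WEB-01.corp.example.com' and 'web-01' refer to the same asset."""
    return name.strip().lower().split(".")[0]


def reconcile(cmdb, edr, cloud):
    """Cross-check three inventories and return the discrepancies that matter
    to a new security leader:

    unknown_to_cmdb : running in the cloud but the CMDB has never heard of it
    missing_edr     : known asset with no endpoint agent reporting
    edr_orphans     : agent reporting from a host the CMDB does not list
    unowned         : CMDB entry with no owner, so nobody to ask about it
    edr_coverage_pct: share of CMDB assets that have an EDR agent
    """
    cmdb_hosts = {normalize_host(r["hostname"]): r for r in cmdb}
    edr_hosts = {normalize_host(r["hostname"]) for r in edr}
    cloud_hosts = {normalize_host(r["name"]) for r in cloud}

    covered = set(cmdb_hosts) & edr_hosts
    coverage = 100.0 * len(covered) / len(cmdb_hosts) if cmdb_hosts else 0.0

    return {
        "unknown_to_cmdb": sorted(cloud_hosts - set(cmdb_hosts)),
        "missing_edr": sorted(set(cmdb_hosts) - edr_hosts),
        "edr_orphans": sorted(edr_hosts - set(cmdb_hosts)),
        "unowned": sorted(h for h, r in cmdb_hosts.items() if not r.get("owner")),
        "edr_coverage_pct": round(coverage, 1),
    }


if __name__ == "__main__":
    for key, value in reconcile(CMDB, EDR_AGENTS, CLOUD_INSTANCES).items():
        print(f"{key:18}: {value}")
```

Each bucket maps to a conversation in the stakeholder meetings: `unknown_to_cmdb` goes to whoever owns the cloud accounts, `missing_edr` and `edr_orphans` to the endpoint team, and `unowned` to the business units, since an asset with no owner has no one to sign off on patching or decommissioning it.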
Days 31-60 shift to planning, strategizing and prioritizing. This phase involves developing clear short-term and long-term security goals with measurable metrics that align with business objectives. Matthew provides detailed guidance on budget evaluation, emphasizing that while security leaders don't need to become accountants, they must understand how money is allocated and demonstrate value to stakeholders. The presentation covers building compelling business cases using a clear problem-risk-solution framework, quantifying ROI, and conducting gap analyses against industry frameworks like NIST CSF. Matthew emphasizes that demonstrating improvement against recognized frameworks builds credibility with leadership who may not understand technical details.
Days 61-100 focus on implementation and execution. The presentation highlights the importance of "quick wins" - smaller projects that show immediate value while longer-term initiatives progress. Matthew stresses effective stakeholder engagement across departments to ensure security initiatives enable rather than hinder business objectives. The presentation covers creating simple, effective reporting structures for senior leadership with clear status updates on completed work, in-progress initiatives, challenges, and expected completion dates. Finally, Matthew introduces the concept of decentralized command - empowering teams with clear objectives while giving them autonomy in execution, which requires trust, clear communication, and a culture that allows experimentation without fear of retribution.
Throughout the presentation, Matthew emphasizes recurring themes: doing the fundamentals well, avoiding attempts to "boil the ocean," building relationships across the organization, and ensuring security initiatives align with business objectives. The approach balances technical security requirements with practical business realities, providing a comprehensive framework for security leaders to navigate their critical first months.
Key Takeaways
- Start with situational awareness - understand your immediate environment before implementing changes by meeting stakeholders, assessing existing security posture, and identifying "what's on fire" versus longer-term issues.
- Prioritize inventory management of assets, users, vendors, and data - this fundamental knowledge powers all other security initiatives and is essential for regulatory compliance and risk assessment.
- Develop measurable security goals that align with business objectives - security strategies that impede business operations will ultimately fail, regardless of their technical merit.
- Master the art of building business cases using a problem-risk-solution framework with quantifiable ROI - this skill is essential for securing necessary resources from leadership.
- Create simple, consistent reporting structures for senior leadership focusing on what matters to them: what's been done, what's in progress, challenges faced, and expected completion dates.
- Implement "quick wins" alongside strategic initiatives to build credibility and demonstrate progress while longer-term projects develop.
- Adopt decentralized command principles - empower teams with clear objectives and boundaries while giving them autonomy in execution, fostering agility and innovation.
Chapters
0:03:40 - Days 1-30: Listen, Assess & Understand Your Environment
0:30:27 - Days 31-60: Plan, Strategize & Prioritize
0:33:15 - Short-Term & Long-Term Cybersecurity Goals
0:41:17 - Budget Evaluation & Business Cases
0:59:17 - Gap Analysis
1:12:23 - Days 61-100: Aim, Implement & Execute
1:21:26 - Reporting Effectively to Senior Leadership