Cyverity

How to Win Your First 90 Days as a New CISO

Speaker: Russell Eubanks
Event: RSAC 2025
Date: April 30, 2025
Watch on YouTube: https://www.youtube.com/watch?v=VflCqx9aHGA

Introduction

In this RSA Conference session, seasoned cybersecurity leader Russell Eubanks offers a practical and motivational guide for CISOs looking to make a successful transition into their new role. Drawing from his own experience as the former CISO of the Federal Reserve Bank of Atlanta, Eubanks provides a 90-day framework designed to help new security executives navigate organizational politics, assess risk, and build trust—without burning out or acting prematurely.

Rather than approaching the first 90 days with a “fix everything” mindset, Eubanks recommends slowing down, observing carefully, and laying the foundation for long-term success. His mantra: “Get wisdom as cheaply as you can.”

Key Takeaways

  1. Prepare Before Day One (“T-minus 14”)
    Before starting the role, shift your mindset from employee to advisor. Treat the organization like a client:
  • Conduct open-source intelligence (OSINT) research: study the company’s mission, values, annual reports, and board member bios.
  • Identify who holds influence—especially board members and their own CISOs. Consider reaching out to build informal relationships.
  • Understand what the organization says it values—and prepare to connect security goals to those values.
  2. Embrace the “New Person” Mindset
    Resist the urge to prove yourself too quickly. Instead:
  • Publicly position yourself as a student of the organization.
  • Spend time learning the culture, politics, and business drivers before proposing changes.
  • Avoid overruling established team leaders until you have enough context—Eubanks shares a personal example of mishandling an incident response by moving too fast.
  3. Build Relationships Early
    Within the first two weeks:
  • Map out the org chart—both up and down. Know your direct reports, peers, and executive stakeholders.
  • Begin one-on-one meetings across the business, not just in security.
  • Identify a “work bestie” or peer mentor who can help you understand internal dynamics.
  4. Develop Your “Elevator Pitch”
    CISOs must communicate clearly and consistently:
  • Draft a short explanation of what you and your team do, in language business leaders understand.
  • Update and refine this pitch at Days 7, 30, 60, and 90 as your understanding of the role and organization evolves.
  • Practice this pitch—record it, watch it, and work on eliminating distractions to strengthen delivery.
  5. Use Existing Resources to Inform Your Strategy
    Focus on understanding the current security landscape before making changes:
  • Review policies, procedures, risk registers, and audit findings.
  • Track the age of your risk register like you would the expiration date on a carton of milk—outdated risks lead to misaligned priorities.
  • Collaborate with the audit team, not as adversaries, but as allies offering insight and feedback.
  6. Don’t Rush to Change Things
    Even when you think you see obvious problems:
  • Wait until you’ve gathered enough data and context.
  • Document issues, but save major adjustments for later.
  • Focus on learning and relationship-building in the early days.
  7. Define Team Purpose and Vision by Day 90
    Once you’ve gained insight into the organization:
  • Draft mission, vision, and values for the cybersecurity team—aligned with company-wide goals.
  • Involve direct reports and the broader team in refining and owning this direction.
  • Anchor future decisions and communications to these guiding principles.
  8. Build and Leverage a Community
  • Connect with local or national cybersecurity groups (ISSA, InfraGard, BSides, etc.).
  • Establish a CISO peer network for sharing insights and solving challenges.
  • Consider forming an internal advisory board of cross-functional leaders.
  9. Set Goals and Systems for Ongoing Success
    Sustainable leadership is built on intentional habits:
  • Define professional and personal goals clearly.
  • Use tools like paper planners or task trackers to ensure daily alignment with long-term outcomes.
  • Establish routines (e.g., rest, exercise, reflection) to maintain high performance over time.

Conclusion

Eubanks closes by reminding attendees that the real work of a CISO doesn’t start on Day One—it starts long before, in preparation, observation, and humility. The secret to success? Stay curious. Learn relentlessly. And don’t just survive your first 90 days—win them.