Too Many CISOs Try to Move Too Fast—and Pay the Price

JC Gaillard's column on cybersecurity

The “First 100 Days of the New CISO” are about understanding the business, not fixing it

Listen to my conversation with Niels Brabandt here on his Leadership podcast: The First 100 Days of a CISO: Cybersecurity Leadership and Execution

Too many CISOs fail—not because they lack competence, but because they enter the role with the wrong mindset. They arrive with pre-packaged solutions, proven frameworks, and a desire to demonstrate immediate value. Within two to three years, many leave frustrated, blaming a business that “doesn’t get it.” This is at the heart of what I have been calling the “Cybersecurity Spiral of Failure”.

The reality is simpler and more uncomfortable: Large organizations are complex, political, and slow-moving. Transformation takes time. Yet CISOs are trapped in short-term expectations, asked to deliver meaningful change in environments where progress is inherently difficult. This is why the first 100 days matter so much. Not as a period of observation, but as a defining moment to position yourself as a leader.

The role itself has become almost impossible. One day you are expected to be credible with the board, the next with regulators, then with engineers, auditors, and your own teams. This constant shifting creates tension and fragmentation. If you try to please everyone through technical expertise alone, you will fail.

The first lesson is this: You have not been hired to prove your competence. That is already assumed. You have been hired to lead.

This is where it becomes essential to approach the period in a structured way: In my last book on the topic, I advocate a “triple6” framework built around six days, six weeks, and six months. It is not a checklist; it is more a matter of discipline.

In the first six days, you listen. You resist the temptation to act. Cybersecurity has existed in your organization for years, often decades. There is history, context, and accumulated effort. There is no such thing as a “greenfield” around cybersecurity in large organisations. If you do not understand what came before you, you run the risk of repeating the same mistakes.

In the first six weeks, you continue to listen—but now with intent. You engage stakeholders and begin to co-construct a cybersecurity narrative. How can I help you? What can I do for you? … Those simple questions often break defensive mechanisms and lead to productive exchanges. It is with that type of “servant leadership” attitude that you build credibility—not by imposing solutions, but by aligning with business needs.

In the next six months, you focus on execution. The “what” of cybersecurity is largely known. Best practices have been established for decades. The real challenge is the “how.” Why has progress not happened before? Where are the roadblocks? Who owns what? If you cannot answer these questions, you will not succeed.

Too many organizations remain stuck in compliance-driven thinking—rules, frameworks, audits. Compliance matters, but it is not the objective. It must be seen as a byproduct of doing the right things well. Senior executives understand the reality of cyber risk today. The issue is not awareness; it is execution.

I have spoken to many CIOs who say, “I could allocate large amounts in my budget to cybersecurity—but then what?” That is often the problem. Not funding, not knowledge, but delivery.

As a CISO, your role is not just to define what needs to be done. It is to make it happen.

If you use your first 100 days to listen, align, and understand the barriers to execution, you create the conditions for long-term success. If you rush to act, you may reinforce the very dynamics that have caused others to fail before you.

In the end, success in this role has very little to do with pure technical brilliance. Most CISOs already know what “good” looks like. What separates those who succeed from those who don’t is their ability to lead and deliver—patiently, pragmatically, and in alignment with the business. It is about understanding people, navigating enterprise complexity, and removing the obstacles that have quietly blocked progress for years.

Cybersecurity does not fail because we lack knowledge; it fails because we struggle to turn that knowledge into sustained action. The CISO who recognises this—and acts on it from day one—stands a far better chance of breaking the cycle.

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.