The First 100 Days of the CISO: A Critical Period for Organisational Alignment

Why the first 100 days shape long-term outcomes more than technical capability

I have written and spoken at length over the past ten years around the short tenure of Chief Information Security Officers (CISOs).

Year after year, surveys estimate it in the region of two to three years. This is significantly below the average tenure of other C-level roles, if you assume the CISO role is a true C-level role and can be compared.

On that last point alone, a lot could be said in many firms, but to stay on topic, I would say the two to three years estimate matches my own field experience and the research I have conducted across my own network.

Personally, I think the short tenure of CISOs is one of the major cornerstones explaining the long-term stagnation of cybersecurity maturity in many large firms, and as a consequence, the non-stop avalanche of cyber-attacks we are witnessing today. You cannot achieve much of transformative substance around cybersecurity in any large firm in two to three years. Large organisations have always been siloed, political and territorial; over the past decades, they have simply become too complex for cybersecurity transformative dynamics to reach meaningfully across the corporate structure in those timeframes.

Across the cybersecurity industry, there are several lines of thought trying to explain the short tenure of CISOs: Mismatch between field reality and business (or CISO’s) expectations, lack of budgetary resources to achieve anything meaningful, inadequate organisational structures or reporting line, scapegoating; the list is long…

All point towards some form of business disconnect leading to frustration and exit.

To me, quite a lot of that disconnect builds up in the first 100 days of the CISO.

The way an incoming executive approaches the role and engages with business stakeholders from the start almost always conditions the way this executive will be perceived and treated by other leaders down the line.

Beyond the journalistic cliché of the first 100 days, there are a few hard realities: The period is long enough for people to judge the way you understand the firm, its culture and its political dimensions. All those aspects matter for a role as complex and transversal as the CISO’s. And first impressions solidify quickly (and are hard to shake off later on).

The biggest mistake an incoming CISO can make is to rush in with pre-conceived ideas and look for quick wins: What has worked elsewhere may not work here; real decision makers may not be those with the biggest title on the org chart; rushed decisions – technical or organisational – may lead to friction.

The key is to listen to all stakeholders and read the room first: Understanding expectations, pain points, previous failures and their context, even what happened with the previous CISO, and hearing it from real stakeholders in their own words, should lead to the consolidation of a picture, out of which a meaningful and achievable direction of travel should emerge.

Humility is key here: Acknowledging that, as a new player, you need to understand the lay of the land, identifying real movers and shakers, mapping how trust and allegiances operate across corporate silos and geographies, all this needs to be absorbed in the first weeks in order to co-construct a strategic and operational framework that will be aligned with the governance culture of the organisation.

“What can I do to help you?” is often the first question new CISOs should ask other senior leaders.

By listening first and building an approach that attempts to address the cybersecurity challenges of the firm within its actual cultural and governance context, federating all relevant stakeholders, the new CISO positions themselves as a strategic thinker and as a natural leader.

Rushing to address operational issues, painted as quick wins, simply lowers the role and almost always traps the CISO in firefighting dynamics from which they rarely escape.

That’s the original mistake too many make: Down the line, they end up complaining that the business doesn’t understand their priorities, that they don’t have board access or sufficient budgets, but all those aspects are often the result of a situation built up during their first 100 days.

The first 100 days are not about showing what you can do but showing how you can lead in the actual cultural and governance context of the firm, and drive change if that’s what’s required.

The first 100 days of the new CISO have to be the crucible in which a bond of trust is forged between the CISO and key business stakeholders, and this is something that can only emerge from listening to the culture and priorities of the business and embedding the cybersecurity strategy within those.

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 26th September 2025 and can be found here.