A blueprint for the next decade of cybersecurity leadership
Buy It Here on Amazon
When I first began advising CIOs and other C-level executives in large firms over fifteen years ago, a pattern quickly emerged around the role of the CISO: The success or failure of a CISO had very little to do with technical expertise, and everything to do with leadership, structure, sequencing, and their ability to build credibility before attempting change.
It became clear that the first 100 days in a CISO role are not simply an onboarding period—they are a defining leadership moment. They set the tone, establish influence, and determine whether the CISO will be a strategic voice or become trapped in reactive mode and operational detail from which they may never emerge.
This book was written to help incoming CISOs on that journey.
The First 100 Days of the New CISO is not a technical manual. It is a leadership guide for a new era—an era in which cybersecurity is no longer an IT function but a pillar of corporate governance, business resilience, and stakeholder trust.
My goal with this book is to give new and existing CISOs a pragmatic, structured roadmap that reflects how real organisations work, how boards think, and how trust is built—or lost—in the early months of leadership.
At the heart of this book is a framework I have been writing about since 2017, which breaks the first 100 days into three purposeful phases: the first six days, six weeks, and six months. This structure is not about arbitrary timelines; it is about rhythm, structured development, and narrative control.
In the first six days, the CISO must observe, listen, and understand the true nature of the enterprise they have entered—its culture, its politics, and how decisions are really made.
In the next six weeks, the focus shifts to alignment: turning observations into structured engagement, establishing governance rhythms, and articulating a credible direction of travel.
The next six months are about embedding execution: delivering early proof points, institutionalising accountability, and demonstrating that security is being managed with proportion and control.
This is how influence is built: by creating the conditions in which change becomes expected, supported, and sustainable, before launching into it fully.
Throughout the book, I challenge the pervasive myth that immediate action and “quick wins” are the hallmark of a strong CISO. Activity is not impact. In fact, premature action often undermines credibility, reinforcing the perception of cybersecurity as reactive, isolated, or disconnected from business reality. Instead, I focus on putting credibility and trust before change, governance before growth, and sequencing before speed. This is the discipline that separates leaders who build lasting capability from those who end up spending their tenure firefighting.
The chapters guide the reader through that journey. We start with understanding the mandate and expectations that accompany a new appointment. We then explore how to use the first 100 days to establish trust with stakeholders, create clarity around governance, and introduce the right operating cadence. I explain how influence must precede authority, and how governance is not bureaucracy but the architecture of leadership and continuity.
As the book progresses, we shift beyond the first 100 days into the broader landscape of long-term leadership. I explore how CISOs transition from programme-driven change to operating model maturity, how culture and human behaviour underpin lasting security performance, and how the CISO must ultimately move towards value creation, beyond risk and compliance. Chapters on resilience, board engagement, metrics, and long-term capability round out the narrative, reinforcing the central idea that cybersecurity leadership is about building organisations that remain confident in their security, adaptable as threats evolve, and aligned as business conditions change, regardless of external shocks or leadership transitions.
The book attempts to translate complex leadership challenges into clear, actionable guidance—without jargon, without fear-driven narratives, and without unrealistic theory. Each chapter concludes with concise frameworks highlighting Warning Signs and Positive Signals—helping leaders assess where they are gaining traction or losing credibility. Unlike too many cybersecurity books, it is written in the language of business leadership, designed for CISOs as well as CEOs, CIOs, Chief Risk Officers, and board members who must understand the true nature of modern cyber governance.
Above all, The First 100 Days of the New CISO is a call to redefine the role itself. The CISO of the future is not a technical guardian, nor a compliance enforcer. They are a leadership figure—a steward of trust, a translator of risk, and a creator of organisational confidence. The first 100 days are where that identity is forged.
This book is for those who want to lead differently. For those who understand that cybersecurity is no longer just about preventing breaches, but about enabling strategy, protecting value, and strengthening the enterprise from the inside out. It is for CISOs who want to leave a legacy not of activity, but of maturity—of resilience, alignment, and impact that endures.
This is more than a book about the first 100 days. It is a blueprint for the next decade of cybersecurity leadership.
JC Gaillard
Founder & CEO
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
