The 30-60-90 Day Plan for CISOs (6): Mastering Governance & Risk | Gordon Rudd - CISO Platform

Welcome to the Challenge: Governance, Risk & Security

A CISO’s world is never just about technology. It’s about governance, risk, and control. Without governance, security becomes a guessing game. Without risk management, threats remain unseen. A 30-60-90 day plan is the key to balancing it all. Let’s dive in.

First 30 Days: Establishing Governance & Understanding Risk

1. Governance: The Foundation of Security

A lack of governance is a risk in itself.

  • Start at the top. Board members and senior executives set the tone.
  • Establish an advisory committee. Business leaders need a say in security.
  • Define security’s role in IT strategy. If IT moves, security moves with it.

2. Prioritize Risk Management

Security is about controlling risk, not eliminating it.

  • Identify risk appetite. What’s an acceptable loss? Ask the CFO.
  • Use a framework. NIST, ISO, COBIT—pick one and stick to it.
  • Map risks to business impact. Not all threats need the same response.

3. Streamline Security Requests

Security must move at business speed.

  • Fix firewall bottlenecks. If IT controls the firewall, ensure security has a say.
  • Prioritize security projects. Delayed security is a vulnerability.
  • Understand approval processes. Know how to get projects funded and prioritized.

By the end of this phase, governance should be defined, risk appetite clear, and security positioned as a business enabler.

Day 31-60: Implementing Controls & Enhancing Visibility

4. Define & Enforce Security Frameworks

Frameworks provide structure and accountability.

  • Choose a primary framework. NIST, ISO, or COBIT are common choices.
  • Standardize policies. Align controls with business operations.
  • Ensure compliance integration. Security must fit into audit, legal, and regulatory needs.

5. Validate Security Tools & Justify Technology

Security tools should serve a purpose—not just exist.

  • Review existing technology. Every 18 months, ask, “Is this still the best option?”
  • Evaluate alternatives. Challenge vendors to stay competitive.
  • Automate where possible. AI and analytics can reduce manual workload.

6. Align Training with Business Needs

Security teams must keep up with evolving threats.

  • Mandate training. Five days of training per person every 90 days.
  • Encourage cross-training. No single points of failure.
  • Invest in certifications. Cloud, risk, and compliance skills are critical.

By the end of this phase, security controls should be aligned with business needs, tools should be justified, and staff should be continuously improving.

Day 61-90: Maturity, Automation & Continuous Improvement

7. Governance Committees: Keep Security in the Loop

Security decisions need leadership buy-in.

  • Join audit and risk committees. Security must be part of corporate governance.
  • Engage in IT strategy discussions. Security can’t be an afterthought.
  • Ensure compliance reporting is proactive. Don’t wait for audits to find gaps.

8. Continuous Security Improvement

Security isn’t static. It evolves.

  • Schedule vulnerability scans daily. Don’t wait for a breach to find weaknesses.
  • Monitor technology roadmaps. Know when your tools are becoming obsolete.
  • Refine security metrics. Measure effectiveness, not just activity.
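The "measure effectiveness, not just activity" point is easier to act on with a concrete metric set. The following Python is an added example, not code from the article or from CISO Platform: it takes a small constructed export of daily scanner findings and computes activity counts (how many findings were raised) alongside effectiveness measures (median days to remediate per severity, which open findings have blown their SLA, and overall SLA compliance). The SLA thresholds, asset names and finding dates are assumptions made up for the example.

```python
"""Effectiveness-vs-activity metrics over daily vulnerability-scan findings.

Added example (not from the article). The SLA thresholds and the findings
below are constructed for illustration, not taken from any real program.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed SLA: days allowed to remediate a finding of each severity.
# These are assumed values for the example, not a published standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date used for the ages of still-open findings (constructed).
AS_OF = date(2025, 3, 1)

# Constructed findings as a daily scanner might export them:
# (finding id, asset, severity, first seen, remediated-on or None)
FINDINGS = [
    ("F-001", "web-01", "critical", date(2025, 1, 2), date(2025, 1, 5)),
    ("F-002", "web-01", "high", date(2025, 1, 2), date(2025, 1, 20)),
    ("F-003", "db-01", "critical", date(2025, 1, 10), None),
    ("F-004", "db-01", "medium", date(2025, 1, 10), date(2025, 2, 28)),
    ("F-005", "vpn-gw", "critical", date(2025, 2, 1), date(2025, 2, 3)),
    ("F-006", "vpn-gw", "high", date(2025, 2, 1), None),
    ("F-007", "hr-app", "low", date(2025, 1, 15), None),
]


def activity_metrics(findings):
    """Activity counts: how much was raised, regardless of outcome."""
    by_sev = defaultdict(int)
    for _, _, sev, _, _ in findings:
        by_sev[sev] += 1
    return {"total_findings": len(findings), "findings_by_severity": dict(by_sev)}


def median_days_to_remediate(findings, severity):
    """Median days from first seen to remediated for closed findings of one severity.

    Returns None when nothing of that severity has been closed yet.
    """
    durations = [
        (fixed - seen).days
        for _, _, sev, seen, fixed in findings
        if sev == severity and fixed is not None
    ]
    return median(durations) if durations else None


def open_past_sla(findings, as_of):
    """Open findings whose age on `as_of` exceeds the SLA for their severity."""
    overdue = []
    for fid, asset, sev, seen, fixed in findings:
        age = (as_of - seen).days
        if fixed is None and age > SLA_DAYS[sev]:
            overdue.append((fid, asset, sev, age))
    return overdue


def sla_compliance_rate(findings, as_of):
    """Share of findings (closed or still open) that met, or still meet, their SLA."""
    met = 0
    for _, _, sev, seen, fixed in findings:
        age = ((fixed or as_of) - seen).days
        if age <= SLA_DAYS[sev]:
            met += 1
    return met / len(findings)


if __name__ == "__main__":
    print("activity:", activity_metrics(FINDINGS))
    for sev in SLA_DAYS:
        print(f"median days to remediate {sev}:", median_days_to_remediate(FINDINGS, sev))
    print("open past SLA:", open_past_sla(FINDINGS, AS_OF))
    print(f"SLA compliance: {sla_compliance_rate(FINDINGS, AS_OF):.0%}")
```

The activity figure (seven findings raised) says nothing about outcomes; the effectiveness figures show that criticals are closed in about two and a half days when they are closed at all, and that one critical on a database host has sat open far past its SLA. That is the kind of number a board or risk committee can act on.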

9. Secure the Development Lifecycle

Code security matters just as much as network security.

  • Implement code reviews. Security should be part of development, not an afterthought.
  • Use automated security testing. Catch vulnerabilities early.
  • Adopt secure coding standards. Reduce risk before deployment.

By the end of 90 days, governance should be strong, risk should be managed, and security should be woven into business operations.

The Future: Staying Ahead of Threats

Cybersecurity doesn’t stop at 90 days. It’s an ongoing cycle.

  • Monitor, refine, repeat. Governance and security must adapt to business changes.
  • Justify security investments. Keep proving the value of security initiatives.
  • Train relentlessly. Technology evolves fast—your team must evolve faster.

With a structured 30-60-90 day plan, CISOs can build a security function that’s resilient, responsive, and ready for anything. Now, go secure the enterprise.

By: Gordon Rudd (Chief Executive Officer, Stone Creek Coaching)