Sink or Swim (A CISO’s First 91 Days)

Welcome to the talk page for Sink or Swim: A CISO’s First 91 Days, first given as an RSAC CISO Boot Camp Virtual Roundtable in 2026.

How to CISO relevant resources

Other relevant resources

Talk Slides

Abstract

The challenge of establishing an effective security program is that there are too many things you could be doing, which makes it hard for security leaders to decide which things they should do first, next … and never. Security leaders might come in with their beliefs about textbook security programs, which run afoul of organizational dynamics, sabotaging a new security leader before they even get started.

The first 91 days of a security leader’s tenure – whether they are a CISO in name, in effect, or even embedded in an organization – set the stage for their ultimate success. Do they become distracted as they pivot from one fire to another? Is their security program built from the ground up based on first principles, or is it cobbled together with duct tape and baling wire?
In this talk, security leaders will not only be provided with a mental model for evaluating the state of their security program, they will also receive clear and actionable guidance on how to evaluate the organization that they find themselves in, build better relationships with their stakeholders, and prioritize the good work ahead of them.

The talk covers the different types of organizations that a security leader might find themselves in, and the specific policy outcomes that might change based on the risk tolerance and business model of the organization.

Security leaders will learn how to quickly engage and form meaningful relationships with stakeholders, as well as quickly gather actionable input that will be useful in developing their security roadmap, ensuring that they have short-term wins to build momentum for longer-term projects.