The 30-60-90 Day Plan for CISOs(6): Mastering Governance & Risk | Gordon Rudd

Welcome to the Challenge: Governance, Risk & Security

A CISO’s world is never just about technology. It’s about governance, risk, and control. Without governance, security becomes a guessing game. Without risk management, threats remain unseen. A 30-60-90 day plan is the key to balancing it all. Let’s dive in.


First 30 Days: Establishing Governance & Understanding Risk

1. Governance: The Foundation of Security

A lack of governance is a risk in itself.

  • Start at the top. Board members and senior executives set the tone.
  • Establish an advisory committee. Business leaders need a say in security.
  • Define security’s role in IT strategy. If IT moves, security moves with it.


2. Prioritize Risk Management

Security is about controlling risk, not eliminating it.

  • Identify risk appetite. What’s an acceptable loss? Ask the CFO.
  • Use a framework. NIST CSF, ISO/IEC 27001, or COBIT: pick one and stick to it.
  • Map risks to business impact. Not all threats need the same response.


3. Streamline Security Requests

Security must move at business speed.

  • Fix firewall bottlenecks. If IT controls the firewall, ensure security has a say.
  • Prioritize security projects. Delayed security is a vulnerability.
  • Understand approval processes. Know how to get projects funded and prioritized.

By the end of this phase, governance should be defined, risk appetite clear, and security positioned as a business enabler.


Day 31-60: Implementing Controls & Enhancing Visibility

4. Define & Enforce Security Frameworks

Frameworks provide structure and accountability.

  • Choose a primary framework. NIST CSF, ISO/IEC 27001, or COBIT are common choices.
  • Standardize policies. Align controls with business operations.
  • Ensure compliance integration. Security must fit into audit, legal, and regulatory needs.


5. Validate Security Tools & Justify Technology

Security tools should serve a purpose—not just exist.

  • Review existing technology. Every 18 months, ask, “Is this still the best option?”
  • Evaluate alternatives. Challenge vendors to stay competitive.
  • Automate where possible. AI and analytics can reduce manual workload.


6. Align Training with Business Needs

Security teams must keep up with evolving threats.

  • Mandate training. Five days of training per person every 90 days.
  • Encourage cross-training. No single points of failure.
  • Invest in certifications. Cloud, risk, and compliance skills are critical.

By the end of this phase, security controls should be aligned with business needs, tools should be justified, and staff should be continuously improving.


Day 61-90: Maturity, Automation & Continuous Improvement

7. Governance Committees: Keep Security in the Loop

Security decisions need leadership buy-in.

  • Join audit and risk committees. Security must be part of corporate governance.
  • Engage in IT strategy discussions. Security can’t be an afterthought.
  • Ensure compliance reporting is proactive. Don’t wait for audits to find gaps.


8. Continuous Security Improvement

Security isn’t static. It evolves.

  • Schedule vulnerability scans daily. Don’t wait for a breach to find weaknesses.
  • Monitor technology roadmaps. Know when your tools are becoming obsolete.
  • Refine security metrics. Measure effectiveness (time to remediate, share of findings fixed within SLA), not just activity (scans run, findings counted).
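As an added illustration of the "effectiveness, not activity" point (this is example code written for this edit, not something from the original post or from Stone Creek Coaching), the script below takes a constructed export of scanner findings and computes both kinds of metric side by side. The SLA targets, the asset names and the findings themselves are assumptions for the example; the point is that 45 scans and six findings say nothing about risk, while mean time to remediate per severity and SLA compliance do.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Remediation SLA per severity, in days. Assumed values for this example;
# in practice these come from the risk appetite agreed with the business.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the example (assumed).
AS_OF = date(2025, 4, 15)


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    first_seen: date          # date the scanner first reported it
    fixed: Optional[date]     # None while the finding is still open


# Constructed sample export, as a scanner might emit after several daily runs.
# Asset names and dates are invented for the example.
FINDINGS = [
    Finding("web-01", "critical", date(2025, 3, 1), date(2025, 3, 4)),
    Finding("web-02", "critical", date(2025, 3, 2), date(2025, 3, 20)),
    Finding("db-01", "high", date(2025, 3, 1), date(2025, 3, 15)),
    Finding("db-01", "high", date(2025, 3, 5), None),
    Finding("vpn-01", "medium", date(2025, 2, 1), date(2025, 4, 1)),
    Finding("jump-01", "low", date(2025, 1, 10), None),
]


def deadline(f: Finding) -> date:
    """SLA deadline for a finding, derived from its severity."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def activity_metrics(findings, scans_run: int) -> dict:
    """The 'activity' view: counts of work done, which say nothing about exposure."""
    return {"scans_run": scans_run, "findings_total": len(findings)}


def mttr_days(findings, severity: str) -> Optional[float]:
    """Mean time to remediate closed findings of one severity, in days.
    Returns None when nothing of that severity has been closed yet."""
    closed = [(f.fixed - f.first_seen).days
              for f in findings if f.severity == severity and f.fixed]
    return mean(closed) if closed else None


def sla_compliance(findings, as_of: date) -> Optional[float]:
    """Fraction of decidable findings fixed within SLA.
    Open findings past their deadline count as misses; open findings still
    inside their SLA window are excluded because the outcome is not yet known."""
    met = missed = 0
    for f in findings:
        if f.fixed is not None:
            if f.fixed <= deadline(f):
                met += 1
            else:
                missed += 1
        elif as_of > deadline(f):
            missed += 1
    decided = met + missed
    return met / decided if decided else None


def overdue_open(findings, as_of: date) -> list:
    """Open findings already past their SLA deadline: the number leadership should see."""
    return [f for f in findings if f.fixed is None and as_of > deadline(f)]


def effectiveness_metrics(findings, as_of: date) -> dict:
    """The 'effectiveness' view: how fast and how reliably exposure is removed."""
    return {
        "mttr_days": {sev: mttr_days(findings, sev) for sev in SLA_DAYS},
        "sla_compliance": sla_compliance(findings, as_of),
        "overdue_open": len(overdue_open(findings, as_of)),
    }


if __name__ == "__main__":
    print("activity:     ", activity_metrics(FINDINGS, scans_run=45))
    print("effectiveness:", effectiveness_metrics(FINDINGS, AS_OF))
```

On this sample the activity view looks healthy (45 scans, six findings), while the effectiveness view shows critical findings taking 10.5 days on average against a 7-day SLA, only 60% of decidable findings fixed in time, and one high-severity finding already overdue. Those are the numbers that belong on a board slide; the scan count is not.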


9. Secure the Development Lifecycle

Code security matters just as much as network security.

  • Implement code reviews. Security should be part of development, not an afterthought.
  • Use automated security testing. Catch vulnerabilities early.
  • Adopt secure coding standards. Reduce risk before deployment.

By the end of 90 days, governance should be strong, risk should be managed, and security should be woven into business operations.


The Future: Staying Ahead of Threats

Cybersecurity doesn’t stop at 90 days. It’s an ongoing cycle.

  • Monitor, refine, repeat. Governance and security must adapt to business changes.
  • Justify security investments. Keep proving the value of security initiatives.
  • Train relentlessly. Technology evolves fast—your team must evolve faster.

With a structured 30-60-90 day plan, CISOs can build a security function that’s resilient, responsive, and ready for anything. Now, go secure the enterprise.


By: Gordon Rudd (Chief Executive Officer, Stone Creek Coaching)

 