Manage Learn to apply best practices and optimize your operations.

The 100-day plan: Achieving success as a new security manager

One of the top priorities of any newly minted information security manager is to implement a new enterprise security strategy. In this tip, security management expert Mike Rothman explains what needs to happen in the first 100 days of a security regime in order to build credibility and strengthen the relationship with senior executives.

Congratulations, you are the new security manager. Maybe you lost a bet or drew the short straw. Or maybe you like...

the thrill of a big challenge.

Whatever the circumstances, the honeymoon period ends quickly, so it's critical to make sure the first 100 days are optimally spent. This will set the tone of your working career in this organization, so it's essential that no time is wasted in figuring out what needs to be done and implementing a plan detailing how to do it. That typically means identifying and fixing some of the biggest holes, making some organizational or process changes (for the better) and, ultimately, establishing a track record of meeting objectives.

For more information

Keep in mind that the regime change happened for a reason. Maybe the previous security manager lost the confidence of the team, or maybe he or she didn't get enough done or didn't let anything happen at all. Odds are there are issues that need to be dealt with, and it's up to you and your team to start making progress.

Basically, the first 100 days can be broken down into four distinct areas of focus:

  • Baseline -- It's important to figure out how security really stands at the company, so some kind of assessment is in order. Maybe a pen test, maybe a scan, maybe a social engineering experiment; most likely all of the above. Keep in mind that after about 100 days, the blame for any problems will fall on the new security team, so all of the residual issues need to be found as soon as possible. There is no benefit to sugarcoating the situation.
  • Triage -- Now that the baseline is established, the leaky buckets can be plugged. That means moving quickly to remediate the most obvious, easiest and cheapest issues. Finding a few quick wins is absolutely critical during the first 100 days. Those issues may not be the highest profile or even the most important, but by getting them fixed, it informs the organization's senior management team that you get things done successfully and on schedule.
  • Evangelize -- Another key task for the first 100 days is to set the stage for a structured security program that will underlie security operations. That means meetings with executives are in order to figure out what they want protected and why. It also makes sense to present the entirety of the program to the power brokers in the organization; they will likely push back on some aspects, and that's fine. As credibility is built up, it'll become easier to get support for the projects and processes that are important to protecting data. But a big part of finding success as a senior security manager is to get face time with the corporate executives. If they don't know who you are and what you are doing, then you are doing it wrong.
  • Plan the next steps -- The last thing to do during the honeymoon is to build a plan for the rest of the year. Senior managers like to see the team working on a plan. The underlying security program provides the structure, so the remaining task is to define some milestones and then start tracking progress against those milestones.

Starting off on the right foot for the first 100 days is critical. It is the first (and possibly the last) opportunity to set a tone of achievement and accountability with the senior team. If it's done right, executives will consider security to be a key initiative for the organization, and that's what every security manager strives for.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.

This was last published in November 2008

Dig Deeper on Information security policies, procedures and guidelines