Congratulations! Your first 100 days in Security & Compliance
This article is written for non-traditional leaders of a security and compliance function. Non-traditional can mean many things. For example, you could be the default person responsible for this function because you are also responsible for IT or engineering at your organization. Regardless of how you came into the role, congratulations; let’s get to work.
Day 1 – Claim your prize
Let’s put some formality around your ownership of security and compliance. Communicate to your immediate team that you will be in charge of such matters from now on. But this isn’t just about telling people—it’s about setting the tone. Be clear that while security may not have been a top priority before, it will be now. Highlight that security is not only an IT issue but a business-critical function that will help safeguard the organization’s reputation, data, and operations.
Pro Tip: Write a short email or announcement to your team and stakeholders stating your ownership of this role. Establish open communication channels for security-related matters.
Week 1 – Getting organized
Locate key documents – Before diving into changes, get a clear picture of your current landscape. Key documents and policies may already exist, even if they are outdated or incomplete. These will provide a foundation for understanding your current security posture.
Action Items:
- Look for existing policies: data protection, incident response, and disaster recovery.
- Identify critical vendor contracts and agreements, especially those related to IT services, cloud providers, and software licenses.
- Confirm your understanding of key systems architecture and the location of critical systems (is there a file server by the CEO’s desk?).
Pro Tip: If any of these documents are missing, contact us for free enablers and templates to get you started.
Configure workflows and tools
You’ll need tools to track and manage security-related tasks. Set up or assess existing tools for project management and incident tracking. Consider your needs for Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and other security tools.
Action Items:
- Review your current security tools—ensure SIEM, EDR, and firewalls are configured correctly.
- Set up a ticketing system or project management tool to track security and compliance tasks (Trello, Asana, Jira).
- Establish workflows for incident reporting and security reviews.
Pro Tip: Start with what you have. Many organizations over-invest in tools without mastering the basics. Focus on getting visibility into existing systems first.
First 30 days – Ready for anything
Put together an incident response plan – All companies experience a security incident of some kind. An incident response plan (IRP) is an essential guide for how to handle potential security breaches, data leaks, or other cyber incidents. If an incident occurs, you’ll want to respond swiftly and efficiently.
Action Items:
- Draft or review the current incident response plan. If none exists, create a basic one with key steps for detecting, responding to, and recovering from security incidents.
- Identify key personnel responsible for responding to incidents and outline roles and responsibilities.
- Run a tabletop exercise to simulate a security incident with your team.
Pro Tip: Focus on creating a simple, actionable plan that you can evolve. Don’t let perfect be the enemy of good.
Put together an incident response team – Bring together key personnel responsible for responding to incidents and outline roles and responsibilities. These may include representatives from Product & Engineering, Operations, Customer Success, Communications and HR.
Action Items:
- Set a monthly or quarterly recurring meeting with the incident response team.
- Share the incident response plan with them and ask for comments and edits.
- For one of the meetings, schedule a tabletop exercise or test to run through an incident scenario with the team.
Pro Tip: Make sure these incident response team meetings include an agenda and meeting notes. These will be required should the company pursue certifications such as SOC 2.
First 60 days – Make the truth good
Inevitably, your security and compliance program will come under scrutiny from the management team, your customers, and auditors should you choose to pursue security certifications. The best way to handle such scrutiny is to make the truth good, then tell the truth. Now that you have the basics of your program in place, focus on addressing your immediate security gaps. This phase is all about improving your actual security posture.
Action Items:
- Conduct a risk assessment to identify key vulnerabilities in your systems and workflows.
- Prioritize security improvements based on risk, such as patching critical systems, securing access controls, or implementing encryption.
- Start working on compliance improvements, ensuring your policies meet any regulatory requirements.
Pro Tip: Begin tracking metrics related to security incidents, downtime, and compliance tasks. This will allow you to report progress.
First 90 days – Tell the truth
Well, more like shout it from the rooftops. You and your team should be proud of the program you have put together, and now it is time to showcase it. This could be a security package with a management overview of security and compliance at your company, or a full-blown Trust Center. Either way, it is a place where your stakeholders—clients, partners, and employees—can see your commitment to security and transparency.
Action Items:
- Create a public-facing Trust Center on your website where you publish key security policies, certifications, and incident response protocols.
- Develop clear communication strategies for addressing security incidents with clients and stakeholders.
- Ensure that your compliance status is up-to-date and available for review in the Trust Center.
Pro Tip: A well-built security package or Trust Center can be a competitive advantage, showing potential clients that your organization takes security and compliance seriously.
Conclusion
Your first 100 days in security and compliance will set the tone for how your organization approaches these critical functions. By taking ownership, organizing tools, building a strong incident response plan, improving your security posture, and sharing your progress through a Trust Center, you’ll establish a solid foundation for ongoing success.