Why the First 90 Days Matter for Every New CISO

When William Sterling walked into his new role as CISO, he had a plan. What he didn’t have was any idea how quickly that plan would be tested.
The Honeymoon That Wasn’t
Most leadership books talk about the “honeymoon period” — that grace period where you can learn, observe, and build relationships before being expected to deliver results. In cybersecurity, that honeymoon is often measured in days, not months.
The reality is that threats don’t wait for you to get comfortable. Legacy systems don’t pause their decay. And that technical debt your predecessor accumulated? It’s accruing interest every single day.
What Makes the First 90 Days Different
Unlike other C-suite executives, a new CISO faces a unique combination of pressures:
- Inherited risk — You own problems you didn’t create
- Invisible threats — The breach that’s already happening but hasn’t been detected
- Stakeholder skepticism — A board that sees security as a cost center
- Team dynamics — A security team that may be burned out, under-resourced, or both
The Three Things That Matter Most
In conversations with dozens of CISOs about their early days, three themes emerge consistently:
1. Assess Before You Act
The temptation to make immediate changes is strong. Resist it. You need to understand the landscape before you can navigate it. What are the real risks? Where are the gaps? Who are your allies?
2. Build Relationships, Not Just Programs
Your security program is only as strong as the relationships that support it. Invest time in understanding what keeps your business partners up at night — and show them how security can help.
3. Communicate Constantly
Silence breeds suspicion. Keep your stakeholders informed, even when there’s nothing dramatic to report. Especially when there’s nothing dramatic to report.
The Crucible Moment
Every CISO eventually faces their crucible moment — that crisis that tests everything they’ve built. The question isn’t whether it will come, but whether you’ll be ready when it does.
William Sterling’s crucible came faster than he expected. His story is a reminder that preparation, resilience, and leadership matter more than any technology stack.
This post is inspired by themes from The CISO Crucible, a novel about security leadership under fire.