Top Immediate Priorities for a New Chief Information Security Officer
- Scott Owens
- Jun 21
Just stepped into a new CISO role? Don’t waste your first 90 days.

Whether you're leading security for a larger organization, SaaS provider, or high-growth startup, the early days in a new CISO seat are critical. You're expected to understand the landscape, demonstrate control, and communicate risk—fast. This checklist outlines the most urgent priorities that can make or break your success. It’s not just about checking boxes; it’s about protecting what matters most while earning trust from your executive team, your customers, and your regulators.
Security Risk Assessment
Confirm there is a recent risk assessment aligned with your business and threat landscape, and review how risks are tracked, managed, and mitigated.
If you are in healthcare, confirm there is a HIPAA Security Risk Analysis completed within the past 12 months. Validate that policies and technical controls (e.g., access controls, audit logs, encryption) align with HIPAA standards.
Vendor / Third-Party Risk Management
Validate that third-party vendors (especially cloud hosting, EHR integrations, APIs, billing systems) are reviewed for security and compliance.
Confirm evidence of recent SOC 2 / HITRUST certifications or security assessments for critical vendors.
Identity and Access Management (IAM)
Check that MFA is enforced across the board (internal systems, customer portals, admin tools).
Confirm least privilege access, timely deprovisioning, and privileged account monitoring are functioning.
Endpoint Detection and Response (EDR)
Validate that all endpoints (laptops, servers, cloud VMs) are protected with modern EDR solutions.
Ensure endpoint compliance is enforced and monitored.
Security Incident Response Plan (IRP)
Confirm the IRP exists, is tested, and staff knows how to detect, escalate, and contain incidents.
Look for tabletop exercises or simulations in the past 12 months (especially ransomware scenarios).
Asset Management
Confirm that a comprehensive inventory exists for all hardware assets (servers, laptops, network devices, IoT, etc.) and software assets (applications, cloud services, scripts, etc.), and that it’s actively maintained.
Ensure asset ownership is assigned and that assets are categorized by criticality, location, and data sensitivity (e.g., devices storing or processing ePHI).
Verify integration of the asset inventory with other security processes (e.g., vulnerability management, patching, endpoint protection, deprovisioning).
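As an added example (not part of the original post) of the inventory integration check above and the EDR coverage check under Endpoint Detection and Response: this Python script reconciles a constructed inventory export against the host lists from an EDR console and a vulnerability scanner, and reports hosts unknown to the inventory, agent and scan gaps, and stale entries. The hostnames, CSV columns, and 60-day staleness threshold are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (hypothetical hostnames): the asset inventory, the
# hosts with a healthy EDR agent, and the hosts the vulnerability scanner assessed.
ASSET_CSV = """hostname,kind,owner,criticality,last_seen
app-01,server,platform-team,high,2025-06-18
db-01,server,data-team,high,2025-06-19
laptop-042,laptop,jdoe,medium,2025-03-01
iot-cam-7,iot,facilities,low,2025-06-20
"""
EDR_HOSTS = {"app-01", "laptop-042", "build-99"}
SCANNER_HOSTS = {"app-01", "db-01", "build-99"}
EDR_ELIGIBLE = {"server", "laptop", "vm"}  # asset kinds that can run an agent


def load_assets(csv_text):
    """Parse an inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(assets, edr_hosts, scanner_hosts, today, stale_days=60):
    """Cross-check the inventory against EDR and scanner coverage; lists are sorted."""
    by_name = {a["hostname"]: a for a in assets}
    names = set(by_name)
    edr_expected = {n for n, a in by_name.items() if a["kind"] in EDR_ELIGIBLE}
    stale = [n for n, a in by_name.items()
             if (today - date.fromisoformat(a["last_seen"])).days > stale_days]
    return {
        # Seen by a security tool but absent from the inventory: the inventory
        # is incomplete, or the host was deprovisioned only on paper.
        "unknown_to_inventory": sorted((edr_hosts | scanner_hosts) - names),
        # Inventoried hosts that should run an agent but report none.
        "missing_edr": sorted(edr_expected - edr_hosts),
        # Inventoried hosts the scanner never assessed.
        "missing_scanner": sorted(names - scanner_hosts),
        # Entries nobody has confirmed recently: candidates for deprovisioning.
        "stale": sorted(stale),
    }


def run_report(today=date(2025, 6, 21)):
    """Reconcile the constructed sample data as of a fixed date."""
    return reconcile(load_assets(ASSET_CSV), EDR_HOSTS, SCANNER_HOSTS, today)


if __name__ == "__main__":
    for gap, hosts in run_report().items():
        print(f"{gap}: {', '.join(hosts) or 'none'}")
```

Each non-empty list is a follow-up item: an unknown host means the inventory is not the source of truth, and a stale entry means deprovisioning is not feeding back into it.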
Data Protection & Encryption
Validate that ePHI and other sensitive data are encrypted at rest and in transit across SaaS products and infrastructure.
Review any encryption key management practices (especially if customers manage keys through Customer Key programs).
Vulnerability Management Program
Confirm regular vulnerability scans (internal, external, application-level) are conducted.
Validate that patch management is timely, especially for critical and healthcare-related vulnerabilities.
Business Continuity and Disaster Recovery (BCP/DRP)
Confirm that BCP/DRP plans exist, have been tested in the last year, and cover both SaaS platform availability and customer-facing commitments.
Employee Security Awareness and Training
Validate that annual HIPAA and security training is mandatory.
Check for phishing simulation programs and ongoing employee security engagement.
Change Management Controls
Confirm that production changes (especially to healthcare SaaS systems) are tracked, reviewed, tested, and approved.
Logging, Monitoring, and SIEM
Confirm that critical systems are logging properly into a centralized SIEM or logging platform.
Validate that alert thresholds, response playbooks, and log review processes exist.
Secure Software Development Lifecycle (SSDLC)
Ensure that DevOps/Engineering follows a defined security process:
- Secure coding guidelines
- Static and dynamic code analysis (SAST/DAST)
- Dependency vulnerability scans (e.g., using Snyk, Dependabot)
Privacy Program Alignment
Confirm there’s a documented Privacy Policy that aligns with HIPAA and any applicable state-level data privacy laws (e.g., CCPA, CPRA).
Check processes for data subject access requests (DSARs) if applicable.
Security Metrics and Board Reporting
Identify how security is reported to leadership (KPIs, KRIs).
Confirm there is regular reporting of security posture, risk trends, and incident metrics to the executive team or board.