Why this module exists. CISO and security-leader transitions in Indian enterprises follow a predictable failure mode. The new leader arrives, the board asks for an “assessment”, a 60-slide deck lands six weeks later, and the operational programme drifts for the entire honeymoon period. The disciplined version instead spends the first 90 days establishing five concrete artefacts. This module is the structure.
Days 1-14 — listening, not deciding
The single most common rookie mistake is announcing a strategy in week 2. You do not yet understand the operational reality, the political topology, or the unsaid constraints. The first two weeks are 1:1s and inventory:
- 1:1s with every direct report and every adjacent function lead: SRE, Engineering, Legal, Privacy, Risk, Internal Audit, Compliance, IT, Finance. Ask each the same three questions: what is the most painful security thing in their week, what did the last attempt at fixing it look like, and what do they wish your team did less of.
- Asset inventory — what does the organisation own? Cloud accounts, domains, repos, data stores, SaaS subscriptions. Cross-check against the engineering team’s view and finance’s view. The gaps are usually the most informative output of the first two weeks.
- Find the open incidents. Whatever IR is in flight on day 1, you own from day 1. The handover from the previous leader is rarely complete.