How to Build a Security Program from Scratch: The First 90 Days
Something triggered this conversation. Maybe customers are demanding you beef up your security program. Maybe you had a near miss or actual incident. Maybe your management team knows from experience that you’ve deferred this too long and it’s time to invest.
Whatever brought you here, here’s what actually happens in the first 90 days of building a security program.
Weeks 1-2: Understand the Business
Before looking at any security tool or process, understand the business. This seems obvious, but it’s frequently skipped.
Questions to answer:
- What do you sell?
- Who do you sell it to?
- How do you sell it?
- How do you interact with customers?
- Who are your suppliers?
- How do you build your product?
- What data do you have? What are the crown jewels?
- What's the worst thing that could happen? Give me the top three disaster scenarios.
You need to understand the business model before you can understand where the risks are. How do you make money? What would destroy your ability to make money?
The business model canvas is useful here. A one-page diagram covering key aspects: customer segments, value propositions, channels, revenue streams, key resources. Sometimes this is the first time the executive team has had this conversation in a unified way.
Companies are dynamic. They may not have redefined themselves concisely recently. Or the CEO is crystal clear and just tells you exactly what matters. Either way, you need this foundation before anything else.
Weeks 2-3: Inventory the Tech Landscape
Two layers of technology to understand:
Corporate IT. What are the laptops? How do you manage them? Do you have an MSP? What are the critical SaaS apps? How does identity work? What’s the rundown of the IT world?
Engineering and cloud. What’s your cloud footprint? What are the key systems, processes, teams? Are there key processes that touch third-party vendors? Where do they plug in? Architecture diagrams, flow charts, anything that documents how things actually work.
The goal is knowing the lay of the land. You can’t secure what you don’t understand exists.
Weeks 3-4: Assess Current Security State
Now look at what’s in place from a security perspective.
Security tools, processes, policies, documentation. Run interviews with key stakeholders: the IT person, engineers, customer support, anyone who touches security-relevant systems. Ask each person: what do you think are the top three security issues the company has? People know. They’re in different roles with different views, but once you have those conversations, a picture emerges. Ground the assessment in a framework like NIST CSF or CIS Controls. This gives you a benchmark for maturity and a structured view of gaps.
Then look at the technical side. Go through existing security tools. Check the dashboards. Are they lit up red? Are they disconnected? Has anyone looked at them recently? This tells you about operational state.
Bring in SaaS-based security posture tools to get a baseline:
SaaS security posture. How is identity configured? How are email and office apps set up? One thing that’s always interesting: how out of control has file sharing gotten? Documents publicly accessible that shouldn’t be. Most companies don’t track this, and it’s usually a mess.
Cloud security posture. A CNAPP or CSPM tool gives complete visibility into your cloud environment. You’ll find things people forgot about. Dead instances sucking up resources that nobody can explain. The cost savings opportunity alone often justifies the effort.
Where is sensitive data? Who has access to it? What’s the lifecycle? Getting your arms around this takes focus, but it’s essential.
Weeks 4-6: Design the Program
The assessment tells you where you are and where the gaps are. Now design what you need.
Roadmap. The execution plan for addressing identified issues. Some items are technical (buy these tools, get them operational). Some are process (implement these procedures, create these policies). Prioritize what matters. Sequence appropriately.
Critical: overlay this with commitments the business has already made. Resources have day jobs. Engineering has product roadmaps. The security roadmap has to fit with organizational reality.
Staffing model. Look at the existing team. Maybe you need someone in IT. Maybe you need product security. Maybe a fractional CISO and the current team is sufficient for a while. Build a recommendation for how to staff the program.
Budget. What are the line items? What do you need to buy? In what order? The budget, roadmap, and staffing model all connect.
These three components need to balance. You'll build a straw man and iterate: take it to key leaders across the organization, get feedback, and refine. A roadmap built without the context of the product roadmap or IT roadmap doesn't work, because you're leveraging those same resources. Sometimes you end up dominating the IT team's plans for six to twelve months. They know they need to uplift things, and they're often happy to have support and prioritization.
Weeks 6-8: Align and Get Buy-in
This is the core of security governance: getting alignment on what you’re going to do and who’s going to do it.
Formalize the process by which you’ll make security decisions going forward. Who pays attention to this on the executive team? Who staffs it? How do you track progress? Iterate through the roadmap with stakeholders, get buy-in on budget, and negotiate where necessary. The first version is never the final version.
Some organizations can move through this in four weeks. Some need eight. It depends on organizational maturity, availability of key people, and how much prior thinking has been done.
Weeks 8-12: Start Building
With alignment secured, start execution.
First priorities typically include:
Endpoint management. Get control over devices. MDM deployed, policies configured.
Detection and response. MDR operational, monitoring in place. This is foundational for everything else.
Compliance platform. If customers are pushing for SOC 2 or similar, get Vanta or equivalent stood up.
Quick wins. Throughout this process, you’ll find things that should be fixed immediately. Don’t wait. Address critical issues and quick wins as they surface.
The 90-Day Outcome
By the end of 90 days, you should have:
- Assessment. Clear understanding of current state, major gaps, top risks mapped to business risks.
- Roadmap. Prioritized execution plan with sequences, dependencies, and resource assignments.
- Staffing model. Recommendation for how to staff the program going forward.
- Budget. Line items for tools, services, and people needed.
- Governance model. How security decisions get made, who's responsible, how progress is tracked.
- Security narrative. Because you've had the conversations and debates and achieved alignment, you can now tell a credible story about your security program. It's real.
- Execution started. Key tools deploying, critical issues addressed, quick wins completed.
From here, it’s building and operating. The program runs, matures, and gets revisited annually. If business circumstances change significantly (M&A, new markets, major threats), you pivot earlier.
The first 90 days set the foundation. Everything that follows builds on what you establish here.