The first ninety days of a chief security officer's tenure determine whether the rest of it succeeds. The dynamics in that window are unlike any other period in the role, and most of the people who struggle later struggled here first — not because they lacked the skill, but because they treated the opening as maintenance when it was construction.

Construction, not maintenance.

Most security leaders walk into a role where the function does not yet exist, or exists only in fragments that have to be assembled into something coherent. There is a guard contract here, a badge system there, an incident log nobody reads, and an executive-protection arrangement that activates only when someone remembers to ask for it. The instinct is to keep the lights on. The correct move is to treat the first eighteen months as a build, and the first ninety days as the foundation that build sits on.

That means resisting the pull of the inbox long enough to do three things: establish what the program is actually responsible for, build the threat picture for the organization as it really is, and identify the handful of exposures that would do the most damage if they were realized. Everything urgent will still be urgent in week two. The foundation only gets poured once.

"A function that depends on one person has not been built. It has been borrowed, and it comes due the first time that person is unavailable."

Build the bench.

The most common failure mode for a new security leader is to become the function rather than to build it. It feels like progress — the calls get answered, the incidents get handled, the executive is reassured — but a program that runs on one person's judgment and relationships is a program that fails the first time that person is on a plane, on leave, or gone. Building the bench is one of the highest-leverage things the role does, and the first ninety days is when the habit is set or lost.

The work is not glamorous. It is writing down how decisions get made so someone else can make them the same way. It is establishing partnerships and a vetted network so the program has depth it does not have to staff internally. It is the debrief after every event, captured in a document, used to update the doctrine. The chief security officer who builds the function as a network — deliberate partnerships supplementing internal capability — produces a function that is cost-effective, deep, and current. The one who builds it around themselves produces a single point of failure with a title.

Ninety days is not enough time to finish. It is exactly enough time to set the standard the rest of the program will be measured against. Set it deliberately.