Security 30:60:90 day plan

Rachana Gupta
3 min readFeb 15, 2023

What if in an alternate reality you were appointed as head of security of a company. In this case how will someone tackle the planning. This got me thinking and i wrote down few things which made sense.

First 30 days:

Get to know your team and stakeholders: Schedule one-on-one meetings with your team members, other department heads, and key stakeholders to understand their expectations and pain points. Conduct a thorough assessment of the current security systems and practices within the company.

Assess the current security situation: Conduct a thorough review of existing security policies, procedures, and protocols. This will help you identify gaps and risks that need to be addressed. Identify any immediate security risks and vulnerabilities that need to be addressed urgently. Review the company’s security policies and procedures and identify areas that need improvement.

Develop an initial action plan: Based on your findings from the above steps, create an initial action plan that outlines the most critical security issues to address in the first 30 days. Prioritize items that are critical to business operations, and ensure that your team understands the importance of these actions. Develop a short-term plan to improve the security policies and procedures.

Next 30 days(i.e 60 days):

Develop a long-term security strategy: Based on the gaps and risks you identified in the first 30 days, develop a comprehensive security strategy that aligns with the company’s goals and objectives. Implement a vulnerability management program to identify, assess and remediate vulnerabilities within the company’s network and systems. Develop and implement a continuous monitoring program to ensure the company’s security policies and procedures are being followed. Implement security controls to protect critical assets, such as intellectual property, customer data, and financial information.

Review and update security policies: Based on the new strategy, review and update existing security policies and procedures. Ensure that these are communicated effectively to all employees and stakeholders. Develop a plan to evaluate and select security vendors and products.

Develop training and awareness programs: Develop training and awareness programs to ensure that all employees are aware of the company’s security policies and procedures. This could include regular security awareness training sessions, phishing simulations, and other forms of employee education.

Next 30 days(i.e 90 days):

Implement security technology solutions: Based on your strategy and policies, identify and implement technology solutions to improve the security posture of the organization. This could include solutions such as access control systems, security cameras, and other physical and digital security measures. Conduct a comprehensive security audit to identify any remaining security risks and vulnerabilities.

Develop incident response and business continuity plans: Develop and implement an incident response plan and business continuity plan to ensure that the organization is prepared for potential security incidents or other business disruptions.

Evaluate and adjust: Review and evaluate the effectiveness of your security strategy and plans, and make adjustments as necessary based on your findings.

Remember that this is just a general outline, and you should tailor your 30–60–90 day plan based on the specific needs of your organization. Regular communication with your team and other stakeholders is essential to ensure that your plans remain relevant and effective over time.



Rachana Gupta

I write about cybersecurity and also reflect on life