10 Cybersecurity Focus Areas That Actually Move the Needle

Chris Camacho
Frank McGovern
C2 Corner
July 2, 2025

When someone steps into a security leadership role, there’s immediate pressure to prove value. You’re expected to assess risk, build relationships, and start showing momentum, all before the 90-day mark. That’s why I wanted to highlight this post from my friend Frank McGovern.  

Frank has worked across multiple industries, launched Blue Team Con, and advised teams on how to modernize security programs in the real world. His take on what actually moves the needle in your first 180 days is one of the most practical breakdowns I’ve seen.  

We asked if we could include it in this C2 Corner series. The ideas are Frank’s, written in his voice, with a few added thoughts from what we see at Abstract Security, especially around log strategy and detection coverage.  

If you’re leading a security program, this is a strong foundation to start from.

1. Budget and Staffing  

Before making any promises, align with finance and HR. Know your current headcount, available spending budget, and where the gaps are, especially around SIEM and data pipeline costs.

Quick note: Teams that come in with a clean data strategy and visibility into SIEM spend tend to get faster support when budget season hits.

2. Documentation and Governance


3. SOC Transformation  

Whether internal or MSSP-driven, the SOC needs tuning. That includes improving SLAs, tightening escalations, and refining detections.

4. Identity and Access Management

Get MFA enforced, consolidate identity platforms, and review AD hygiene. These are fast credibility wins with big risk reduction.

5. Posture Assessments

Run internal scans, check cloud configs, and get a full picture of exposure before the next pen test or audit brings it to light.

6. Email Security

Still the number one way attackers get in. Lock down SPF, DKIM, and DMARC, and reduce noise in your SOC at the same time.

7. Firewall and Segmentation Reviews

Stale firewall rules can stick around for years. Cleaning them up early sets the stage for proper segmentation later.

8. Application Security

Check your SDLC. Make sure AppSec tools are in place, being used, and feeding results back to dev teams for action.

9. Log Strategy and Detection Engineering

More logs do not mean more security. Focus on visibility. Pick high-value data sources and align detections to real threats.

From Abstract:
Modern data pipeline platforms play a crucial role here. At Abstract, we focus on helping teams route, filter, and enrich the logs that matter most, ensuring the right data reaches the right tools, fast. While some organizations opt for platforms like Cribl for broader routing needs, Abstract is purpose-built for security teams. Either way, a modern log strategy delivers quick wins and long-term value.

10. Third-Party Risk Management

Keep the process lightweight and focused on your most critical vendors. Contracts and SOC 2 reviews cover most of what you need at this stage.


After these ten are under control, you can shift attention to data classification, insider threat, and cyber insurance. Those are important, but don’t come first.  

Final Thoughts:

The first six months are about earning trust and driving results. Focus on the fundamentals. Deliver visible outcomes. The rest gets easier from there.  

Big thanks to Frank for letting us share this playbook. If you’re stepping into a new security role or helping someone who is, this list is a great place to start.

We’ll be back in two weeks with the next C2 Corner post. Until then, let us know what you’d add to the list or how you’d prioritize differently.  

Want to dive deeper?

Grab our Applied Security Data Strategy eBook or sign up for future C2 Corner posts here.

Read Frank's full blog here
