#493 The First 100 Days of a CISO: Leadership, Cybersecurity Strategy and Execution with JC Gaillard
Cybersecurity has become one of the defining leadership challenges of the modern enterprise. Yet despite massive investments in technology, frameworks and compliance structures, many organisations continue to struggle with cybersecurity maturity. The question is no longer whether cybersecurity matters. The question is how leadership can translate cybersecurity ambition into operational reality.
In a recent episode of the Leadership Podcast and Leadership Videocast, leadership expert Niels Brabandt spoke with cybersecurity strategist JC Gaillard, author of “The First 100 Days of a CISO: A Leadership Guide to Lasting Impact”. The discussion explored one of the most critical moments in cybersecurity leadership: the first hundred days of a Chief Information Security Officer.
For boards, executives and decision makers, the conversation between JC Gaillard and Niels Brabandt offers a strategic perspective on why cybersecurity leadership often fails and how organisations can create lasting impact instead of repeating the same cycles of frustration.
Why Many CISOs Struggle to Create Impact
JC Gaillard spent decades in cybersecurity leadership roles at global financial institutions, including BNP Paribas and Rabobank, before moving into advisory and consulting work. During his consulting career he observed a recurring pattern across large organisations.
Many CISOs leave their roles after only two or three years. The reason is rarely technical failure. Instead, it is organisational frustration.
CISOs frequently feel trapped between conflicting expectations. One day they are expected to communicate with regulators. The next they must engage with boards, developers, risk managers, compliance teams or operational staff. Each stakeholder group speaks a different language and operates under different priorities.
This dynamic creates what JC Gaillard describes as a cybersecurity spiral of failure. Short leadership tenures prevent long-term transformation, while organisations remain trapped in cycles of partial progress and structural stagnation.
The Leadership Nature of the CISO Role
The conversation between JC Gaillard and Niels Brabandt emphasises an important leadership principle. Cybersecurity is not merely a technology discipline. It is an organisational leadership challenge.
Modern CISOs must operate simultaneously as strategists, communicators and organisational change leaders. Technical expertise alone is not sufficient. What ultimately determines success is the ability to navigate organisational complexity and align stakeholders around a shared security narrative.
This leadership dimension is precisely why the first hundred days matter so profoundly.
The 666 Framework for the First 100 Days
One of the most practical concepts introduced by JC Gaillard is the 666 framework, a structured approach designed to guide new CISOs during the early phase of their role.
The first six days are dedicated almost entirely to listening. New CISOs must resist the temptation to arrive with predetermined solutions, preferred vendors or familiar programmes from previous organisations. Every organisation has its own history, culture and constraints.
Listening allows the new CISO to understand the organisational context, identify hidden obstacles and establish credibility with senior stakeholders.
The next six weeks focus on co-constructing a cybersecurity narrative with key stakeholders. Instead of presenting cybersecurity as a technical agenda, the CISO must frame security as a business conversation. Leaders must understand how security supports operational resilience, protects strategic assets and enables sustainable growth.
The final six months concentrate on execution. Cybersecurity frameworks have existed for decades and most professionals already know what should be implemented. The real challenge lies elsewhere. It lies in how change is executed inside complex organisations.
Understanding why previous initiatives failed often reveals more than simply identifying new solutions.
From Compliance to Business Value
During the conversation Niels Brabandt raised a critical issue that many cybersecurity leaders encounter: the dominance of compliance-driven thinking.
In many organisations cybersecurity discussions revolve around policies, audits and regulatory frameworks. While compliance remains important, JC Gaillard argues that it should be understood as a by-product of effective cybersecurity rather than its primary objective.
Boards and executive teams increasingly recognise that cyber incidents are not hypothetical scenarios. They are inevitable events that must be managed through resilience, preparation and operational discipline.
As a result the real challenge facing cybersecurity leaders is not regulatory awareness. The challenge is execution.
Execution as the Central Cybersecurity Problem
According to JC Gaillard, most organisations already understand the strategic importance of cybersecurity. Executive awareness has grown significantly over the past decade as cyber attacks have become more visible and financially damaging.
However, awareness alone does not create operational capability.
Organisations frequently struggle with the practical question of delivery. Even when budgets are available and leadership attention exists, many firms struggle to translate cybersecurity strategy into consistent operational performance.
This gap between strategy and execution remains one of the central leadership challenges in cybersecurity.
Governance, accountability and operational alignment ultimately determine whether cybersecurity programmes succeed or fail.
Leadership Lessons for Decision Makers
The interview between JC Gaillard and Niels Brabandt highlights several broader leadership lessons that extend beyond cybersecurity.
First, complex organisational problems cannot be solved through technical expertise alone. Leadership alignment and stakeholder engagement are equally important.
Second, early leadership actions often determine long-term outcomes. The first hundred days of a new executive role provide a critical opportunity to build trust, shape narratives and establish strategic direction.
Third, execution discipline remains one of the most underestimated capabilities in modern organisations.
Cybersecurity strategy is widely understood. What remains rare is the organisational ability to deliver it consistently.
For decision makers in business, the message is clear. Cybersecurity leadership is not simply about technology investment. It is about building organisations capable of executing complex strategies over the long term.
Niels Brabandt
---
More on this topic in this week's videocast and podcast with Niels Brabandt: Videocast / Apple Podcasts / Spotify
For the videocast’s and podcast’s transcript, read below this article.
Is excellent leadership important to you?
Let's have a chat: NB@NB-Networks.com
Contact: Niels Brabandt on LinkedIn
Website: www.NB-Networks.biz
Niels Brabandt is an expert in sustainable leadership with more than 20 years of experience in practice and science.
Niels Brabandt: Professional Training, Speaking, Coaching, Consulting, Mentoring, Project & Interim Management. Event host, MC, Moderator.
Podcast and Videocast Transcript
Niels Brabandt
Let's imagine you have a new job, and your accountability is to keep the company safe and sound, and your job is the CISO, Chief Information Security Officer. And the question is, what should you do during your first 100 days? Because the first 100 days might be very, very important. And we have an expert on the matter with us here today. Hello and welcome, JC Gaillard.
JC Gaillard
Thank you. Many thanks for inviting me on the podcast. I'm delighted to be with you.
Niels Brabandt
Thank you very much for being with us. Yes, delighted
JC Gaillard
to speak around the role of the CISO, the first 100 days, and everything that goes around it.
Niels Brabandt
Yeah, perfect. Very good. So let's get straight into it.
Niels Brabandt
You wrote the book that the first 100 days are extremely important, The First 100 Days of a New CISO: A Leadership Guide to Lasting Impact. So when we now look at the first 100 days, many people say it's all about orientation, it's about getting settled in, but it all remains usually quite, quite superficial.
Niels Brabandt
If anyone would ask you, what was your main motivation to write this book, what would you tell them?
JC Gaillard
My main motivation is that I see too many CISOs stuck in routines that don't work. I see too many CISOs leaving after a couple of years because they're out of frustration, because they think the business doesn't get it, because they think that they don't get things in motion. And that, to me, is the cornerstone of what I've been calling the cybersecurity spiral of failure, one of the cornerstones of it anyway.
JC Gaillard
The First 100 Days of the New CISO, the book you kindly showed on the screen just before, is actually one in a series of three. And it's part of a thinking process, a writing process that started over 10 years ago, around 2015, 2016. Because to be honest, when I started consulting, I was absolutely shocked by what I was seeing in many large firms.
JC Gaillard
My background is not in consulting. I spent 20 years of my life working at Paribas until it became BNP Paribas, then at Rabobank. I'm French and British.
Niels Brabandt
Yeah, I saw that. And you also were a member of the Harvard Business Review Advisory Council. Very impressive, so.
JC Gaillard
Yes, absolutely. And I spent 30, 35 years of my life living in London. I'm French and British. I fell into consulting effectively 20—sorry, 15 years ago—as a matter of exiting out of Rabobank, where I was the Chief Security Officer for the International Division. But I'm not a consultant by trade as such.
JC Gaillard
But when I started consulting, I was absolutely shocked by what I was seeing in many large firms in terms of maturity levels and in terms of the type of problems they were facing. Large firms that would have been having large information security practices for the best part of the 20 years before, large firms that might have been sending people to conferences to tell the world how to organize around information security. And then one day you're called in and you look around and you say, "Right, okay, what's going on here?"
JC Gaillard
And that's the background of my thinking process, the background of my research, and the background of my work effectively in terms of what I've been writing about. So I started writing articles on the Corex Partners blog. That's the company I founded around 2015, approximately. And then I amalgamated those into a compilation of articles, and then it finally became the Cybersecurity Leadership Handbook, which was published around 2023 in its current format.
Niels Brabandt
And what would you say when we get to the gist of this? What is the nature of the modern CISO's role? What is the real nature of what CISOs should do today?
JC Gaillard
What makes the role absolutely difficult is that many CISOs are trapped in an impossible position. One day they're expected to be credible in front of the board, the next in front of regulators, the next in front of pen testers, the next in front of developers, the next in front of management, the next in front of the staff, etc. Across the large enterprise, the role has become completely impossible. And they're struggling because of that, okay? They feel trapped, they feel frustrated, then after a couple of years, two, three years on average, they end up moving to another job.
JC Gaillard
That creates the conditions I was talking about around the spiral of failure. There is not a lot you achieve in two, three years in any large firm. Large firms are too complex. They're too political. They're too territorial. They are siloed by essence. You don't achieve much in terms of transformative effort around anything in two, three years. And that's the main problem around cybersecurity in many organizations. Business short-termism has trapped CISOs in that sort of dynamic, and that's the essence by which cybersecurity maturity levels have effectively remained low. We're in a situation around cybersecurity where constant focus on short-termism has led to long-term stagnation, if you want. That's a little bit what I talk around in the spiral of failure. And that's what makes the role of the CISO difficult.
Niels Brabandt
Excellent. You talk about the 666 framework, which you developed. Can you tell us a bit more about that? Because I found that part of the book really, really handy, because that's something you can put in place immediately. What is the 666 framework that you developed?
JC Gaillard
Yes, that's at the heart of the first 100 days. And essentially, it's about understanding that everything matters here. Every single day matters. Every minute of it matters, okay? And it's all about listening, listening, listening, and listening. And that's what I say in the first 100 days.
JC Gaillard
The CISOs have to understand that it's not about coming into the job knowing what has worked elsewhere, trying to replicate things you've seen elsewhere, things you've done elsewhere, coming in with your pet project, your pet product, your pet consultants. That's not what it's about. What it's about is listening, listening, and listening. Cybersecurity has been around in one shape or another in large organizations for the best part of the last 30 years. Understand that. Understand that there is no such thing as a green field. You're stepping into a situation, a context. You're talking to execs who have been here for a long time, for many of them.
JC Gaillard
Listen, listen, and listen. That's the first six days, effectively. Listen. And try to build and co-construct with those guys what the cybersecurity narrative is going to be. That's the first six weeks, okay? Listen to them. How can I help you? That's the question you need to keep asking. Servant leadership, that's got to be your lifeline. What can I do for you? Listen, listen, and listen. And build that into your cybersecurity narrative, into your security strategy. Construct with the stakeholders. Co-construct.
JC Gaillard
And then focus the rest of the time—that's the next six months, so to speak, the third six—on building an execution framework. How are you going to make it happen? It's not so much about what needs to be done, but how is it going to be done? In many ways, the what of change, if you want, around cybersecurity is written in cybersecurity good practice. It's been developing for the best part of the last 30 years. You know what needs to be done. As a cybersecurity professional, you will see it straight away. You will see where the weaknesses are. But how is it going to happen? Why is it that it hasn't been done in the past? Understanding where the roadblocks are that have prevented progress. That's what will make the CISO successful. And that builds up around the first 100 days in that 666 type of logic.
JC Gaillard
The first 100 days are not about demonstrating what you can do as a professional, what you can do as a cybersecurity specialist. You've been hired. Competence is assumed, okay? You've got to showcase yourself as a leader, as a person who can think strategically at the same level as the stakeholders around you. And that's something you're going to build by listening to them, by acting as their peer, and by bringing something to them in line with what they expect. And that's what I say in the book, really. That's what the first 100 days is all about. It applies to a variety of C-level jobs. I agree with that. But cybersecurity makes it even more essential because of its nature, because it's not a technology problem or just a technology problem.
Niels Brabandt
Excellent point here. When we talk about the technology problem here, often CISOs say, "Look, as soon as I step into the role, I often hear one department showing up from the very beginning, and that's compliance." So everything we do is, "Okay, we have this ending up in compliance. And now we do this, and this is going to be compliance." And so we have rules, rules, rules, rules, rules.
Niels Brabandt
And as we all know, no one is going to work in the morning and say, "My best moment today is going to be when the compliance department shows up." So how can you move—and you describe this very well in the book—how can you move from the whole compliance aspect, which is important, no question about that, but to real value creation as the last question of this interview today?
JC Gaillard
You see, this is an interesting question. I'm sad it's the last question, but we may come back to that. But I'm going to say, to me, the risk and compliance angle is very much something that reflects back to the first decade of the century, where many cybersecurity practices are rooted.
JC Gaillard
I hear different stories from top execs, to be honest. I hear different stories. When I talk to CIOs in particular, when I talk to board members, they know about cyber. Compliance is there, but as a byproduct of good practice, if you want, as a byproduct of protecting the business, as a byproduct of implementing a genuine resilient practice.
JC Gaillard
Top execs know that it's a matter of when, not if. That paradigm has taken roots in boardrooms, okay? We've seen too many cyber attacks. Don't tell me that there is anybody in any boardroom anywhere in the world that doesn't know about cyber. I would not believe it, okay?
JC Gaillard
The problems are elsewhere. The problems are rooted in execution, execution, and execution. I've spoken to many CIOs who've told me, "I could put any money I like in my budget on cyber, okay? But then what do I do? How do I get it done? How do I deliver, deliver, and deliver?" So the challenge is execution, execution, and execution. And that's the how of change. Not so much the what of change, but the how, and to some extent, the who is going to do what. So it.
Niels Brabandt
Yeah, I think these are the perfect final words here.
JC Gaillard
Governance and accountability, too.
Niels Brabandt
Yeah, okay. I think these are the perfect final words for this podcast. When people now say, "Hey, I think JC can be really helpful for our business. Maybe we should get him in either as a keynote speaker for the conference or as a consultant for our business," how can people get in touch?
JC Gaillard
Corexpartners.com. All my details are on the contact page. They can find me on Twitter at Corex_JC. They can find me on LinkedIn. I'm reasonably easy to find, I think, but Corexpartners.com for more details about what we do, and then LinkedIn or Twitter if you want to reach out.
Niels Brabandt
Perfect. CISO, the first 100 days matter, and JC Gaillard knows how to do it. JC, thank you very much for your time.
JC Gaillard
Many thanks for having me on the podcast. Thank you.