You’ve just taken over a cybersecurity program. The documentation looks fine on paper, the previous owner says everything’s “under control,” and leadership expects a quick assessment.
Before you start fixing anything, take a step back. Your first job isn’t to make changes; it’s to understand what you’re working with. The best way to do that is by asking the right questions. The answers will tell you how strong the program really is and where it might be falling short.
You’d be surprised how often this question stops people in their tracks. Ask for a list of critical assets and data. If what you get back is vague or outdated, that’s your first warning sign. A strong cybersecurity program starts with visibility. You can’t protect what you don’t know exists.
Every organization has a few known risks that keep people up at night. Ask around. Talk to engineers, IT staff, and business leaders. If you get consistent answers, good. That means people are aligned on what matters most. If everyone says something different, your risk management process probably isn’t working.
If the answer is “never” or “I think last year,” you already know where to start. A simple tabletop exercise will reveal more about your team’s readiness than any policy document. You’ll quickly see who knows their role, who hesitates, and where confusion slows things down.
Ask who has admin access, how MFA is enforced, and how often access reviews are done. If nobody’s sure or it takes days to find the answers, access control hygiene isn’t where it needs to be. Strong access controls aren’t glamorous, but they’re one of the easiest ways to prevent a breach.
Do people see security as a partner or a blocker? Ask this question quietly and listen carefully to how people respond. Culture determines whether your program succeeds or fails. A team that sees security as everyone’s job will follow policies, report issues, and support your goals. A team that sees it as an obstacle will work around it.
Your first few weeks running a cybersecurity program shouldn’t be about proving how much you know. They should be about understanding the reality of where things stand.
The answers to these five questions will help you find the weak spots, identify quick wins, and start building credibility from day one.
This article appeared originally on LinkedIn.