An interview with global cybersecurity thought-leader JC Gaillard on his new book: “The First 100 Days of the New CISO – A Leadership Guide to Lasting Impact”
Available on Amazon from November 10th
Why did you feel the need to write this book now?
Over fifteen years of advising C-level executives across global organisations, I kept seeing the same pattern. Success or failure in the CISO role had very little to do with technology, and everything to do with leadership behaviour, and a lot of that is defined or structured in the first 100 days. Yet too much of the guidance available to CISOs today remains reactive, technology-centric, or fear-driven. I started reflecting and writing on this in 2017, and eventually I am now releasing this book because I feel the industry needs a leadership guide on that matter—not another technical manual. The CISO role has changed a lot over the past two decades, and the old playbook no longer applies. We are in a new era, the “when-not-if” era around cyberattacks and the expectations of senior executives around the role of the CISO have changed dramatically: We need a new approach.
Your book’s title implies that the first 100 days define a CISO’s long-term impact. What makes this window so critical?
The first 100 days are when the organisation forms its judgment—not about your technical expertise, but about YOU: Your credibility, your leadership tone, and your ability to align with the business and drive change, if that’s what’s needed. If you spend that time reacting, firefighting, or trying to prove yourself through febrile activity, you run the risk of ending up trapped in an operational box. If you use it to listen, set rhythm, and build trust, you will position yourself as a strategic leader. The first 100 days are not about speed—they’re about understanding, structuring and sequencing.
In its first half, the book introduces a specific framework around the first 100 days. Can you explain this in simple terms?
It breaks the first 100 days into three leadership phases: the first six days, six weeks, and six months. The first six days are about observation—listening deeply to understand culture, power dynamics, and decision-making. The next six weeks are about alignment—structuring governance, clarifying priorities, and beginning to control the narrative. The next six months are about embedding and structuring execution—delivering quietly, institutionalising rhythm, and building maturity into the organisation. More than a framework, this is really a leadership rhythm.
You reject the common advice that new CISOs should aim for “quick wins”. Why?
Quick wins may feel productive, but they are often politically and strategically damaging. They often create activity without context, and they risk positioning the CISO as a tactical operator rather than a strategic leader. Credibility and trust should always precede change. A CISO who acts before understanding fully the organisational dynamics is likely to create resistance. Influence is not earned through noise, but through proportion and trust.
You frame cybersecurity primarily as a leadership and governance challenge, not a technical one. Why is that important?
Technology is only ever an enabler. The root causes of cybersecurity failure are rarely technical; they are managerial in essence—poor governance, unclear accountability, misaligned risk appetite, weak culture. Until CISOs embrace their role as leaders of organisational behaviour and governance, not just technology stack owners, they will never unlock long-term impact.
In its second half, the book shifts into how CISOs build sustainable influence beyond the first six months. What changes at that point?
Once you have established credibility and rhythm, your leadership posture must evolve. You need to move from driver to steward, from initiating change to sustaining it. This is where governance becomes architecture, culture becomes reinforcement, and resilience becomes strategic advantage. The real test of maturity is whether the organisation performs without your constant intervention.
You talk a lot about trust as a measurable asset. How does a CISO create trust at executive level?
Trust is not built through technical detail; it’s built through narrative and consistency. Boards and CEOs want clarity, proportion, confidence and quiet, reliable execution—not alarmism. CISOs build trust when they speak the language of enterprise value, when they demonstrate control without drama, when they get things done, and when they show that cybersecurity is being managed as a structured business function, not a series of technical projects.
What is the single biggest misconception about the CISO role today?
That the job is primarily about preventing breaches. In the “when-not-if” era, breaches are probably unavoidable, so the role has to go beyond that. The real job is about ensuring the organisation can operate with confidence despite risk. That means building resilience, governance alignment, cultural buy-in, and strategic credibility in terms of operations and delivery.
What do you hope this book will change in the industry?
I want to shift the conversation from technology, tools and incidents to leadership and maturity. That’s at the core of what I have been writing and speaking about over the past ten years. If this book helps one CISO move from firefighting mode to strategic influence—if it helps one board understand that cybersecurity is a management discipline, not a technical hobby—then it will have achieved its purpose.
If you had to summarise your message in a single sentence?
Your first 100 days as CISO are not about proving what you know—they are about showing who you are as a leader. Success in the first 100 days lies not in speed, but in humility, discipline, proportion and structure: That’s the way to build trust with business leaders and the pathway to lasting impact.
JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.
He is a leading strategic advisor and a globally-recognised cyber security thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
French and British national, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.
