What kills new CISOs in their first 90 days – it’s not attackers.

The pen test report. The risk register. The green dashboard. They feel like facts. They're not. They're a record of someone else's decisions, at a point in time that's already passed. And in your first 90 days as CISO, they'll shape everything you do, if you let them.

This is the first in a series of content supporting the CovertSwarm New CISO Series. The series explores the strategic and operational challenges new CISOs face, and why continuous offensive security testing (COST) is the only honest answer to an attack surface that never stops changing.
No email. No sign-up. Just the content — free, because it should be.

Download the whitepaper


Most new CISOs don’t fail because a sophisticated threat actor got through the perimeter.

They fail because they trusted a document.

A pen test report. A risk register. A “we passed the audit” email from the team they inherited. A dashboard showing green across the board. These things feel like facts. They’re not. They’re someone else’s interpretation of a moment in time that has already passed.

The attack surface you inherit on day one is not the attack surface you’ll own on day 90. And in those first 90 days, when the board is watching, budgets are being set, and you’re still learning the names of your own team, those inherited interpretations become your operational reality. You act on them. You report on them. You build your entire strategy on them.

That’s where it starts to go wrong.

You inherited a snapshot, not the truth

Nobody tells you this when you walk through the door.

Your predecessor didn’t hand you a security posture. They handed you a record of what security looked like at a specific point in time, filtered through their priorities and the budget they had available.

Every pen test in that folder? Probably 12 months old. Maybe more. Your infrastructure has changed since then. New code was shipped. A third-party integration went live. A developer spun up a staging environment and forgot to take it down. A contractor was onboarded to a cloud project and given permissions nobody reviewed. And the budget decisions your predecessor made are now shaping your risk profile whether you know it or not.

None of that is in the report.

The estate you actually own is not the estate that was tested. That gap is exactly where adversaries operate.

The dashboard problem

There’s something psychologically seductive about a security dashboard showing everything healthy.

You’re new. You don’t want to rock the boat immediately. The previous CISO left on decent terms. The team seems competent. The tooling looks solid. So, when the dashboard says green, there’s a powerful, perfectly human instinct to trust it.

Don’t.

Green dashboards reflect what your tools can see. Tools have blind spots. They have configuration gaps, detection logic built for known threats, and coverage that assumes your asset inventory is complete. In most organizations, it isn’t.

Your tools don’t report what they can’t see. And the dashboard calls everything it doesn’t know about green. You inherit a polished, misleading picture of a network that may be actively compromised right now.

It’s worth naming that for what it is: an assumption. The first of several you’ll face in year one. The three below are the ones that tend to do the most damage.

The three assumptions that do the most damage

“We tested this already.”

Annual penetration tests are project work. They have a start date, an end date, and a scope that was agreed months before the actual testing happened. By the time the report lands on your desk, parts of it are already stale.

That scope agreement? It excluded the newly acquired subsidiary. It didn’t include the mobile app that went to production last quarter. It stopped at the corporate perimeter and didn’t touch the OT network three floors down.

“We tested this already” is almost always “we tested part of this, under controlled conditions, a while ago.”

“Our current tools would catch it.”

This one is expensive to believe.

Detection tools are only as good as the threat intelligence they’re built on and the configurations the team applied. Threat actors don’t wait for vendors to update their detection logic. They use techniques your EDR has never seen. They chain together misconfigurations that individually look harmless and collectively hand them domain admin.

For your tools to catch anything, they need to be correctly tuned, current in their threat intelligence, and configured for your systems as they actually exist today. In most organizations, all three of those conditions are only partially true at any given moment.

“The risk register reflects our real risks.”

A risk register is a record of what someone decided to write down, through the lens of what they understood to be important, at the time they wrote it.

It isn’t a live picture of your exposure. It doesn’t update when your developers push new code. It doesn’t flag when a credential leaks on the dark web. It doesn’t know that the contractor who left six months ago still has an active account.

It reflects decisions. Not reality.

Before you report to the board, do this

The most dangerous thing a new CISO can do is accept the inherited narrative at face value.

The most useful thing? Attack your own estate before someone else does.

Not a compliance exercise. Not a framework audit. An adversarial simulation that treats your organization the way a motivated threat actor would. No agreed scope. No advance notice. No stopping at the edge of the corporate network because that’s where the last vendor stopped.

Here’s what that looks like in practice. First, map your actual attack surface the way an adversary would: forgotten subdomains, exposed APIs, third-party connections, shadow IT. Second, run a red team exercise with no pre-agreed constraints. See what gets found when there’s no scope to hide behind. Third, validate your detection.
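The first step above, and the “contractor who left six months ago still has an active account” point earlier, both come down to the same reconciliation: what the inherited report covered versus what you actually own today. The script below is an added example, not CovertSwarm’s code or tooling, that performs that reconciliation on constructed sample data. The hostnames, account names, dates and the 365-day staleness threshold are all assumptions; in practice the tested scope comes from the last report’s scope appendix, the inventory from DNS, cloud accounts and the CMDB, and the account list from the identity provider joined to HR leaver dates.

```python
"""Inheritance audit: reconcile the last pen test's scope against today's estate.

Added example with constructed data, not code from the original article.
"""
from datetime import date

# Assumption: "today" fixed so the example is reproducible.
TODAY = date(2025, 4, 1)
# Assumption: a report older than this is treated as stale.
STALE_AFTER_DAYS = 365

# Constructed: scope appendix from the inherited pen test report.
LAST_TEST = {
    "report_date": date(2024, 3, 15),
    "scope": {"www.example.test", "vpn.example.test", "mail.example.test"},
}

# Constructed: what DNS, cloud accounts and the CMDB say exists right now.
CURRENT_INVENTORY = {
    "www.example.test",
    "vpn.example.test",
    "mail.example.test",
    "staging-old.example.test",  # forgotten staging environment
    "api.mobile.example.test",   # mobile app backend shipped last quarter
    "erp.subsidiary.test",       # newly acquired subsidiary
}

# Constructed: identity-provider accounts joined to HR leaver dates (None = still employed).
ACCOUNTS = [
    {"user": "alice", "active": True, "left": None},
    {"user": "bob-contractor", "active": True, "left": date(2024, 10, 1)},
    {"user": "carol", "active": False, "left": date(2024, 1, 5)},
]


def untested_assets(tested_scope, inventory):
    """Assets you own that the last test never looked at: the real gap."""
    return sorted(inventory - tested_scope)


def retired_scope(tested_scope, inventory):
    """Assets in the report that no longer exist; findings about them are noise."""
    return sorted(tested_scope - inventory)


def report_age_days(report_date, today):
    """How far in the past the snapshot was taken."""
    return (today - report_date).days


def orphaned_accounts(accounts, today):
    """Active accounts whose owner has already left the organisation."""
    return sorted(
        a["user"] for a in accounts
        if a["active"] and a["left"] is not None and a["left"] < today
    )


def inheritance_audit(last_test, inventory, accounts, today=TODAY):
    """Summarise the distance between the inherited paperwork and the live estate."""
    scope = last_test["scope"]
    age = report_age_days(last_test["report_date"], today)
    return {
        "report_age_days": age,
        "report_stale": age > STALE_AFTER_DAYS,
        # Share of today's estate that the last test actually covered.
        "tested_coverage": len(inventory & scope) / len(inventory),
        "untested": untested_assets(scope, inventory),
        "retired": retired_scope(scope, inventory),
        "orphaned_accounts": orphaned_accounts(accounts, today),
    }


if __name__ == "__main__":
    result = inheritance_audit(LAST_TEST, CURRENT_INVENTORY, ACCOUNTS)
    print(f"Last report is {result['report_age_days']} days old "
          f"(stale: {result['report_stale']})")
    print(f"Tested coverage of today's estate: {result['tested_coverage']:.0%}")
    print("Never tested:", ", ".join(result["untested"]) or "none")
    print("Tested but gone:", ", ".join(result["retired"]) or "none")
    print("Active accounts for leavers:", ", ".join(result["orphaned_accounts"]) or "none")
```

The numbers this produces (report age, coverage percentage, the list of never-tested assets, the leaver accounts still enabled) are the kind of baseline the article argues for presenting to the board: they describe the estate as it is today rather than the one in the report. The untested list is also the natural starting scope for the adversarial exercise in step two.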

What you build from that process is your real security posture. Not the one in the report. Not the one on the dashboard. The one that exists today, shaped by every decision your predecessor made and every change the business has made since.

That’s the baseline worth presenting to the board. That’s the foundation a credible 90-day plan is built on.

Then keep going.

That’s what Constant Cyber Attack is built for. Not a periodic penetration test but a persistent offensive posture: monthly, full-spectrum simulations across digital, physical, and social attack surfaces, tracking your environment as it changes. New CISOs who run it in their first 90 days don’t just find the gaps their predecessors missed. They build the evidence base for every strategic decision that follows.

The inheritance problem doesn’t fix itself

Your instinct to take stock carefully before making moves is sound. Your instinct to trust the documentation you’ve been handed is not.

Documents describe intent and history. They don’t describe what’s happening on your systems right now. Adversaries aren’t working from your documentation. They’re probing your estate, looking for the thing nobody has noticed yet, the thing that wouldn’t show up on a dashboard, the thing your risk register has never heard of.

You need to be doing the same thing.

Because the attack surface you inherit on day one is not the attack surface you’ll own on day 90. And if you’re only testing in snapshots, you’re always reacting to a version of your infrastructure that no longer exists.

The CISOs who get through that first year with credibility intact aren’t the ones who trusted the inheritance. They’re the ones who questioned it, then replaced it with something real.

Burn the risk register


Everything new security leaders need to know about inheriting a broken posture — and how to fix it.

Download the whitepaper