You're the Only Security Person at Your Company. Here's Your 90-Day Plan.
Being the sole security person at a growing company is one of the most overwhelming jobs in technology. This 90-day framework shows you exactly where to start, what to prioritise, and how to make your programme visible to leadership.

Being the sole security person at a growing company is one of the most overwhelming jobs in technology. You're responsible for everything, resourced for very little, and expected to have answers for threats that large enterprise teams address with entire departments. This is the plan no competitor will write for you.
If you've just been handed responsibility for security at a company that has never had a dedicated security person, welcome to one of the most disorienting roles in technology. You're not a CISO at a Fortune 500 with a team of analysts, a six-figure threat intelligence budget, and a SIEM that someone else configured. You're the person who is also fielding IT support tickets, negotiating SaaS contracts, and wondering whether to fix the printer or patch the web server first.
This guide is not written for enterprise security teams. It is written for you.
The 90-day framework below is based on the principle of starting with visibility, not perfection. The single biggest mistake new solo security managers make is trying to implement a complete security programme from day one: writing policies nobody reads, deploying tools nobody knows how to use, and burning out before the first quarter is over. The right approach is to start by understanding what you actually have, what is already exposed, and what matters most, then build from there.
Before Day 1: Set the Right Expectations
The most important conversation you need to have is not with your firewall vendor. It is with your leadership team. Before you begin any technical work, you need agreement on two things:
1. What does "security" mean to this organisation? Is the primary concern regulatory compliance (GDPR, ISO 27001, SOC 2)? Protecting customer data? Preventing ransomware? Brand protection? The answer determines where your first 90 days go. A professional services firm in a GDPR-regulated environment has different priorities to a SaaS startup worried about competitor espionage.
2. What is the acceptable level of risk? You cannot eliminate risk. You can only manage it. Leadership needs to understand that security investment is a risk-reduction decision, not a risk-elimination decision. Getting alignment on this prevents the "why weren't we protected?" conversation after an incident, and it starts with you asking the question before anything goes wrong.
The trap to avoid: Don't spend your first month writing an information security policy. Policies without visibility into your actual risk posture are theatre. Get visibility first. Then write the policies that reflect what you actually found.
Days 1 to 30: Get Visibility
The entire first month has one goal: understand your attack surface. You cannot protect what you cannot see, and you almost certainly have assets, exposures, and gaps that nobody in your organisation knows about.
Week 1: External Attack Surface Discovery
Your first move is to understand what the internet can see about your organisation. This means: every internet-facing domain, subdomain, IP address, open port, web application, cloud resource, and SSL certificate associated with your company's primary domain and any subsidiary domains.
Most organisations are surprised by this. Common discoveries from first external scans include:
- Forgotten development or staging subdomains running outdated, unpatched software
- SSL certificates that have expired or are within 30 days of expiry
- Open ports on cloud resources that were provisioned and forgotten
- Admin panels accessible from the internet that should be internal-only
- Domains and subdomains registered by previous marketing teams pointing at long-dead services. A DNS record that still points at a cloud resource which has since been deprovisioned can sometimes be claimed by an attacker (a subdomain takeover), so delete the stale records rather than just noting them
You do not need a complex tool to do this. A free external scan using a platform like CyberInsights will surface this automatically for your domain in under 10 minutes. The output becomes your baseline, the foundation everything else is built on.
Week 2: Credential and Dark Web Exposure Check
Your second priority is finding out whether any employee credentials are circulating on the dark web. This is not a theoretical exercise. Compromised credentials are responsible for 41% of breaches. If an employee's email and password from a LinkedIn breach in 2016 are still being used for their corporate login in 2025, you have an active risk that requires no hacking to exploit. All it takes is a login attempt.
Check your primary email domain against dark web breach databases. A good dark web monitoring tool will tell you which employee email addresses have appeared in known breach datasets, what type of data was exposed, and when. Start with this list sorted by severity; compromised credentials for senior employees, finance team members, or IT staff are your highest priority.
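The domain lookup above tells you whose addresses appear in breach datasets. A complementary check a practitioner can add at password-set or reset time is whether the password itself appears in a breach corpus, without ever sending the password (or its full hash) to anyone. The following is an added example, not code from the original page or from any product it mentions. It implements the Pwned Passwords k-anonymity range lookup: only the first five hex characters of the SHA-1 hash leave the machine, and the full suffix is compared locally. The breach corpus and its counts are constructed stand-ins, and the range endpoint is simulated by `fake_range_lookup`; `fetch_range` shows the real call against `https://api.pwnedpasswords.com/range/<prefix>` but is not invoked here, so the block runs offline.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach corpus (assumption for the example; the
# counts are invented). A real lookup fetches
# https://api.pwnedpasswords.com/range/<first 5 hex chars> and receives lines of
# "<remaining 35 hex chars>:<count>" for every breached hash sharing that prefix.
BREACHED_PASSWORDS = {"password123": 126927, "Summer2016!": 412, "letmein": 101}


def fake_range_lookup(prefix: str) -> str:
    """Simulate the range endpoint: SUFFIX:COUNT lines for hashes with this prefix."""
    lines = []
    for pw, count in BREACHED_PASSWORDS.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (not called in this example)."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "solo-security-90-day-example"},  # HIBP requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """How many times `password` appears in the corpus (0 if never).

    Only the 5-character prefix is sent; the server cannot recover the full hash,
    let alone the password, from the prefix alone. The suffix match is done here.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def vet_new_password(password: str, range_lookup=fake_range_lookup):
    """Policy decision for a password-set/reset hook: reject anything ever breached."""
    n = breach_count(password, range_lookup)
    if n:
        return False, f"found {n} times in breach corpora"
    return True, "not found in breach corpora"


if __name__ == "__main__":
    for pw in ("password123", "Xq9$vLm2#pT7wR4z"):
        print(pw, "->", vet_new_password(pw))
```

Wire `vet_new_password` into whatever sets corporate passwords (an identity provider's password hook, a reset flow) and swap `fake_range_lookup` for `fetch_range`; a hit means the password must be rejected, regardless of how strong it looks. The same function run over a helpdesk reset flow is how you stop the "LinkedIn 2016 password, still in use" case in practice.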
Week 3: Vendor Inventory
Make a list of every third-party vendor, SaaS tool, and contractor that has access to your systems, customer data, or internal infrastructure. You don't need to assess all of them in week three. You just need to know they exist. Common discoveries: tools provisioned by employees who left two years ago and still have active API keys; contractors who have access to production systems they no longer work on; SaaS tools nobody remembers purchasing that are still billing monthly and still connected via OAuth to your Google Workspace.
Week 4: Threat Context
Now that you know what you have and what is exposed, add context: which threats are most relevant to your industry and company size right now? A retail business faces different active threats from a healthcare client portal. A quick review of threat intelligence for your sector, available through any threat monitoring platform, tells you which of your findings to prioritise first based on what attackers are actually doing, not just what scores highest on a theoretical severity scale.
| Stat | Detail |
|---|---|
| 30% | of external assets unknown to internal IT teams on average |
| 41% | of breaches start with compromised credentials |
| 72 hrs | from CVE disclosure to active exploitation in the wild |
| 10 min | to complete your first external exposure scan with CyberInsights |
Days 31 to 60: Fix the Critical Things
Month two is not about fixing everything. It is about fixing the things that would cause a bad day if exploited this week.
The Priority Stack
Take everything you found in month one and stack-rank it by the following criteria, in order:
Priority Framework for Solo Security Managers
- Internet-facing and a known active exploit exists: fix this week. No discussion. This is an open door with a sign on it. (Critical)
- Exposed credentials for privileged accounts: force password resets and enable MFA today, and revoke the account's existing sessions and API tokens as well, because a password reset on its own does not log out an attacker who already holds a session. A credential in a breach dump for an admin account is an incident waiting to happen. (Critical)
- Internet-facing systems with no authentication: any admin panel, dev environment, or internal tool reachable without a login needs to be put behind authentication (or a VPN) or taken offline. (Critical)
- Expired or expiring SSL certificates: these cause customer-visible errors, erode trust, and are trivially fixed. Resolve within the week. (High)
- Active typosquat domains or brand impersonation: if someone is running a phishing page impersonating your company, your customers are being targeted right now. Start takedown requests with the registrar and hosting provider. (High)
- Vendors with critical access and no security assessment: particularly any vendor handling customer data or connected to production systems. (High)
- Everything else: schedule, track, and revisit monthly. Not everything needs to be fixed this quarter. (Normal)
The Remediation Reality
You almost certainly cannot fix everything yourself. The critical finding on your web server requires your DevOps team. The credential exposure requires your HR team for the offboarding conversation and your IT team for the password reset. The vendor security gap requires a conversation with your procurement lead.
Your job in month two is not to be the person who fixes everything. It is to be the person who owns the list, assigns the right owners, tracks progress, and escalates the things that are not moving. This is a coordination and communication role as much as a technical one, which is not how most security managers think about their job, but it is how the most effective ones operate.
Days 61 to 90: Make It Visible
Month three is about building the infrastructure for ongoing security management, and making the work you have done visible to leadership. A security programme that leadership cannot see is a security programme that will not get resources in next year's budget.
Your First Internal Security Report
By the end of month three, produce a one-page internal security summary. It should contain:
- Your overall external risk score and what it means
- Number of critical findings identified vs. resolved in the first 90 days
- Dark web exposure events detected and responded to
- Key risks still open and the plan to address them
- What you need from leadership to continue making progress (budget, headcount, engineering time)
Do not write this in security language. Write it in business language. "We identified 14 critical vulnerabilities in our external-facing systems. We resolved 11 of them. The remaining 3 require engineering resources estimated at X days." Leadership can action that. "We have a CVSS 9.8 RCE in our Node.js runtime" they cannot.
Set Up Continuous Monitoring
The biggest risk for a solo security manager is that your visibility is still a point-in-time snapshot. The external scan you ran in week one was accurate in week one. New subdomains get provisioned. New credentials get exposed. New vulnerabilities get disclosed. Without continuous monitoring, you are back to flying blind within weeks of completing the initial assessment.
Automating the monitoring, so that new findings are flagged without requiring you to manually re-run scans, is the highest-leverage thing you can do in month three. It is also what converts you from being reactive (finding out about problems after they matter) to being proactive (knowing about problems in time to prevent them from mattering).
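Both the week-one external discovery list (new hosts, open ports on forgotten cloud resources, certificates within 30 days of expiry) and the continuous-monitoring point above come down to the same operation: diff today's scan against the baseline and flag only what changed or is about to break. The following is an added example, not code from the original page or from any scanning product; it assumes a snapshot shaped as host -> open ports and certificate expiry, which is a format you would export from whatever scanner you use. The two snapshots and the scan date are constructed sample data, and the list of ports treated as sensitive is an assumption for the example.

```python
from datetime import date

# Constructed sample snapshots. In practice each is an export of your external
# scanner on a given day; only the shape matters to the diff.
BASELINE = {
    "www.example.com": {"ports": [443], "cert_not_after": "2026-03-01"},
    "api.example.com": {"ports": [443], "cert_not_after": "2025-12-15"},
}
CURRENT = {
    "www.example.com": {"ports": [443], "cert_not_after": "2026-03-01"},
    "api.example.com": {"ports": [443, 22], "cert_not_after": "2025-12-15"},
    "staging.example.com": {"ports": [80, 8080], "cert_not_after": None},
}
SCAN_DATE = date(2025, 11, 20)  # constructed "today" for the example

# Services that should not face the internet without review (assumption).
SENSITIVE_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 5900: "VNC", 6379: "Redis", 9200: "Elasticsearch",
    27017: "MongoDB",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "info": 2}


def diff_snapshots(baseline, current, today, cert_warn_days=30):
    """Return (severity, message) findings for what changed since the baseline.

    New hosts and newly opened ports are flagged; a new port from SENSITIVE_PORTS
    is escalated to critical. Certificates that have expired or expire within
    cert_warn_days are flagged even if nothing else changed, since time alone
    turns a healthy baseline into an outage.
    """
    findings = []
    for host, data in current.items():
        base = baseline.get(host)
        if base is None:
            findings.append(("high", f"new internet-facing host: {host} (ports {sorted(data['ports'])})"))
            new_ports = set(data["ports"])
        else:
            new_ports = set(data["ports"]) - set(base["ports"])
            for p in sorted(new_ports):
                findings.append(("high", f"new open port on {host}: {p}"))
        for p in sorted(new_ports & set(SENSITIVE_PORTS)):
            findings.append(("critical", f"{SENSITIVE_PORTS[p]} ({p}) exposed on {host}"))
        not_after = data.get("cert_not_after")
        if not_after:
            days_left = (date.fromisoformat(not_after) - today).days
            if days_left < 0:
                findings.append(("high", f"certificate for {host} expired {-days_left} days ago"))
            elif days_left <= cert_warn_days:
                findings.append(("high", f"certificate for {host} expires in {days_left} days"))
    # Hosts that vanished are worth a look too: decommissioned on purpose, or DNS broken?
    for host in sorted(baseline.keys() - current.keys()):
        findings.append(("info", f"host no longer seen: {host} (confirm it was decommissioned on purpose)"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def example_findings():
    """The diff for the constructed snapshots above."""
    return diff_snapshots(BASELINE, CURRENT, SCAN_DATE)


if __name__ == "__main__":
    for severity, message in example_findings():
        print(f"[{severity.upper()}] {message}")
```

Run this from a scheduled job after every automated scan, store each day's snapshot, and route anything rated critical to you the same day; the high and info items roll into the monthly review. Keeping the snapshots is what produces the trend data (hosts, open ports, findings resolved) that the month-three report and the budget conversation need.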
Establish the Monthly Cadence
The output of continuous monitoring should feed a monthly security review, either a brief internal meeting or a written summary that goes to your manager and relevant leadership. A consistent monthly cadence does three things: it keeps you accountable, it builds the trend data you will need when you ask for budget, and it normalises security as an ongoing management concern rather than something that only gets attention after an incident.
What the 90-Day Plan Does Not Cover
To be clear about scope: this 90-day plan is focused on external risk visibility and the most impactful early actions. It does not cover internal endpoint management, email security configuration, identity and access management maturity, or a complete policy library, all of which matter, but none of which are the right place to start when you have limited time and are starting from zero visibility.
The principle is: start with what an attacker would see. An attacker does not begin with your password policy document. They begin by scanning your external attack surface, looking for exposed credentials, and checking whether your brand has any impersonation infrastructure. Starting where they start gives you the fastest path to meaningful risk reduction.
The Mindset Shift That Makes the Difference
The most effective solo security managers are not the ones who know the most about security. They are the ones who have accepted that they cannot know everything, cannot fix everything, and cannot do it alone, and have built a programme that reflects that reality.
Prioritise ruthlessly. Communicate constantly. Automate wherever possible. And remember that your job is not to be the person who keeps your organisation safe from every threat. Your job is to be the person who makes sure your organisation knows what threats it faces, makes informed decisions about which ones to address, and has a visible, improving security posture. That is achievable from day one. The alternative, trying to build a complete enterprise security programme as a team of one, is not.
Frequently Asked Questions
Where should a solo security person start?
Start with external attack surface visibility. Before writing policies, deploying tools, or building processes, you need to know what internet-facing assets your organisation has, what is exposed, and what credentials are already circulating in breach datasets. A free external scan of your primary domain gives you a factual baseline in under 10 minutes, and that baseline determines everything you do next.
What security tools does a one-person team need?
At minimum, you need an external attack surface monitoring platform, a dark web credential monitoring service, and a way to track findings and remediation progress (even a spreadsheet works initially). You do not need a SIEM, a SOAR platform, or an endpoint detection tool on day one. Those come later once you have visibility into your actual risk posture and can justify the investment with data.
How do you prioritise security work with limited resources?
Use the principle of attacker-first prioritisation: fix what an attacker would exploit this week before fixing what scores highest on a theoretical severity scale. Internet-facing systems with known active exploits come first, followed by exposed credentials for privileged accounts, then unauthenticated admin panels. Everything else gets scheduled and tracked monthly. The goal is risk reduction per hour of effort, not completeness.
When should a solo security person escalate to leadership?
Escalate immediately when you find a Critical-severity exposure that requires engineering resources you do not control, when remediation timelines are slipping on high-risk items, or when you discover a risk that exceeds the organisation's stated risk appetite. Present findings in business language with clear impact statements. Leadership responds to "this exposure could result in a data breach affecting 50,000 customer records" far more effectively than "we have a CVSS 9.8 RCE on our edge server."
Ready to see Scrutex in action?
Sign up free or book a live demo. Most teams are up and running in under 10 minutes.