The 5 Identity Decisions a CISO Makes in the First 90 Days

  • BluEnt
  • IT Security
  • 02 Jul 2026
  • 7 minutes

Five identity decisions land on a new CISO’s desk in the first quarter. They look independent. They’re not — each one constrains the next three. This article walks through the five, the trade-offs we see CISOs underestimate, and the counsel we give in our Stage 1 reviews. Read it before you commit budget for the year ahead.

A new CISO joins a regulated enterprise on a Monday. By the second Friday, five identity questions are on the desk. Which platform should we consolidate around? How aggressive should our MFA rollout be? Do we buy a PAM tool or extend what we already have? Should JML automation be built in-house or outsourced? And the one nobody asks unprompted: how will we measure whether any of this is working?

Most CISO advisory content treats these as independent decisions. In our experience, they’re not. Each one constrains the next three. Pick the wrong platform consolidation and the MFA rollout becomes politically harder. Defer the measurement decision and you’ll find yourself eighteen months in unable to justify the program to the CFO. The decisions are sequential, and getting the order right matters more than getting any one of them perfect.

What follows is the framework we use when we sit down with newly appointed CISOs in our Stage 1 reviews. Five decisions, the trade-off each one really hinges on, and the counsel we give based on patterns from engagements across the four verticals our practice serves.

If you’re reading this in week one

Resist the urge to make all five decisions in the first month. The CISOs we’ve watched succeed make Decisions 1 and 5 in the first quarter and let Decisions 2, 3, and 4 follow from those. The CISOs who struggle make Decisions 2, 3, and 4 first and try to reverse-engineer 1 and 5 afterward.

Why These Five (and Not Twelve)

Identity programs sprawl. A new CISO could in theory worry about authentication factors, identity provider choice, attribute sources, IGA modules, CIAM separation, machine identity, certificate lifecycle, secrets management, and so on. All of those matter eventually. None of them get traction until the five decisions below are settled.

We picked five because in our engagements that’s the number that consistently produces an executable program. Fewer than five and the program is too vague; more than five and the new CISO loses momentum trying to decide everything at once. Five is also the count our clients consistently take to the audit committee in the first quarter when asked “what’s your plan?”

Before reading further, the platform-choice context for Decision 1 is in our companion piece, Entra ID vs Okta: A Practical Decision Framework. This article assumes that decision is downstream of the five strategic questions below.

The Five Decisions, in Order

Decision 1: Declare your primary identity control plane

The question on the table: Will the organization consolidate around a single primary platform (Entra ID, Okta, or another), or will it accept that two coexist and define which one is the source of truth?

The trade-off most CISOs underestimate: Most new CISOs think this is a tooling decision. It’s actually a political decision. The platform that loses primary status will lose budget, lose roadmap attention, and slowly atrophy. The teams running the losing platform know this. That’s why a clean technical answer often takes three months of organizational work to actually implement. Underestimate that and Decisions 2 through 4 stall.

What we’d counsel: Make the call in the first sixty days, even if the migration takes eighteen months. Declare publicly. The single tenant rule we apply: organizations with two healthy tenants of either product spend more on identity than organizations with one slightly imperfect tenant. Don’t optimize for feature parity. Optimize for the platform you can actually consolidate onto with the least political friction.

Decision 2: Set the MFA target state and sequence

The question on the table: What’s the destination MFA posture (which factors, which user populations, what coverage percentage), and what’s the rollout sequence to get there?

The trade-off most CISOs underestimate: The temptation is to roll out FIDO2 or hardware keys universally as the goal. Adoption friction is the real constraint. We’ve seen ambitious MFA programs stall at sixty percent coverage because the remaining forty percent had legitimate edge cases (kiosk users, field engineers, integrations) that nobody planned for. The trade-off most CISOs underestimate is that the last twenty percent of MFA coverage takes as long as the first eighty.

What we’d counsel: Sequence the rollout. Administrators on phishing-resistant factors (FIDO2) in the first ninety days. Standard workforce on push-based MFA with number matching in the first six months. Edge cases (kiosks, field, integrations) planned in months six through twelve with explicit compensating controls where MFA truly cannot work. Set a coverage target that’s an honest reflection of the architecture, not a vanity number.


Decision 3: Choose the JML automation approach

The question on the table: Will Joiner-Mover-Leaver workflows be engineered in-house, bought as part of an IGA platform, or partnered with a managed service?

The trade-off most CISOs underestimate: Most new CISOs assume this is a tooling decision. It’s actually a sustained engineering commitment. JML automation is not configured once; it’s maintained as your SaaS estate changes. Every new application is a new SCIM connector, a new attribute mapping, a new role design. Underestimate the maintenance load and the program slips in year two. The trade-off most CISOs miss is that build-in-house looks cheaper at proposal time and is rarely cheaper at year three.

What we’d counsel: Buy the IGA platform; partner on the integration backlog. Entra ID Governance or Okta Identity Governance handle the platform layer. A partner (BluEnt or another) accelerates the integration backlog and adds connectors as new applications onboard. The in-house team owns the day-two operating model: attestations, exception handling, change advisory. This division has worked across our engagements.

Decision 4: Decide the privileged access architecture

The question on the table: Will privileged access be controlled through a dedicated PAM platform (CyberArk, BeyondTrust, HashiCorp Vault), through native cloud-IDP features (Entra PIM, Okta Privileged Access), or both?

The trade-off most CISOs underestimate: The standard advice is to deploy a PAM platform. The trade-off most CISOs underestimate is that PAM platforms are heavyweight programs requiring six to nine months of design, vault migration, and operational change. New CISOs frequently buy the tool, take six months to deploy it, and discover the cloud-native PIM features would have covered seventy percent of the use case in six weeks. The other thirty percent is real, but it’s worth checking whether it’s a year-one problem.

What we’d counsel: Lead with native cloud-IDP privileged features in months one through three (Entra PIM or Okta Privileged Access). Address the highest-risk on-premise and break-glass scenarios. Reassess in month six whether a dedicated PAM platform is needed for the residual scope. If the answer is yes, scope it deliberately rather than as a default buy. Most enterprises end up running both eventually; the order matters.

Decision 5: Define the measurement framework before you need it

The question on the table: How will the identity program report progress and effectiveness to the audit committee, the CFO, and the board?

The trade-off most CISOs underestimate: This is the decision most often deferred. It feels less urgent than the other four. But not defining measurement in the first quarter means that twelve to eighteen months in, when the CFO asks “what are we getting for the spend?”, the answer is anecdotal. Identity programs that can’t show measurable progress lose budget in year two regardless of how well they’re actually running.

What we’d counsel: Define four to six identity KPIs in the first thirty days and start collecting baseline data in week one. The ones we see work consistently: MFA coverage by user population, JML SLA compliance, quarterly access review completion rate, orphan-account count, privileged-account exposure (time-on-elevation). Report these to leadership monthly from month one onward, even when the numbers look bad. The trajectory becomes the story.
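A baseline calculation for three of the KPIs named above (MFA coverage by user population measured against the Decision 2 target factors, orphan-account count, and time-on-elevation), as an added example in Python that is not part of BluEnt's article; the directory records, population targets and activation log are constructed sample data.

```python
"""Baseline identity KPIs from constructed sample data (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed directory export joined with HR status: one row per account.
ACCOUNTS = [
    {"id": "a.admin", "population": "admin", "methods": ["fido2"], "hr_active": True},
    {"id": "b.admin", "population": "admin", "methods": ["push"], "hr_active": True},
    {"id": "c.user", "population": "workforce", "methods": ["push"], "hr_active": True},
    {"id": "d.user", "population": "workforce", "methods": [], "hr_active": True},
    {"id": "e.user", "population": "workforce", "methods": ["sms"], "hr_active": False},
    {"id": "kiosk1", "population": "edge", "methods": [], "hr_active": True},
]

# Target factor classes per population, following the Decision 2 sequence:
# admins on phishing-resistant factors, workforce on push, edge cases planned later.
TARGET = {
    "admin": {"fido2"},
    "workforce": {"fido2", "push"},
    "edge": {"fido2", "push", "sms"},
}

# Constructed PIM-style activation log: (account, activation start, activation end).
ELEVATIONS = [
    ("a.admin", "2026-06-01T09:00", "2026-06-01T10:30"),
    ("b.admin", "2026-06-02T08:00", "2026-06-02T20:00"),
]


def mfa_coverage(accounts):
    """Percent of accounts per population that hold a factor meeting that population's target."""
    totals, met = defaultdict(int), defaultdict(int)
    for acct in accounts:
        pop = acct["population"]
        totals[pop] += 1
        if set(acct["methods"]) & TARGET[pop]:
            met[pop] += 1
    return {pop: round(100 * met[pop] / totals[pop], 1) for pop in totals}


def orphan_accounts(accounts):
    """Accounts still present in the directory with no active HR record (unprocessed leavers)."""
    return [acct["id"] for acct in accounts if not acct["hr_active"]]


def time_on_elevation(elevations):
    """Total elevated hours per privileged account; long activations signal standing privilege."""
    hours = defaultdict(float)
    for acct, start, end in elevations:
        delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        hours[acct] += delta.total_seconds() / 3600
    return dict(hours)
```

Run monthly against the same exports and the three results become the trajectory the article recommends reporting.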

Where we disagree with the standard CISO advice

Most onboarding-CISO content focuses on the tactical wins of the first ninety days. We think the first ninety days should produce two things: Decision 1 (publicly declared) and Decision 5 (baseline established). The other three decisions follow naturally once those two are locked. CISOs who try to make all five in the first quarter end up making none of them defensibly. CISOs who make Decisions 1 and 5 quickly and let 2, 3, and 4 follow tend to be the ones still running the program three years later.

A Story From the Last Year

A new CISO joined a 1,200-person SaaS organization in early 2025. The previous CISO had departed mid-program. Identity was running on a hybrid of Entra ID and Okta with no declared primary, MFA at seventy percent coverage, JML mostly manual, and no measurement framework at all.

The new CISO made two calls in the first sixty days. Decision 1: Okta as primary, with Entra ID consolidated by end of year. Decision 5: four KPIs reported monthly to the audit committee starting in week three, even though the initial numbers were embarrassing. Decisions 2, 3, and 4 followed naturally over the next six months because Decisions 1 and 5 constrained them.

Eighteen months in, the program had visibly improved on all four KPIs. The CFO approved a renewal of the program budget with no debate because the trajectory was undeniable. The CISO told us later that the second decision (the measurement framework) was the one she’d consider the most important. Without it, every later conversation would have been a debate about whether the program was working. With it, the conversation was about how to accelerate.

If You’re a CISO Reading This in Week One

The five decisions above will land on your desk regardless of what we recommend. The question is whether you make them in the order that produces a defensible program or in the order that produces ninety days of activity without traction.

Our practice supports new CISOs through this period: Stage 1 review of the inherited environment, decision framework workshop with leadership, measurement baseline established within thirty days, and a ninety-day plan documented for board review. We do not run the program for you (you run it, with whatever team you have); we accelerate the moments where outside perspective is most valuable.

For the IAM operating model the five decisions are made against, see our Identity and Access Management service page. For the cybersecurity practice that supports the broader program, see the IT Security and Cybersecurity Hub.

Citation: BluEnt. "The 5 Identity Decisions a CISO Makes in the First 90 Days." Jul. 02, 2026, https://www.bluent.com/blog/ciso-identity-decisions-first-90-days.