Starting Strong: Taming AppSec Chaos from Day One
This is an excerpt from Starting Strong: Taming AppSec Chaos from Day One: A 30/60/90 Guide to Help New AppSec Leaders Hit the Ground Running. Complete the form below to gain access to the full report.
Introduction
The moment you accept an offer for a new role as an AppSec leader, the challenges start. Whether you join a large enterprise or a small startup—and whether your title calls you a Team Lead, a Director, a VP, or something else—you start on Day 1 with a limited understanding of the environment you’re getting yourself into.
To create this guide, we interviewed experienced AppSec leaders on how they see the challenges and opportunities offered by a brand-new role in the first 90 days on the job.
Every one of our interviewees agreed: the first 90 days in an AppSec leadership role can make or break your long-term impact. Jump in too fast, and you risk fighting fires reactively instead of setting strategic priorities. Spend too much time observing without action, and security debt piles up while developers stick to old habits. The key is striking the right balance—building relationships, assessing gaps, and securing quick wins—so that by day 90, you're not just reacting to risks, but driving real, iterative security improvements.
Understanding Your Domain: Foundations of Security Success
Discovery Phase (Days 1-30): Understanding Your Team and the Business Landscape
In your first month, multiple security leaders said to ignore any impulse to dive right into security architecture, tools, and challenges. Instead, they encourage a broader approach based on understanding business fundamentals.
Start Relationships Right: For this phase to be most successful, you’ll need to spend time meeting and beginning to build relationships with your counterparts in engineering, QA, DevOps, IT, and other security teams—as well as teams further afield, like customer success and marketing.
“Start by discovering as much as you can about the business—don’t ask so many AppSec questions,” said Naor Penso, VP of Product Security at FICO. “A good AppSec leader has a deep understanding of the business and how they deliver value to their customers.”
No Rabbit Holes: Teja Myneedu, Director of Security at Navan and formerly Director of Product Security at Splunk, puts the brakes on before delving too deep into security. “As a hands-on security engineer, I gravitate toward looking at source code and infrastructure, architecture diagrams, things like that,” he said. “I have to consciously stop myself before I dive deeper and say, ‘let’s not go down the rabbit hole, let me look at the big picture.’”
According to Myneedu, “It’s really crucial to understand breadth: overall, what does the company do? What do its products do? What kind of data do we have? That’s where I’d spend my first weeks, which will help me get clarity on where I need to dive deeper.”
Look Before You Leap: Even if you’re eager to roll out process changes, the first 30 days isn’t the right time. “Successful security strategies start with empathy, and that comes from developing relationships,” said Sumeet Jain, VP of Product Security at BeyondTrust. “Learn the lay of the land, how many customers, how many products. Get the relationship angle covered first, before showing people the problems and changing anything in the process.”
Observe Without Changing: One big security-related task for your first 30 days can be to learn what security tooling is being used across the organization—and make a note of any duplicate tools, where different teams use products that solve the same problem. You should also note where there are manual processes and handoffs that seem broken at any point in the SDLC, from design to deployment. You don’t need to change anything yet. Just write it down for your own reference.
Quick Win For Day 30: Model the Business
Making initial connections across departments and domains can help you map out a high-level model—either a mental or digital one—of the organization itself. According to Naor Penso, that model can be more valuable to more parts of the business than you think.
“The thing that distinguishes AppSec and product security leaders from everyone else is that they’re the only ones, along with their teams, who have a view of every part of the SDLC from the design phase to when clients are using it,” he said. “IT, engineering, architecture, account management, post-sales, professional services—everyone is siloed. Security people are the only ones who get to see the whole story.”
Because of that visibility, Penso said, “As an AppSec leader, you can create huge business value by creating an outline of how the business works. Here’s this process with many subprocesses, here’s how these teams fit together, here’s the handovers—and this one or that one is broken.”
By sharing this bird’s eye view of the business with your counterparts in other departments, you can start off relationships right, using your unique position in the organization to help others understand it better.
The Bottom Line: What Matters is the Bottom Line
While relationship building isn’t every AppSec leader’s favorite part of the job, skipping out on building this initial understanding can be a critical mistake. Change too much without enough business context, and you’ll find you’re costing the business more than you’re saving.
Penso said the focus on fundamentals and relationship building is a simple matter of business priorities: “Ultimately, the company’s job is to deliver software to clients and bring money in. If you don’t understand who the clients are and what you’re selling, you can’t meet those needs and solve for client demands.”
Checklist For Discovery Phase (Days 1-30):