Solo Security Engineer First 30 Days: What to Do When You're the Entire Security Team

Your job in week 1 is to understand the business, not to audit the technology.

Stakeholder interviews to schedule before day 5:

What you're really listening for:

• What incidents or close calls happened before you arrived (these define your real threat landscape)
• What security requests have been rejected and why (these define your political constraints)
• What compliance obligations exist and their deadlines (these define your near-term deliverables)
• Who are the informal power brokers who make things happen (these define your coalition)

In parallel with interviews, map everything that exists. You cannot risk-rank what you don't know about.

Cloud accounts:

# AWS: list all accounts in your organization
aws organizations list-accounts --query 'Accounts[].{ID:Id,Name:Name,Email:Email,Status:Status}'

# AWS: find all regions with active resources
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  count=$(aws ec2 describe-instances --region $region \
    --query 'length(Reservations[].Instances[])' 2>/dev/null || echo 0)
  [ "$count" -gt 0 ] && echo "$region: $count instances"
done

# GCP: list all projects
gcloud projects list --format='table(projectId,name,createTime)'

# Azure: list all subscriptions
az account list --query '[].{Name:name,ID:id,State:state}' -o table

SaaS applications: Ask IT for the SSO configuration (Okta, Entra ID, Google Workspace). Every application in SSO is known; every application outside SSO is shadow IT. Export the list:

# Google Workspace: list connected third-party apps (requires admin)
gam all users show tokens | grep clientId

# Okta: list active applications
okta-sdk apps list --active true

Document as a simple spreadsheet:

Asset Type | Name | Owner | Data Classification | Internet Exposed | Last Reviewed
AWS Account | prod-main | CTO | Confidential | Yes | Never
AWS Account | dev-sandbox | Engineering | Internal | Partial | Never
SaaS: Salesforce | Salesforce CRM | Sales | Confidential | Yes | Never
SaaS: Notion | Company wiki | IT | Internal | No | Never

These are the actions that give you visible results before you've asked for budget or headcount. Complete all five before your first formal security update to leadership.

Quick win 1: Enable MFA everywhere it isn't Check: Google Workspace admin console, M365 admin center, AWS IAM, GitHub org settings, Okta (if used). For Google Workspace:

Admin console > Security > 2-Step Verification >
Enforcement: On for all users
Grace period: 1 week

Quick win 2: Enable audit logging in cloud accounts

# AWS: enable CloudTrail in all regions if not already on
aws cloudtrail create-trail --name org-audit-trail \
  --s3-bucket-name your-audit-log-bucket \
  --is-multi-region-trail
aws cloudtrail start-logging --name org-audit-trail

# GCP: verify audit logs are enabled
gcloud projects get-iam-policy PROJECT_ID \
  --flatten="auditConfigs" --format='table(auditConfigs.service,auditConfigs.auditLogConfigs)'

Quick win 3: Stale admin account audit

# AWS: find IAM users with console access who haven't logged in >90 days
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | \
  base64 -d | \
  awk -F, '$5=="true" && $6!="N/A" && $6<"2026-02-01" {print $1, $6}'

For each stale admin account: contact the account owner, disable if no response in 5 business days, delete after 30 days.

Quick win 4: Enforce a password manager If the company doesn't have 1Password, Bitwarden, or similar: get one, typically $3-5/user/month. This is the single highest-ROI security spend available. Send IT a request and get it approved before the end of week 2. Roll it out in week 3-4.

Quick win 5: Verify backups exist and are restorable

# AWS RDS: list automated backup status
aws rds describe-db-instances \
  --query 'DBInstances[].{ID:DBInstanceIdentifier,BackupRetention:BackupRetentionPeriod,Status:DBInstanceStatus}'

# Test restore on a dev instance -- do NOT skip this step
# A backup that has never been restored is not a backup

Document which critical systems have tested backups and which don't. This list becomes your first risk register entry.

With interviews done and quick wins complete, you now have enough context to write your first risk register.

Risk register template (start with 5-10 items max):

Risk | Likelihood | Impact | Current Controls | Risk Score | Owner | Target Mitigation | Date
No MFA on admin accounts | High | Critical | None | Critical | CTO | MFA enforced | Completed
No incident response plan | Medium | High | None | High | CISO | Draft IR plan | 2026-06-30
Third-party vendors with overprivileged access | High | High | No process | High | CTO/Legal | Vendor access audit | 2026-07-15
No data classification policy | Medium | Medium | None | Medium | CEO/Legal | Policy drafted | 2026-07-31
Untested backup and recovery | High | Critical | Backups exist, untested | High | IT/Eng | Restore test completed | 2026-06-15

Policy foundation (minimum viable set for year 1): Do not write 20 policies. Write 4 that people will actually read and reference:

1. Acceptable Use Policy (AUP): What employees can and cannot do with company systems. 2 pages max.
2. Access Control Policy: Who grants access, how, and the process for removing access when someone leaves.
3. Incident Response Policy: Who to call when something goes wrong, in what order, and what to document.
4. Data Classification Policy: What data categories exist (Public, Internal, Confidential, Restricted) and how each must be handled.

Get these reviewed by legal and signed off by the CEO before you go further. Policy without sign-off is not policy.

Being a solo practitioner means the opportunity cost of everything is everything else. Here is what to put off:

Do not:

• Write a security awareness training program (use a SaaS vendor if you need to check the compliance box; build a custom program in year 2)
• Stand up a SIEM (you don't have the alert triage capacity to use it; implement logging first, SIEM later)
• Purchase a vulnerability scanner (if you don't have a team to remediate findings, scanning creates more noise than value; address the obvious high-risk gaps manually first)
• Build a compliance program from scratch (if SOC 2 or ISO 27001 is required, engage a consultant for the framework; your job is to own the controls, not the methodology)
• Implement a zero-trust architecture (this is a multi-year program; focus on the fundamentals: MFA, least privilege, logging)

The test for whether to take on a project in month 1-3:

1. Does this directly reduce a top-5 risk I've already identified?
2. Can I complete it without cross-functional dependencies or budget approval?
3. Will completing it give me the political capital to tackle the next harder thing?

If the answer to at least two of these is yes, do it. Otherwise, put it in the backlog.

At 90 days, schedule a 30-minute meeting with your executive sponsor (CEO, CTO, or whoever hired you). The goal: get alignment on your top 3 priorities for the next 6 months and the resources needed.

90-day update structure:

1. What I found (5 minutes)
   "The asset inventory identified X cloud accounts, Y SaaS applications, 
   and Z vendors with access to our systems. The most significant risks are [3 items]."

2. What I fixed already (5 minutes)
   "In the first 30 days, without additional budget, I: enabled MFA for all 
   admin accounts, turned on cloud audit logging, removed 12 stale accounts, 
   enrolled the company in a password manager, and verified our backups are 
   restorable. These actions address [specific risk] that previously existed."

3. The three things that need executive decision (15 minutes)
   "There are three risks I cannot address alone. Each requires either budget, 
   headcount, or a decision only you can make:
   (1) [Risk + specific ask]
   (2) [Risk + specific ask]
   (3) [Risk + specific ask]"

4. What I am NOT doing and why (5 minutes)
   "I am deliberately not pursuing [X, Y, Z] because [reason]. If you think 
   any of these should be reprioritized, let me know."

This structure demonstrates competence (you found real things), results (you fixed things without asking for help), and strategic thinking (you know what to ignore). It also gives leadership a chance to redirect priorities before you invest further in the wrong direction.