Building an IT Function From Zero
What the first 90 days look like when you stand up IT and security for a growing company.
I have built the IT and information-security function from nothing more than once: at an aerospace company spanning the US and EU, at a wellness startup across two states, and for clients in between. The context changes. The first moves rarely do.
Days 1 to 30: see clearly
You cannot fix what you cannot see. The first month is inventory and triage:
- Identities and apps: who has access to what, and through which login.
- Devices: how many, managed or not, and who owns them.
- Spend: every SaaS subscription, contract, and renewal date.
- Risk: the one or two things that would genuinely hurt if they failed tomorrow.
This is unglamorous and it is the entire foundation. Most surprises, and most savings, hide in this list.
Days 30 to 60: stabilize
Now put in the controls that stop the bleeding. Single sign-on with MFA. Centralized device management. A real onboarding and offboarding process so access tracks reality. A help channel so people stop solving problems in side conversations. The goal is not perfection; it is a floor you can build on.
Days 60 to 90: make it scale
With the basics in place, shift from reactive to deliberate. Write the handful of policies that actually matter. Renegotiate the contracts you flagged in week two. Set a simple operating cadence with a few metrics leadership cares about. Hire or contract for the gaps you cannot cover alone.
The mindset
Building IT from zero is not about buying the most tools. It is about sequencing: visibility, then stability, then scale. Owning the budget, the audit, and the board update at the same time teaches you to spend effort where it compounds. That execution-first mindset is exactly what early-stage and mid-market companies need, and it is what Gemenon is built to bring.