TL;DR: The first 90 days in an IT management role determine whether you build credibility and make meaningful improvements, or inherit a mess you spend years cleaning up. This guide gives you a structured framework for understanding what you have inherited, triaging what needs urgent attention, and building a roadmap for sustainable improvement.
Why the First 90 Days Matter
New IT managers — whether they are dedicated IT professionals stepping into a new role, or operations managers absorbing IT responsibility at a growing company — face the same challenge: they inherit an environment they did not build, do not yet fully understand, and are immediately accountable for.
The temptation is to act immediately. To fix things, to make changes, to demonstrate value. Resist this temptation in the first 30 days. The priority is to understand what you have before changing it.
The framework in this guide is structured around three 30-day phases:
- Days 1–30: Audit. Understand what exists.
- Days 31–60: Triage. Fix what is broken or actively dangerous.
- Days 61–90: Plan. Build the roadmap for systematic improvement.
Days 1–30: The Audit
Stakeholder Conversations
Before touching any technology, talk to people. Your goal is to understand what IT currently looks like from a user perspective — where it helps, where it frustrates, and where it is invisible when it should not be.
People to speak with:
- Your manager or the person you report to: What do they think IT is doing well? What are their biggest concerns?
- The CEO or business owner (if accessible): What technology decisions keep them up at night?
- Department heads: What do their teams struggle with in terms of technology? What works well?
- A sample of end users: What IT problems do they encounter most often? What do they wish worked better?
Questions to ask in each conversation:
- What is the most frustrating IT problem you experience regularly?
- What technology do you rely on that you would be lost without?
- If you could change one thing about IT in this business, what would it be?
- Have you ever been impacted by a security incident or data loss? What happened?
Document every conversation. Patterns across multiple people indicate systemic issues.
Infrastructure Audit
The goal is a complete, documented picture of what exists. Do not try to fix anything yet.
Network:
- Document internet connections: provider, speed, contract term, expiry date
- Photograph and document network rack configuration: firewall, switches, WAPs, patch panels
- Export firewall configuration (with appropriate authorisation)
- Document IP address scheme and DHCP ranges
- Identify and document all VLANs and network segments
- Document Wi-Fi networks (SSID names, security type, intended users)
- Identify any devices with default credentials
Servers and services:
- Inventory all on-premise servers: hardware specs, OS version, roles, last reboot
- Document all virtual machines and their hosts
- Check OS patch levels — are servers current?
- Document all server software and licences
- Identify any servers running end-of-life operating systems (Windows Server 2012, 2008 — these are a critical risk)
Microsoft 365 / cloud services:
- Audit Microsoft 365 tenant: how many licences? What types? Any unlicensed users?
- Check Security Score in Microsoft 365 Defender portal — what is the current score?
- Check whether MFA is enforced for all users
- Check whether legacy authentication is blocked
- Review Conditional Access Policies in Entra ID
- Check email authentication: SPF, DKIM, DMARC configured?
- Review admin accounts — how many Global Admins? Are admin accounts separate from day-to-day accounts?
Endpoints:
- Inventory all workstations and laptops: make, model, OS version, last update
- Check endpoint protection status — are all devices protected?
- Identify any devices running end-of-life OS (Windows 10 reaches end of support in October 2025)
- Check Intune enrolment — what percentage of devices are managed?
Backups:
- Document all backup jobs: what is backed up, how often, where to
- Check last successful backup for each job — when was it?
- Confirm whether any backup has ever been successfully tested (restored)
- Identify whether backup copies are stored off-site or in cloud
Licences and contracts:
- Inventory all software licences: what is licensed, how many seats, expiry dates
- Document all IT vendor contracts: provider name, service description, monthly cost, contract term, notice period
- Identify upcoming contract renewals (within 12 months)
- Confirm IT support contracts are current
Security Posture Assessment
Before your first month is out, complete a basic security posture assessment:
Immediate red flags to identify:
- Any accounts without MFA (especially admin accounts)
- End-of-life operating systems on any device
- No endpoint protection on any device
- Backup jobs not completing successfully
- End-of-life servers (Windows Server 2012 or older)
- Open RDP (Remote Desktop) ports on the internet
- Default or weak admin credentials on network devices
These are not “fix in 90 days” items. These are “fix this week” items if discovered.
Days 31–60: Triage
With a complete picture of what you have inherited, prioritise what to fix. Not everything is equally urgent.
Priority 1: Active Security Risks (Fix Immediately)
- End-of-life servers and workstations with no security support
- Accounts without MFA — start with admins, then all staff
- Open RDP on internet-facing firewalls
- Backup jobs that have not completed in over 7 days
- Default credentials on any network device
- Missing endpoint protection on any device
Priority 2: High-Risk Items (Fix in Days 31–60)
- Legacy authentication protocols enabled in Microsoft 365
- No Conditional Access Policies in place
- Email authentication (SPF/DKIM/DMARC) missing or misconfigured
- No Microsoft 365 backup solution in place
- Significantly outdated application software (browsers, Office, line-of-business apps)
- No documented IT asset register
Priority 3: Important But Not Urgent (Plan for Days 61–90 and Beyond)
- Network documentation gaps
- Licence compliance issues
- Device standardisation
- IT policy gaps
- Training requirements
Quick Wins
In the first 60 days, identify and execute at least three “quick wins” — visible improvements that demonstrate value and build credibility. These are typically things that are:
- Highly visible to users (fixing a frustrating recurring problem)
- Low-risk to implement (no major migration or change management)
- Clearly measurable (you can point to before and after)
Examples: fixing a shared mailbox that everyone complains about, cleaning up a cluttered SharePoint that nobody can navigate, implementing MFA across the organisation.
Days 61–90: Build the Roadmap
With the audit complete and the urgent items addressed, the third phase is about planning.
The Technology Roadmap
A technology roadmap maps where your IT is today, where it needs to be to support business goals, and the specific steps to get there — sequenced to minimise disruption.
What goes in a roadmap:
Infrastructure lifecycle: When does existing hardware reach end-of-life and need replacement? A server bought in 2019 should be in your replacement planning now.
Security improvements: What controls are missing that should be added? What is the sequence and priority?
Cloud migration: What on-premise workloads can or should move to cloud? What is the business case for each?
Application modernisation: What legacy applications are limiting productivity or creating support burden? What are the replacement options?
Productivity improvements: What Microsoft 365 capabilities are being underutilised? What would deliver the most user value?
See Technology Roadmap for CX IT Services’ phased approach to IT maturity.
IT Budget Planning
By day 90, you should be able to produce a credible IT budget for the next 12 months covering:
- Software subscription renewals
- Hardware replacement (based on asset register and lifecycle dates)
- Security improvements (based on your assessment)
- Project work (migrations, upgrades, new implementations)
- Support costs
- Contingency for unplanned events
Most CFOs appreciate an IT budget that includes rationale — not just line items, but a brief explanation of what each investment achieves and what the risk of not doing it is.
Building Vendor Relationships
By day 90, you should have a clear view of which vendors are delivering value and which are not.
Key vendor relationships to establish or review:
- Managed IT or MSP provider (if applicable)
- Microsoft partner/licensing reseller
- Internet service provider
- Telephony provider
- Key software vendors for line-of-business applications
For guidance on evaluating your current IT provider, see 20 Questions to Ask Your IT Provider.
When You Need External Help
Not every IT manager inherits a well-resourced IT environment, and not every IT environment can be brought up to standard with internal resources alone.
Signs you need external expertise:
- Security risks that exceed your internal capability to assess and remediate
- End-of-life infrastructure that needs professional migration
- A Microsoft 365 tenant that was never properly configured
- Backup and recovery capability gaps that could expose the business to significant risk
A managed IT provider is not a replacement for internal IT capability — it is a complement to it. The combination of an engaged internal IT coordinator and a capable managed service provider produces better outcomes than either alone.
If you are newly responsible for IT at a Melbourne business and want an expert second opinion on what you have inherited, book a Right Fit Call with CX IT Services. We can conduct an independent IT assessment and give you a clear picture of where you stand.
For related resources: