You hired a vCISO because you needed senior security leadership without the cost or commitment of a full-time executive. Maybe you're preparing for an audit, responding to customer security questionnaires, or finally addressing the governance gap your board has been asking about. Whatever the reason, the engagement starts with a handshake and a promise of strategic guidance. What should actually happen in those first 90 days determines whether you get a trusted advisor or an expensive report generator.

I've been on both sides of this arrangement—as a full-time CISO watching outside consultants come and go, and as an advisor helping organizations build security programs from scratch. The difference between a competent vCISO engagement and a wasteful one becomes apparent quickly. The first three months should produce tangible value: clarity about your current state, a roadmap tied to business priorities, and momentum on the problems that matter most. If you're getting PowerPoint decks that could apply to any company in your industry, something is wrong.

What Should Happen in the First Two Weeks

The initial discovery period separates professionals from poseurs. A competent vCISO spends the first two weeks listening, not prescribing. They need to understand your business model, revenue drivers, regulatory obligations, and what keeps your executive team awake at night. This isn't about running a vulnerability scan and declaring victory—it's about mapping the relationship between your technology infrastructure and your business operations.

During this period, expect structured interviews with key stakeholders: the CEO, CFO, heads of operations, IT leadership, and anyone who touches sensitive data or critical systems. The questions should be specific to your business, not generic. A vCISO working with a defense contractor should ask different questions than one advising a healthcare SaaS company. If your vCISO shows up with a standard questionnaire that doesn't reflect your industry's regulatory environment, that's a warning sign.

The documentation review starts immediately. A good vCISO wants to see your existing policies, past audit reports, customer security questionnaires, insurance applications, vendor contracts, and any compliance artifacts you've already generated. They're not looking for perfection—they're looking for patterns. Do you have policies that no one follows? Have auditors flagged the same issues repeatedly? Are there customer requirements you're ignoring because you don't understand them?

The Stakeholder Map

One deliverable I always create in the first two weeks is a stakeholder map. This document identifies who owns what, where authority lies, and where coordination breaks down. In smaller organizations, you often find one person wearing six hats, which creates hidden dependencies and single points of failure. In larger ones, you find security responsibilities scattered across IT, compliance, legal, and operations with no one actually in charge.

This mapping exercise reveals organizational friction points before you try to implement anything. If your IT director and your compliance officer haven't spoken in six months, you need to know that before proposing a policy that requires their collaboration.

Weeks Three Through Six: The Current State Assessment

By week three, the vCISO should shift from listening to structured assessment. This is where technical evaluation meets business context. The goal isn't to catalog every vulnerability—it's to identify gaps that create actual business risk. The difference matters. A missing patch on a development server might be a low priority; missing encryption on customer payment data is a crisis.

The assessment should cover both technical controls and governance processes. On the technical side, that means reviewing network architecture, access controls, endpoint security, data handling practices, and backup procedures. On the governance side, it means evaluating policy documentation, training programs, vendor management, incident response capabilities, and compliance program maturity.

The pattern I see most often: organizations have decent technical security but almost no governance. They've installed firewalls and antivirus, but they don't have an asset inventory, a risk register, or a documented process for handling security incidents. When a customer sends a detailed security questionnaire, someone spends three days scrambling to figure out who knows what. That's not a technology problem—it's a management problem.

Assessment Deliverable Expectations

By the end of week six, you should receive a written current state assessment. This document needs to be specific, not abstract. It should identify concrete gaps with business context: "Customer contracts require annual penetration testing, but none has been performed. This creates contractual risk and limits our ability to bid on enterprise deals." That's actionable. "Security posture needs improvement" is not.

The assessment should also acknowledge what's working. If you've built a solid patch management process or implemented effective security awareness training, the vCISO should document that. Organizations that only hear about their failures stop listening. A credible assessment recognizes both strengths and weaknesses.

Expect the vCISO to present findings to leadership, not just send a report. The presentation should be tailored to the audience—more business impact for executives, more technical detail for IT leadership. If your vCISO can't explain technical risks in business terms, they're not ready for an executive advisory role. Cybersecurity leadership requires communicating risk to boards and executives who don't share your technical background.


Weeks Seven Through Ten: The Roadmap

Assessment without a plan is just expensive documentation. By week ten, your vCISO should deliver a prioritized roadmap that connects identified gaps to business objectives. This roadmap needs to account for budget constraints, staff capacity, regulatory deadlines, and strategic priorities. A 50-item list organized by NIST control families is useless. A phased plan that starts with contractual obligations, then addresses regulatory requirements, then tackles aspirational improvements—that's useful.

The roadmap should distinguish between quick wins and long-term initiatives. Quick wins might include implementing multi-factor authentication for privileged accounts, documenting an incident response procedure, or creating an asset inventory. These are achievable in weeks, not quarters, and they demonstrate progress while building momentum for harder work.

Long-term initiatives might include implementing a formal risk management program, achieving SOC 2 certification, or rebuilding network segmentation. These take months and require executive commitment, budget allocation, and sustained effort. The roadmap should be realistic about timelines and dependencies.

I've seen too many roadmaps that ignore resource constraints. Proposing 30 major initiatives to an IT team of three people isn't strategic planning—it's wish-casting. A competent vCISO understands your capacity and builds a plan you can actually execute. They should also identify where you need outside help: specialized expertise, staffing augmentation, or tool implementation support.

Regulatory and Compliance Integration

If you operate in a regulated industry, the roadmap must explicitly address compliance obligations. For defense contractors, that means CMMC and NIST 800-171. For healthcare organizations, HIPAA Security Rule requirements. For federal technology vendors, FedRAMP controls. The roadmap should map security initiatives to specific regulatory requirements, making it clear which projects address compliance obligations and which go beyond minimum standards.

This integration prevents duplicative work. When you implement multi-factor authentication, you're not just improving security—you're also satisfying specific CMMC, HIPAA, or state privacy law requirements. The roadmap should make these connections explicit so leadership understands how security investments create compliance value. Organizations new to working with a vCISO often miss this strategic connection between security and regulatory obligations.

Weeks Eleven Through Fourteen: Policy and Process Development

With the roadmap approved, the next phase focuses on foundational documentation. Most organizations need better policies, procedures, and standards. This isn't about creating binders that sit on shelves—it's about documenting how you actually operate and establishing clear expectations for your team.

A good vCISO doesn't start from scratch. They adapt existing frameworks to your specific environment. If you're subject to NIST 800-171, your policies should map to those 110 controls. If you're preparing for ISO 27001 certification, your policy structure should align with that standard. The goal is documentation that serves double duty: guiding your team and satisfying auditor requirements.

The policy development process should involve the people who will follow the policies. An acceptable use policy written without input from your operations team will be ignored or circumvented. A data classification standard created without sales team feedback will miss how customer data actually flows through your organization. The vCISO should facilitate this collaboration, not dictate from a conference room.

During this period, expect to review and approve multiple policy documents: information security policy, acceptable use policy, incident response plan, access control standards, data handling procedures, and vendor management requirements. Each should be specific to your environment. If the policies could apply to any company in any industry, they're too generic to be useful.

Practical Implementation Guidance

Policy without procedure is wishful thinking. Alongside each policy, you need practical guidance that explains how to comply. Your data classification policy might define four data categories, but your staff needs a decision tree that helps them classify actual documents. Your incident response plan might assign roles and responsibilities, but your team needs a step-by-step playbook for common scenarios.

The vCISO should create these practical tools, not just policy statements. In my experience, the organizations that succeed are those that make compliance as easy as possible for busy employees. Complex policies with no implementation guidance get ignored.


The Final Month: Initial Execution and Program Infrastructure

The last month of the first 90 days of a vCISO engagement should demonstrate progress on the roadmap. This isn't about completing everything—it's about establishing momentum and proving the engagement delivers value beyond documentation. Expect visible improvements: MFA deployed for critical systems, security awareness training launched, an asset inventory completed, or a vulnerability management process implemented.

This is also when program infrastructure takes shape. The vCISO should establish regular communication rhythms: weekly check-ins with IT leadership, monthly reporting to executives, quarterly briefings for the board. They should create tracking mechanisms so everyone can see progress against the roadmap. A simple risk register, a control implementation tracker, or a compliance calendar—these tools make the security program visible and accountable.

If your organization has specific compliance deadlines, the 90-day mark should show measurable progress toward those milestones. If you're preparing for CMMC assessment, you should have a gap analysis complete and remediation underway. If you need SOC 2 certification by year-end, the first 90 days should have established the control environment and evidence collection processes.

Vendor and Tool Rationalization

Many organizations discover during the assessment phase that they're paying for security tools nobody uses or that overlap significantly. The final month is when the vCISO should present recommendations about vendor consolidation, tool replacement, or new acquisitions that fill genuine gaps.

These recommendations should come with business cases. Don't just hear "we need a SIEM"—expect to see why, what problems it solves, what the alternatives are, and how it fits into the broader security architecture. A vCISO who recommends expensive tools without explaining alternatives or considering your budget constraints is selling, not advising.

Red Flags: What Bad Looks Like

Not every vCISO engagement delivers value. I've watched organizations pay good money for poor advice, generic deliverables, and consultants who disappear after producing a report. Here are the warning signs that should concern you during those first 90 days.

Generic deliverables that could apply to anyone. If your current state assessment reads like it was written for any company in your industry, it probably was. Templates have their place, but the final product should be specific to your environment. Names, systems, technologies, and observations should be yours, not placeholders.

No engagement with your team. A vCISO who only talks to the CEO and never interviews IT staff, operations managers, or frontline employees isn't doing discovery—they're guessing. Security programs fail when they're built without input from the people who make them work.

Recommendations without business context. Technical suggestions divorced from business reality are worthless. If your vCISO recommends implementing controls without acknowledging budget, staffing, or competing priorities, they don't understand your actual constraints.

No measurable progress by day 90. Documentation matters, but it's not the only output. If you reach the three-month mark without any implemented improvements—not policies written, but actual changes to how you operate—something is wrong. Good vCISO engagements balance planning with execution.

Inability to explain risks in business terms. A vCISO who can't translate technical vulnerabilities into business impact isn't ready for executive advisory work. You should never leave a meeting confused about why something matters. If the explanation involves acronyms and compliance frameworks without connecting to actual business consequences, demand better communication.

Vendor favoritism without justification. Be skeptical if your vCISO consistently recommends specific vendors without evaluating alternatives or acknowledging trade-offs. Some consultants have financial relationships with technology vendors that create conflicts of interest. Ask about these relationships. A professional will disclose them upfront.

What Success Looks Like at the 90-Day Mark

A successful vCISO engagement should deliver clarity, direction, and momentum by the end of the first quarter. You should understand your current security posture, not in abstract terms but with specific knowledge of gaps, risks, and strengths. You should have a roadmap that connects security initiatives to business objectives and regulatory requirements. You should see visible improvements in how your organization handles security: better processes, clearer accountability, and early wins that demonstrate progress.

More importantly, you should have confidence in your vCISO's judgment. You should feel comfortable bringing them into strategic conversations, customer negotiations, or board presentations. They should have earned credibility with your technical team and respect from your executive leadership. If your staff sees the vCISO as an outsider imposing theoretical requirements, the engagement is struggling.

The relationship should feel collaborative, not transactional. You're not buying deliverables—you're gaining a trusted advisor who understands your business, respects your constraints, and helps you make better decisions about security and risk. That relationship takes time to build, but the foundation should be solid by day 90.

Beyond the First Quarter

The first 90 days establish the foundation, but vCISO value compounds over time. As the advisor learns your business more deeply, they spot risks earlier, connect dots faster, and provide guidance that becomes increasingly tailored to your specific challenges. The roadmap they created in month three evolves as your business changes, as threats shift, and as regulatory requirements expand.

Organizations that get the most value from vCISO relationships treat them as strategic partnerships, not project-based consulting. The best engagements extend well beyond initial assessments and policy development. The vCISO becomes part of your leadership team, participating in strategic planning, advising on M&A due diligence, representing security in customer conversations, and helping you navigate the expanding complexity of regulatory compliance.

If you're in a regulated industry, that ongoing relationship becomes even more valuable. Healthcare organizations face evolving interpretations of HIPAA, particularly as AI tools enter clinical workflows. Defense contractors navigate CMMC assessments, continuous monitoring requirements, and supply chain security obligations. Financial services firms manage state privacy law proliferation, data broker regulations, and increasing scrutiny of third-party risk. A vCISO who has worked with you for two years understands not just your technical environment but your organizational culture, risk tolerance, and strategic priorities. That context makes their advice exponentially more useful.

The first 90 days answer a simple question: can this person help us? If the answer is yes—if you see competence, judgment, and tangible progress—the relationship should continue. If the answer is no, you'll know quickly. Bad vCISO engagements reveal themselves through missed deadlines, generic deliverables, poor communication, or simple lack of progress. Don't wait a year to make a change. Three months is enough time to evaluate whether you have the advisor you need.
