What Happens in the First 90 Days with a Virtual CISO

If you've read the first two posts in this series, you've probably worked out that a Virtual CISO makes sense for your business. The gap is real. The full-time hire doesn't fit. The math on a V-CISO works.

So you start looking at providers. You read the websites. You book a couple of intro calls. And somewhere around the second conversation, the same thought hits everyone:

What does this actually look like once we sign?

Not the marketing version. The real version. Who shows up on day one. What they ask for. What gets disrupted. How long before something actually changes. How do I know if it's working.

That's a fair set of questions and most V-CISO providers don't answer them honestly. They sell you on the strategy and leave the execution as a black box. So I'm going to walk you through the actual first 90 days of an SSO V-CISO engagement. Not what we hope it looks like. What it looks like.

The Real Goal of the First 90 Days

Here's what I want you to understand before we get into the weeks and the deliverables.

The goal of the first 90 days is not to assess your environment and hand you a report. That's the advisory-only model and it's the reason most security engagements feel like a waste of money. You pay for an expert to tell you what's wrong, and then you pay someone else to fix it, and the gap between those two things is where security programs die.

The goal of the first 90 days is to build a living security program. Discovery, decisions, policies, fixes, and operational rhythm. All of it. By day 90 you don't have a binder. You have a program that's running.

That's the difference. And it's why we structure the 90 days the way we do.

Phase 1: Days 1 to 30. Discover and Align.

The first 30 days are about getting the truth on the table.

Week 1: Kickoff and Business Context

The first meeting isn't about security. It's about your business. Where is the company going in the next 12 to 24 months? What's the growth plan? What are you trying to build? What keeps you up at night that has nothing to do with cybersecurity?

This sounds soft. It isn't. Security strategy that doesn't align with business strategy ends up either slowing the business down or getting ignored. We need to understand where you're going before we can help you protect what you're building.

We also map the stakeholders. Who owns what. Who has decision authority. Who needs to be in the loop on what. This becomes important fast.

Week 2: Data Discovery

This is where the heavy lifting starts. We deploy our Data Discovery Survey to key stakeholders, or in many cases, to your full team. The survey is designed to surface what doesn't show up in a network scan. Where is sensitive data living. Who is sending it where. What workarounds people are using because the official tools are clunky. What systems are in use that IT may not even know about.

Simultaneously, Cynomi gets loaded with your company profile. Industry, size, compliance obligations, current tooling, regulatory exposure. Cynomi is the backbone of our V-CISO service. The platform handles the analysis, policy generation, and compliance mapping that would otherwise take a full-time team weeks to produce.

The combination of the survey results and the Cynomi profile gives us a real picture of your environment within two weeks. Not a guess. Not an assumption. The actual state of things.

Week 3: Policy and Procedure Audit

Now we look at what's documented and what's enforced. Most businesses have some version of a security policy somewhere, but the gap between the document and the daily reality is usually significant. We catalog what exists, what's outdated, what's missing, and what people are actually doing regardless of what the policy says.

We also map your compliance landscape. HIPAA, CMMC, PCI, CCPA, SOC 2, cyber insurance requirements. Whatever applies. We identify the gaps between where you need to be and where you actually are.

Week 4: Strategic Alignment Session

Everything we've found gets tied back to the business conversation from Week 1. This is the meeting where strategy gets real. We present an initial risk register. The top 10 risks to your business, ranked, with effort and impact estimates. We identify the quick wins that can happen in Phase 2. We agree on priorities.

What you have at day 30: A plain-English summary of where your company stands. Not a 200-page document nobody reads. A working summary the CEO can read in 15 minutes and act on. This is where the translation work matters, and I'll come back to that.

Phase 2: Days 31 to 60. Build and Fix.

This is where SSO separates from advisory-only providers. The gaps we identified in Phase 1 start getting closed. Same team. Same engagement. No handoff to a different firm.

Weeks 5 to 6: Foundational Policy Buildout

We build out your foundational policy framework. Acceptable use, data handling, incident response, access control, vendor management. The basics, done right and tailored to how your business actually operates.

Cynomi generates the initial drafts based on your profile and industry. Our team customizes them to fit your specific business. Then we review them with your leadership. Not as a rubber stamp. As a real conversation about whether these policies match the way work actually happens at your company. Policies that contradict daily reality don't get followed. So we make sure they don't.

Weeks 7 to 8: High-Priority Remediation

The top risks identified in Phase 1 get addressed. Stale access from former employees gets cleaned up. MFA gets enforced where it wasn't. Encryption gaps get closed. Whatever the top 3 to 5 risks were, they get fixed.
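As an added illustration (not SSO's or Cynomi's code, and not part of the original post), here is the kind of check that sits behind the stale-access and MFA remediation just described: a review over a constructed identity-provider export that flags enabled accounts for former employees, dormant accounts, and accounts without MFA, then ranks the findings so the top items land in the risk register. The `Account` fields, the 90-day dormancy threshold, and the simple 1-to-5 impact scores are assumptions chosen for the example.

```python
"""Stale-access and MFA-gap review over a constructed user export.

Added example, not code from the post or from any vendor platform. The
account shape, the dormancy threshold and the impact scores are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    active: bool                 # enabled in the identity provider
    employed: bool               # still on HR's roster
    last_login: Optional[date]   # None if the account has never signed in
    mfa_enabled: bool
    privileged: bool             # admin or equivalent rights


# Constructed sample export; every name and date here is invented.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", True, True, date(2024, 5, 30), True, True),
    Account("bob", True, False, date(2024, 2, 10), False, False),   # left, still enabled
    Account("carol", True, True, date(2023, 11, 1), True, False),   # dormant for months
    Account("dave", True, True, date(2024, 5, 29), False, True),    # admin without MFA
    Account("erin", False, False, None, False, False),              # properly disabled
]

Finding = Tuple[str, str, int]   # (username, description, impact 1..5)


def review_accounts(accounts: List[Account], today: date = TODAY,
                    stale_days: int = 90) -> List[Finding]:
    """Return findings ranked by assumed impact (highest first, then by name).

    Disabled accounts are skipped: they are already in the desired state.
    A former employee's account is reported once as the higher-impact item,
    so the dormancy check only applies to current staff.
    """
    findings: List[Finding] = []
    for a in accounts:
        if not a.active:
            continue
        if not a.employed:
            findings.append((a.username, "former employee still enabled", 5))
        elif a.last_login is None or (today - a.last_login) > timedelta(days=stale_days):
            findings.append((a.username, f"no login in {stale_days}+ days", 3))
        if not a.mfa_enabled:
            # Assumed weighting: a privileged account without MFA outranks a standard one.
            findings.append((a.username, "MFA not enforced", 5 if a.privileged else 3))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


if __name__ == "__main__":
    for username, issue, impact in review_accounts(SAMPLE):
        print(f"[impact {impact}] {username}: {issue}")
```

Run against a real export, the same pass would be repeated monthly so the executive briefing can show the count trending to zero rather than a one-off cleanup.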

This is also when we run the first monthly executive briefing. What we found. What got fixed. What's next. The briefing format gets established here because it's the rhythm that will run for the life of the engagement.

What you have at day 60: Foundational policies live, top risks remediated, executive briefing cadence established. You're no longer hoping someone is paying attention to your security. Someone is, and they're reporting to you on it.

Phase 3: Days 61 to 90. Operationalize.

This is where most engagements fail, because most providers treat day 90 as the finish line. It's not. It's the starting line. The first 60 days built the program. The next 30 days make sure it's actually running.

Weeks 9 to 10: Incident Response Tabletop

We run a tabletop exercise with your leadership team. A simulated incident. Could be a ransomware event, a business email compromise, a data exfiltration scenario, depending on what's most relevant to your business. We walk through the response in real time. Who makes the call. Who notifies whom. What gets shut down. What gets communicated to clients. Where the plan breaks.

This is the most valuable hour of the entire 90 days for most executive teams. It's the first time many of them realize that their incident response plan, even if it exists on paper, has gaps that would become very expensive in a real event. Better to find those gaps in a conference room than at 4:45 PM on a Friday with a wire transfer in motion.

After the tabletop, we refine the IR plan based on what we learned. The plan that comes out of this exercise is the one that will actually work when it has to.

Weeks 11 to 12: Compliance Documentation and Roadmap

Compliance documentation gets finalized and stored where it can be produced on demand. If your insurer or an auditor asks tomorrow, the answer is "yes, here it is," not "give us two weeks." This single capability is worth the engagement on its own for many businesses, because cyber insurance renewals are getting brutal and the documentation requirements aren't getting easier.

We also deliver a 12-month strategic roadmap. Quarterly milestones. What gets evaluated when. What initiatives are scheduled. Where the budget is going. Not "we'll figure it out as we go." A documented plan that aligns with the business goals we mapped on day one.

What you have at day 90: A living security program. Documented and enforced policies. Top risks remediated. A tested incident response plan. Compliance documentation ready to produce. A 12-month roadmap. Monthly executive briefings on the calendar.

The Thing Clients Tell Us Is the Most Valuable

When clients tell us what they got out of the first 90 days, the answer is almost never what we expect. It's not the policies. It's not the compliance documentation. It's not even the remediated risks.

It's that someone finally translated cybersecurity into English.

Most business owners and executive teams have been talked at by security vendors for years. The conversations are full of acronyms, technical jargon, and recommendations that don't connect to anything the business actually cares about. The result is that executives nod along, approve budgets they don't fully understand, and hope for the best.

Our team has worked in environments where security strategy had to be communicated to people who weren't technical but absolutely needed to understand the implications of every decision. That skill, translating security into language executives can act on, turns out to be the thing that matters most. When your leadership team actually understands their risk posture, they make better decisions about it. When they don't, they make decisions in the dark.

That translation is what changes the program from something IT manages to something the business owns. And that's the difference between a security program that works and one that lives in a folder nobody opens.

Three Things You Can Use

The big idea: The first 90 days of a V-CISO engagement shouldn't be an assessment. It should be a working security program. Discovery, decisions, policies, fixes, and operational rhythm. If a provider is selling you a 90-day assessment with implementation as a separate phase, you're buying half a service.

Over the next 30 to 60 days: If you're evaluating V-CISO providers, ask each one to walk you through their first 90 days week by week. Not their methodology. Their actual timeline. Who shows up, what gets delivered, when policies are live, when risks get remediated. The vague answers will separate themselves from the specific ones quickly.

Today: Look at your calendar for the next 90 days. Find a 30-minute slot. Use it to write down what you'd want to be different about your security program if you could wave a wand. Not in technical terms. In business terms. What conversation do you want to be able to have with your board. What document do you want to be able to hand your insurer. What sleep do you want to get back. That list is the brief for any V-CISO engagement you'd consider, ours or anyone else's.

What to Do Next

Figure it out yourself. Take that list from the section above and bring it to your current IT provider. Ask them which items they own and which items aren't being managed today. The gaps in their answer are the gaps a V-CISO would fill.

Ask for help understanding your situation. Book a Strategy Session with our team. 30 minutes, free, no pitch. Tell us what you're trying to accomplish and we'll tell you whether a V-CISO engagement is the right tool, what the first 90 days would look like specifically for your environment, and what it would cost. If a V-CISO isn't the right answer, we'll tell you that too.

Hire the experts and hand it off. If you're ready to start, we'll get the kickoff scheduled within a week. By day 30 you'll have clarity. By day 60 your top risks will be closed. By day 90 your program will be running. And unlike advisory-only providers, our team doesn't just tell you what's wrong. We fix it.

Book a Free Strategy Session
