What Does a vCISO Do in the First 90 Days? A Week-by-Week Breakdown.
Have you ever wondered what a virtual or fractional Chief Information Security Officer (vCISO) actually does once they partner with your business? The first three months are a critical period in which the foundation for a robust, long-term security strategy is laid. It is not about instantly installing complex new technologies; it is a methodical process of discovery, planning, and executing foundational improvements that deliver immediate value and build momentum for the future. This period is designed to move your business from uncertainty to control and clarity about its cyber risk.
Weeks 1-2: Discovery and Baseline Assessment
The initial two weeks of a vCISO engagement are dedicated to deep discovery. The primary goal is to understand your business, its assets, and its current security posture. This isn't a superficial check; it's a comprehensive information-gathering exercise. The vCISO will work to create a detailed asset inventory, identifying every piece of technology, data, and software critical to your operations. Think of it like a detailed stocktake of your digital estate, from the servers in your Sligo data centre to the cloud applications your sales team uses daily. This inventory is crucial because you can't protect what you don't know you have.
Parallel to this, the vCISO conducts a preliminary risk assessment and reviews existing policies. This involves interviewing key personnel, analysing network architecture, and examining any security documentation you might have. The objective is to identify the most significant threats facing your business and the potential impact they could have. This initial analysis provides the essential baseline against which all future progress and risk reduction will be measured. According to a report by the National Cyber Security Centre (NCSC) of Ireland, many Irish businesses struggle with this foundational step, leaving them exposed to common threats that could be easily mitigated [1].
Weeks 3-4: Gap Analysis and Strategic Roadmap
With a clear picture of your assets and initial risks, the focus shifts to a formal gap analysis. The vCISO compares your current security measures against established industry frameworks (such as the NIST Cybersecurity Framework or ISO/IEC 27001) and the regulatory requirements relevant to your sector, such as the NIS2 Directive. This process highlights the specific areas where your defences are weakest. It is not about finding fault; it is about identifying opportunities for improvement in a structured and objective way. The output is a clear, prioritised list of vulnerabilities and control deficiencies.
This analysis directly feeds into the creation of a strategic security roadmap. This isn't a generic, one-size-fits-all plan. It's a bespoke, prioritised action plan tailored to your organisation's specific risk profile, budget, and business objectives. The roadmap outlines a series of initiatives for the next 12-18 months, breaking down a seemingly monumental task into manageable, sequential projects. The roadmap’s most critical function is to provide a clear, actionable path from your current state to your desired security posture, ensuring every action taken is a step in the right direction.
Not sure where your business stands on cyber risk? Download the Irish SME Cyber Survival Guide — a free, plain-English guide to the 10 controls every Irish business needs. No jargon, no sales pitch.
Month 2: Implementing Quick Wins
The second month is all about building momentum and demonstrating tangible risk reduction. Using the prioritised roadmap, the vCISO focuses on implementing 'quick wins'—high-impact, low-complexity controls that address the most pressing vulnerabilities identified during the discovery phase. These are the foundational security measures that provide the biggest return on investment in the shortest amount of time. This phase is critical for building trust and showing immediate value from the vCISO engagement.
Common quick wins include deploying multi-factor authentication (MFA) across all critical systems, establishing a robust patch management process to protect against known vulnerabilities, and verifying the integrity of your data backups. For a business in Donegal, this might mean ensuring the backups of their customer database are not just running, but are regularly tested and can be restored successfully. As An Garda Síochána frequently warns, ransomware attacks often succeed not just by encrypting data, but by targeting and deleting backups, making recovery impossible without paying a ransom [2]. Implementing these fundamental controls effectively closes the door on the most common and opportunistic cyber attacks.
| Control Area | Typical vCISO Action (Month 2) | Business Impact |
|---|---|---|
| Identity & Access | Enforce Multi-Factor Authentication (MFA) on all remote, cloud and administrative access | Blocks the vast majority of password-based account takeovers (Microsoft has put the figure above 99.9% for automated attacks) |
| Vulnerability Mgmt | Implement a formal patch management cadence with deadlines tied to severity | Closes known vulnerabilities before commodity malware and opportunistic attackers exploit them |
| Data Backup | Test and verify the backup restoration process, including an offline or immutable copy | Confirms data can actually be recovered after ransomware without paying |
| Basic Policies | Draft and communicate an Acceptable Use Policy | Reduces insider threat and human error |
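A concrete version of the backup quick win described above, added here as an example rather than anything from the original article: a POSIX shell script that backs up constructed sample data, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and checks every file against the manifest. It also exercises the failure case that matters, an archive whose contents no longer match the manifest. The directory names and the sample customer records are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example: minimal backup restore test.
# Packs a directory into a tar.gz, records a SHA-256 manifest at backup time,
# then proves the archive restores into a scratch directory with every file
# matching the manifest. All paths and the sample "customer database" content
# are constructed for this demonstration and are not real systems or files.

# Create a backup archive and its checksum manifest.
# Usage: make_backup <source_dir> <backup.tar.gz> <manifest.sha256>
make_backup() {
    src="$1"; archive="$2"; manifest="$3"
    # Checksums are recorded with paths relative to the source root so they can
    # be verified from inside the restore directory later.
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$manifest" || return 1
    tar -czf "$archive" -C "$src" . || return 1
}

# Restore a backup into a fresh scratch directory and verify every file against
# the manifest. Prints the reason on failure.
# Usage: verify_restore <backup.tar.gz> <manifest.sha256>
# Returns 0 when the restore is complete and intact, 1 otherwise.
verify_restore() {
    archive="$1"; manifest="$2"
    if [ ! -s "$archive" ]; then
        echo "FAIL: backup $archive is missing or empty" >&2
        return 1
    fi
    # Resolve the manifest to an absolute path before changing directory.
    manifest_abs="$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")"
    scratch="$(mktemp -d)" || return 1
    rc=0
    # Never restore over live data: always into an isolated scratch location.
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "FAIL: backup $archive does not unpack" >&2
        rc=1
    elif ! ( cd "$scratch" && sha256sum -c --quiet "$manifest_abs" ); then
        echo "FAIL: restored files do not match the manifest" >&2
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Self-contained demonstration on constructed sample data.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/data"
    printf 'id,name,county\n1,Example Ltd,Sligo\n2,Sample & Co,Donegal\n' > "$work/data/customers.csv"
    printf 'schema_version=3\n' > "$work/data/meta.txt"

    make_backup "$work/data" "$work/good.tar.gz" "$work/good.sha256"
    verify_restore "$work/good.tar.gz" "$work/good.sha256" && echo "restore test passed"

    # Simulate a backup altered after the manifest was taken: one record is
    # removed, so the checksum of customers.csv no longer matches.
    printf 'id,name,county\n1,Example Ltd,Sligo\n' > "$work/data/customers.csv"
    tar -czf "$work/tampered.tar.gz" -C "$work/data" .
    verify_restore "$work/tampered.tar.gz" "$work/good.sha256" || echo "tampering detected"

    rm -rf "$work"
}

demo
```

Run a test like this on a schedule against a copy of the real backup, and keep the manifest somewhere the backup job itself cannot overwrite. A restore test only proves the copy you tested, so point it at the offline or immutable copy that an attacker who has reached the production backups cannot delete; that is the copy you will depend on after a ransomware incident.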
Month 3: Board Reporting, Insurance, and Training
As the 90-day mark approaches, the vCISO's role evolves from hands-on implementation to strategic guidance and communication. A key activity is developing and presenting the first formal security report to the board or leadership team. This report translates technical metrics into clear business language, outlining the risks identified, the progress made, and the priorities for the next quarter. It provides leadership with the visibility they need to make informed, risk-based decisions about security investment and strategy.
This period is also the ideal time to prepare for or renew your cyber insurance policy. With a detailed understanding of your security posture and a clear roadmap for improvement, the vCISO can help you navigate the complex application process and negotiate better terms and premiums. Insurers are far more likely to offer favourable coverage to a business that can demonstrate a mature, proactive approach to risk management. This data-driven approach transforms the cyber insurance conversation from a painful compliance exercise into a strategic business advantage.
Finally, the vCISO will often initiate the first wave of security awareness training. This might be a general session for all staff on phishing awareness or a more targeted workshop for a high-risk department. The goal is to begin embedding a culture of security within the organisation, turning the 'human firewall' from a liability into a key defensive asset. This aligns with guidance from the Data Protection Commission (DPC), which consistently highlights human error as a leading cause of data breaches in Ireland [3]. For more information on key terms, you can always visit our glossary.
Building a Secure Future, 90 Days at a Time
The first 90 days of a vCISO engagement are a microcosm of the entire security journey. It’s a structured, methodical process that moves from discovery and planning to execution and reporting. By the end of this initial period, your business will have a clear understanding of its cyber risk, a prioritised plan to address it, and a series of foundational controls already in place to provide immediate protection. This isn't just about ticking boxes; it's about building a sustainable, long-term security program that supports and enables your business goals, whether you're a tech startup in Sligo or an established professional services firm in Dublin. You can learn more about how regulations like NIS2 might affect you or check out other articles on our blog.
Related Reading
- vCISO vs In-House CISO: Which Is Right for a Donegal SME?
- How a vCISO Helps You Pass a DORA Supplier Assessment First Time.
- How a vCISO Makes You More Insurable — and Saves You Money at Renewal.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.