The job description rarely matches the actual work. "Set the security strategy, manage risk, report to the board." Read like that, a fractional CISO sounds like a strategy consultant who attends quarterly meetings.
The first three months of a vCISO engagement are nothing like that.
What the first 90 days actually look like
Most of the work in the first quarter is not strategy in the abstract. It is diagnostic, structural, and quietly remedial. Leadership has questions they have not articulated yet, and the new vCISO is the person who has to surface them.
The phases below are sequential in emphasis, not in calendar. Findings show up in week one. Quick wins land before the final readout. The structure describes what dominates the work at each stage, not a gating of when value appears.
- Weeks 1-2 — Establish the baseline. Inventory what security actually looks like in the business today. Read every contract that imposes security obligations. Talk to IT, the controller, the people who handle wire transfers, the engineering leads, the customer success leads who get phishing escalations.
- Weeks 3-6 — Validate the exposure. Confirm the gaps leadership has been worried about but has not had a person to ask. Vendor breaches. Auditor questions. Insurance renewal posture. The board member who keeps asking about ransomware. The exec who forwards their work email to a personal account.
- Weeks 7-12 — Translate findings into action. Produce the first board-ready risk narrative. Establish a monthly cadence with leadership and a quarterly cadence with the board. Pick the three things that will actually move the needle in the next year, with named owners and dates.
What the diagnostic surfaces
Concrete examples of what tends to come out of those first six weeks:
- A cyber insurance policy with a "reasonable security controls" clause that nobody has mapped to actual controls. The renewal is in four months.
- Three SaaS vendors with access to customer data. Two have SOC 2 reports nobody has read. The third declined to provide one.
- A Microsoft 365 tenant where Global Admin MFA is "enabled" but not enforced — the conditional access policy excludes the legacy admin account used for break-glass.
- A backup system that is running, but the last successful restore test was during the initial deployment two years ago.
- An engineering team that uses a shared production database password stored in a Notion page that twelve people have access to.
None of these are exotic findings. They are the operational reality of organizations that have grown past the point where IT can absorb security as a side responsibility, but have not yet hired a CISO.
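The Microsoft 365 finding in that list can be checked mechanically from an export of the tenant's Conditional Access policies. The sketch below is an added example, not part of the original article or Strace's tooling: it reads policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape and reports Global Admin accounts that no enforced MFA policy covers. The account IDs, names and sample policies are constructed, and the evaluation is simplified (it ignores group membership and app, location and platform conditions).

```python
# Added example: simplified evaluation of exported Conditional Access policies.
# Assumption: group membership and app/location/platform conditions are ignored.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    # With operator OR, MFA is only guaranteed when it is the sole control.
    return "mfa" in controls and (grant.get("operator") == "AND" or controls == ["mfa"])

def why_not_covered(policy, user_id):
    """Return None if the policy enforces MFA for this Global Admin, else the reason."""
    users = (policy.get("conditions") or {}).get("users") or {}
    targeted = ("All" in users.get("includeUsers", [])
                or user_id in users.get("includeUsers", [])
                or GLOBAL_ADMIN_ROLE in users.get("includeRoles", []))
    if not requires_mfa(policy) or not targeted:
        return "not applicable"
    if policy.get("state") != "enabled":
        return f"state is {policy.get('state')}"
    if user_id in users.get("excludeUsers", []) or GLOBAL_ADMIN_ROLE in users.get("excludeRoles", []):
        return "account excluded"
    return None

def unenforced_admins(policies, admins):
    """Map each Global Admin with no enforcing MFA policy to the near-miss reasons."""
    gaps = {}
    for user_id, name in admins.items():
        reasons = [(p["displayName"], why_not_covered(p, user_id)) for p in policies]
        if all(reason is not None for _, reason in reasons):
            gaps[name] = [f"{pol}: {r}" for pol, r in reasons if r != "not applicable"]
    return gaps

# Constructed sample data: IDs, names and policies are invented for illustration.
ADMINS = {"id-alice": "alice-admin", "id-bg": "legacy-breakglass"}
POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": ["id-bg"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for all users (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for name, reasons in unenforced_admins(POLICIES, ADMINS).items():
        print(name, "->", "; ".join(reasons))
```

An excluded break-glass account is a common and deliberate design; the point of the check is that the exclusion is known, documented and compensated for, not discovered during the diagnostic.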
What you should expect to read in a 90-day readout
The deliverable at the end of the first quarter is not a tooling dashboard. It is a written narrative that a non-technical board member can read in twenty minutes and walk away knowing:
- What the business actually depends on to operate, ranked.
- Where that operation is currently exposed, with each exposure mapped to a specific control gap.
- What it would cost to close the top exposures, framed in business terms — engineering hours, license uplift, third-party engagement — not in vendor SKU prices.
- What leadership should expect to spend on security as a percentage of revenue, with a defensible benchmark.
- The three things the vCISO is going to do in the next quarter, with named owners and dates.
Good readouts have something in common: they do not include the words "best practice." They reference specific business decisions, specific contracts, specific dollar amounts. They read like a memo from a colleague, not a report from a consultant.
Where vCISO engagements go wrong
The failure modes are predictable.
Scope drift. The vCISO becomes the de facto IT manager because the company does not have one. By month four, the strategic work has been replaced by ticket triage and vendor escalations. This is a contracting failure — the engagement letter did not draw the line between advisory work and operational ownership.
Leadership disengagement. The CEO or CFO who hired the vCISO stops attending the monthly review after the third month. The vCISO continues producing reports nobody reads. By month nine, the renewal conversation becomes a budget conversation about whether to keep the function at all.
The compliance trap. The engagement gets reframed around a single audit — SOC 2, HITRUST, the cyber insurance questionnaire. Everything outside that audit gets deferred. The audit passes, but the underlying posture has not improved, because the audit is a snapshot of policy, not a measurement of control effectiveness.
The tool-shopping mistake. Leadership expects the vCISO to recommend a stack. The vCISO obliges, and the next six months are spent on procurement instead of foundation work. Tooling decisions made before the inventory work is done tend to produce the wrong tools, or the right tools applied to the wrong problems.
A vCISO engagement working well in year two is one where the diagnostic from quarter one has been acted on, the board is reading the quarterly narrative, and the conversation has shifted from "what is the security team doing" to "how should we be thinking about [specific business decision] from a risk perspective."
How we structure the work at Strace
Our vCISO retainer follows the pattern above. The first 90 days are weighted toward discovery and the board-ready readout. Engagements run on a monthly retainer with a defined scope of advisory hours — not a fractional-headcount fantasy of having a CISO on staff. Tabletop exercises, vendor reviews, policy work, and board narrative are all in scope. Implementation of remediations is scoped separately or handed back to IT. We do not bill advisory hours to install software.
If your organization has outgrown informal IT-led security but is not ready for a full-time CISO, the first conversation should not be about tools. It should be about what a diagnostic would actually find in your environment.