Chapter 2: The first 100 days: Client engagement and onboarding 

As a vCISO, you are in a key position, balancing the development and implementation of the business’s cybersecurity strategy with its broader needs, while fostering trust within the organization. Even if you’re not officially on the company’s payroll, you still hold a leadership role within the organization. 

The first 100 days are critical for navigating your professional responsibilities and positioning yourself as a reliable decision-maker.

Goals for the first 100 days include:

  • Build relationships with key stakeholders
  • Align security goals with business objectives
  • Deliver a number of quick wins 
  • Leverage automation for efficiency 

The 100-day action plan should cover these 11 strategic security programs:

  1. Asset Management: Knowing what important things (like people, tools, and data) you have so you can protect them.
  2. Controls Management: Putting up strong defenses to keep your important things safe.
  3. Change Management: Carefully planning and checking every change you make to avoid breaking things or creating vulnerabilities.
  4. Vulnerability Management: Finding and fixing weak spots before they can be exploited.
  5. Incident Management: Being ready to act quickly if something goes wrong to fix it and learn from it.
  6. Service Continuity: Making sure important work can keep going if something bad happens.
  7. Risk Management: Figuring out what could go wrong and deciding how to deal with it.
  8. External Dependencies Management: Making sure anyone you work with is also keeping your important things safe.
  9. Training and Awareness: Teaching everyone how to stay safe and smart about security.
  10. Situational Awareness: Continuously monitoring the security landscape.
  11. Governance: Setting up policies, procedures and standards and making sure everyone follows them to keep things secure.

Phase 1: Research (Days 0-30)

This phase is your opportunity to get to know the organization. It involves a deep dive into the company’s current security status and business goals, building relationships with stakeholders, and evaluating existing security controls.

Research (Days 0-30) key activities: The vCISO security strategy and plan begins with examining the current state of the organization’s security posture and business objectives. 

  • Meet stakeholders and management to understand their expectations and learn about the organization. 
  • Meet with the individuals responsible for configuring security systems and related tasks (whether internal or part of an MSP). If they are from an MSP, clarify what package was purchased, what is included, and what is not included. If they are internal, focus on building relationships, assessing the team’s skills, understanding current workflows, and identifying any gaps in expertise or resources.
  • Identify the tools (not just security tools) you will need to interface with the company. For example, if all policies are stored in SharePoint, you will need access to SharePoint to review them. If you design your vCISO offering to be both strategic and tactical, you will need access to various tools, data, and systems to review configurations, management practices, and security controls for the tactical aspect.
  • Analyze existing infrastructure, tools, frameworks, policies and reports to gain insights into potential vulnerabilities and the effectiveness of existing security controls and procedures. 
  • Obtain and understand network and data flow diagrams to recognize critical data flows and potential points of exposure. Also check them for completeness and use them to validate what you learned in the interviews: are the critical systems for the business covered, and how do they interact? The diagrams may also expose further questions and additional interviews you need to conduct to understand how systems work together. 
  • Review past security incidents and the organization’s responses to assess their ability to effectively manage and recover from such events. Do they document previous incidents? Do they conduct tabletop exercises to test their security plans or perform penetration tests?
  • Conduct threat intelligence research of the threat landscape, including CVEs, zero-days, regulations and key players. Take note of which threat actors are targeting these types of clients, how they get access, and preferred methods of persistence. 
  • Understand the existing vendor management process to reveal third-party risks and compliance with security policies. 
  • Review customer contracts to ensure that customer-imposed security requirements are met, as these can influence the prioritization of security tasks. 
  • If clients you’re working with have internally developed software or work with developers, then you need to understand the Software Development Life Cycle (SDLC) program to see how security is integrated into application development. 

Sample questions to ask stakeholders:

Before you begin, remember that the better you conduct these interviews, the less you’ll need to disrupt these individuals and their work. Interviewing is a soft skill—approach it with curiosity. Aim to gain a comprehensive understanding from the outset to reduce the need for frequent follow-ups. The clearer they can explain their processes, the better you’ll be able to perform your role and minimize interruptions. 

  1. Describe your role and responsibilities and how your work supports the business. 
  2. Can you list the mission-critical applications your department uses daily? Given 40 hours a week, which applications do you regularly use during that time (besides email/office) to do your job? 
  3. What data types (financial, health, etc.) are stored in these applications, and how does your department use this data? 
  4. What is acceptable downtime for these applications?
    • How does this application affect the business if it is down for X days? 
    • If the application was restored from backup, how many days would you have to revert? 
  5. Could you walk me through the business workflow using these systems? 
  6. What are your primary concerns about your current systems and data security? 
  7. What ongoing projects or major changes are planned and/or are being conducted? And what is the timeline? 
  8. How can the vCISO and the security team support your line of business?
    • What information do you need, and how would you prefer to receive it? Email, Slack, or perhaps through documents or PowerPoint? 
    • How frequently would you like updates? Establish a regular communication and reporting schedule. Reports should be provided at least monthly.

Phase 2: Understand (Days 0-45)

Now, it’s time to consolidate your findings into a comprehensive view of the organization’s security maturity and posture. 

  1. Conduct a risk assessment. The purpose of the risk assessment is to identify, evaluate, and prioritize risks to an organization’s information assets. It focuses on understanding the potential threats, the vulnerabilities those threats could exploit, and the impact they would have on the organization. 

Take all the information you gathered in Phase 1 and collate and synthesize it in a formal risk assessment. Use a standard onboarding questionnaire and scanning tool to provide an objective assessment of current risks. 

Components:

  • Threat identification: Recognizing potential sources of harm (e.g., hackers, natural disasters).
  • Vulnerability assessment: Identifying weaknesses that could be exploited by threats.
  • Impact analysis: Determining the potential consequences of various risks.
  • Likelihood determination: Estimating the probability of different risks occurring.
  • Risk prioritization: Ranking risks based on their potential impact and likelihood to determine which ones need immediate attention.

Learn how to complete a risk assessment in the course The vCISO Toolkit – Guidance & Templates

  2. Conduct a gap analysis: The purpose of the gap analysis is to measure the organization’s security practices against industry benchmarks, such as established cybersecurity frameworks like NIST. It focuses on identifying the gaps between the current security controls and the desired or required security controls. This includes compiling the data from your initial assessments into clear, executive-friendly reports that include technical metrics and an evaluation of the processes, people, and technology in place. 

Components:

  • Baseline assessment: Documenting the current security measures in place.
  • Standards comparison: Identifying the desired or required standards (e.g., ISO 27001, NIST CSF) against which the current state will be compared. There are mandatory requirements versus discretionary requirements – what you must do according to industry regulations versus what you should do as best practices. For example, frameworks like the NIST Cybersecurity Framework (CSF) are discretionary, offering guidelines to enhance security. However, if you’re in the healthcare sector, compliance with HIPAA is mandatory. Similarly, GDPR is a mandatory requirement for handling personal data in the EU.
    • We recommend following NIST CSF or CIS.
  • Gap identification: Highlighting areas where current practices fall short of the required or desired practices.
  • Action plan: Formulate a plan (the people, processes and tools needed) to address the identified gaps and bring the organization’s security posture up to the desired level.

  3. Conduct a compliance assessment: The purpose of a compliance assessment is to evaluate an organization’s adherence to relevant laws, regulations, and standards specific to its industry. This process involves assessing current security controls and practices to ensure they meet mandatory requirements, such as those outlined by HIPAA for healthcare or GDPR for data protection in the EU. A compliance assessment aims to identify areas of non-compliance and develop strategies to achieve full compliance, thereby reducing legal risks and protecting sensitive information.

Components:

  • Regulatory identification: Documenting all relevant regulatory requirements that apply to the organization based on its industry, location, and operations.
  • Current compliance review: Assessing the existing policies, procedures, and controls to determine how well they align with the identified regulations and standards. This involves reviewing documentation, conducting interviews, and testing processes to gather accurate data.
  • Non-compliance identification: Identifying any areas where the organization’s current practices do not meet the mandatory requirements. This involves comparing current practices with those required by regulations and best practices frameworks, such as ISO 27001 or NIST CSF.
  • Risk assessment: Evaluating the potential risks and impacts associated with non-compliance. This includes considering the likelihood of breaches, penalties, and damage to reputation, which helps prioritize the areas that need immediate attention.
  • Compliance improvement plan: Developing a comprehensive action plan that outlines the steps, resources, and timeline required to achieve compliance. This plan should address the gaps identified, specifying the necessary changes to policies, procedures, technology, and training. This will be incorporated into the Plan of Action and Milestones you created above.

Learn how to complete a compliance assessment in the course The vCISO Toolkit – Guidance & Templates.

Phase 3: Prioritize & Communicate (Days 15-60)

The third phase involves using the foundational understanding of the organization’s security landscape to develop actionable plans and effectively communicate the current security posture and gaps to management.

Define short-term (30-day), mid-term (60-day), and long-term (90-day) goals. Create specific, measurable, achievable, relevant, and time-bound (SMART) objectives for the next 100 days, the end of the year, and the following year, prioritizing the mitigation of the most significant risks first. These goals should align with the 11 programs mentioned in Introduction to vCISO Service. Each program includes specific goals as well as people, processes, and technologies to achieve these goals.

Keep in mind that in the first 100 days, you won’t be able to make substantial changes as you’ll still be learning the business processes and identifying security vulnerabilities.

Identify 2-3 quick wins within the first 100 days that can enhance the security posture with minimal effort or investment. For example, enable MFA, optimize existing security tool configurations for better coverage, or update Microsoft 365 settings to filter out more phishing emails. These actions will demonstrate immediate value and build momentum for ongoing improvements.

Create a strategic remediation plan for the next 1, 3, and 5 years based on those goals, outlining the steps necessary to achieve each objective. This plan should align with the 11 programs mentioned in Introduction to vCISO Services. Each program includes specific people, processes, and technology you can implement to meet your goals. The plan should include timelines, responsible parties, and expected outcomes. 

Communicate to management – The following should be presented to leadership: 

  • Risk assessment
  • Gap analysis
  • Goals and remediation plan

It’s crucial that everyone has a shared understanding of risk. If they don’t see the risk the way you do, it will be difficult to secure buy-in for your plans. If there’s a disconnect, it’s important to determine whether they lack understanding of the risks or have additional information that might require you to adjust your perspective. For effective budgeting and security improvements, it’s essential to establish a common vocabulary. For example, when you describe something as a “critical risk,” does that imply a billion-dollar impact or a million-dollar one? Does it suggest an imminent failure? What does “critical risk” mean in your context? Is it a low-impact event that happens once every 10 years?

Clearly communicate where the organization stands versus where it needs to be. This should be done in the context of the organization’s risk appetite, regulatory requirements, and business goals. 

Present recommendations for short and long-term plans and how much they will cost. This should be based on a deep understanding of how security investments translate into business value, considering factors like reduced downtime, compliance fines avoided, and reputational benefits. 

Work with management to plan budgets and allocate resources for security initiatives, ensuring they are cost-effective and align with broader financial goals. Identify opportunities where automation can reduce resource demands and streamline current operations, leading to cost savings and improved efficiency. While providing a short-term budget is feasible, estimating the total costs within the first 100 days can be challenging. It’s important to explain to clients that Year 1 will likely be more costly due to immediate fixes addressing the most significant risks – as this cost may come as a shock. However, this is essential for achieving the greatest impact on risk reduction. Emphasize the long-term journey towards developing a security culture, which takes time to mature. Explain that building security processes and maturity won’t happen overnight. 

Phase 4: Execute (Days 30-80)

This phase is about putting the strategic plan into action, and establishing yourself as an organizational leader.

Key Activities:

  • Get stakeholder and management buy-in by explaining the strategic plan, its benefits, and its impact on the organization. Ensure that the value of your proposed security measures is clearly understood.
  • Communicate the plan to all stakeholders
  • Focus on quick, impactful wins
  • Create high-priority policies
  • Recommend purchasing products or tools
  • Set and implement a vulnerability program
  • Continuously manage and adjust remediation plans

Phase 5: Report (Days 45-100)

The final phase involves validating the strategy’s effectiveness, crafting detailed reports, and continuously adapting the security measures.

The vCISO typically reports to the CFO and CIO, sharing updates on progress, upcoming tasks, and timelines. As part of the communication plan set with stakeholders, it’s important to understand what they want to know and how often they want updates. 

It’s essential to ensure that technical findings are translated into business impacts. Stakeholders care most about how cybersecurity measures affect their bottom line, growth, and operational efficiency. By explaining how risk assessments, compliance gaps, or remediation efforts translate into cost savings, risk mitigation, and competitive advantage, you’re making it easier for decision-makers to act. This alignment fosters trust, ensures your recommendations are prioritized, and highlights the value of your vCISO services in driving tangible business outcomes.

Measure success

Measure success by collecting and analyzing data that reflects how well the executed plan is performing. Establish a baseline and track improvements across the 11 key programs. Key metrics to consider include:

  • Reduced incident response times 
  • Fewer successful phishing attempts 
  • Improvement in security and compliance postures 
  • Reduced risk levels for malicious activities like data leaks, ransomware, fraud and website defacement 
  • Higher scores for domains like access management, threat intelligence, passwords, website and data protection 
  • Advancement in task progress

Craft detailed reports for management

Integrate reporting into your overall plan

Reassess and readjust

Learn how to create engaging reports in the course The vCISO Toolkit – Guidance & Templates.

Ongoing client management

As with every client, maintaining the relationship is key. Here’s a checklist for ongoing client management:

  1. Establish a regular schedule for meetings and reporting.
  2. Update security measures as the business evolves (e.g., hiring a new CFO, implementing a new ERP system).
  3. Continuously assess their current security posture and identify critical priorities.

Next steps and long-term strategy

In your first 100 days, you have laid down substantial groundwork. You built relationships with key stakeholders, aligned security goals with business objectives, delivered a number of quick wins and leveraged automation for efficiency. 

Now, your efforts should focus on setting your long-term security plan in motion. On top of carrying out your tasks and activities, be sure to regularly review and revise your security practices, policies and technologies. 

Staying ahead of the curve also requires developing a culture of security within the organization. This includes regular training, proactive threat hunting, incident response drills and being on the constant lookout for automated solutions. These will ensure the team is well-equipped to manage and mitigate incidents effectively. Making meaningful choices, measuring your impact and maintaining a flexible mindset will set you up for success on your vCISO journey. 

Chapter 2 Key Takeaways

  1. Build strong relationships early: Establish connections with key stakeholders to gain trust and ensure alignment between security goals and business objectives.
  2. Understand stakeholders’ roles and communication styles: Get to know the different stakeholders, their roles, needs, concerns, and preferred communication styles. This understanding will help you tailor your approach and ensure effective collaboration throughout your engagement.
  3. Ensure a shared understanding of risk: Align everyone’s understanding of risk to secure buy-in for your activities and budget. Clearly communicate risks, relate them to business objectives, and establish a common vocabulary so that everyone is on the same page.
  4. Balance quick wins with strategic gains: Make sure you’re implementing quick wins along with your strategic plans. This approach will create momentum and lay the foundation for sustained improvements.
  5. Communicate clearly and regularly: Effective communication is key to aligning security initiatives with business goals. Regularly update stakeholders on progress, risks, and next steps, ensuring transparency and maintaining the urgency of cybersecurity efforts.