What Does a vCISO Do? Deliverables in the First 90 Days

[OUTLINE — expand before publishing]

"Virtual CISO" is one of the most elastic titles in security — which is exactly why you should judge providers on deliverables, not descriptions. A competent vCISO engagement follows a recognizable arc, and the first 90 days are the most predictable part of it. If you know what should land in the first month, the second, and the third, you can tell within weeks whether you hired a security executive or an expensive attendee of your status meetings. Here's what that arc looks like.

Days 1–30: Understand and assess

  • Stakeholder interviews; access to systems, prior audits, and existing documentation
  • Baseline risk assessment against the frameworks that matter to the business (SOC 2, HIPAA, NIST CSF, CMMC)
  • Asset and data inventory: what matters most, and where it lives
  • Deliverables to expect: written risk assessment, initial risk register, first quick-win fixes shipped

Days 31–60: Prioritize and plan

  • Security roadmap with sequenced priorities, effort and cost estimates, and named owners
  • Policy gap analysis and the first policy drafts
  • Vendor and third-party risk snapshot
  • Deliverables to expect: a 12–18 month roadmap approved by leadership, a policy plan, and budget framing

Days 61–90: Operationalize

  • Operating cadences go live: leadership reporting, risk review, security metrics
  • Compliance calendar built — audits, assessments, and testing scheduled, including penetration testing windows
  • Incident response plan drafted or refreshed; tabletop exercise scheduled
  • Deliverables to expect: an operating program with metrics and dates — not a binder on a shelf

After 90 days: what steady state looks like

  • Ongoing: audit ownership, vendor reviews, board reporting, program iteration
  • Warning signs: no artifacts, meetings without decisions, roadmap slippage with no explanation

How to hold your vCISO to this arc

  • Put the 90-day deliverables in the contract
  • Ask for the artifact list — with dates — before you sign

How Essendis helps

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.