What to Expect in Your First 90 Days with a vCISO
When a Sligo accountancy firm engaged a vCISO for the first time, the managing partner admitted she had no idea what to expect. She had read about Virtual Chief Information Security Officers but had never worked with one. Would they ask for access to everything? Would they present a 200-page report no one would read? Would they actually fix anything — or just advise? That uncertainty is common. Most Irish SME owners who engage a vCISO for the first time are doing so without a clear picture of how the engagement actually works in practice.
For many, the idea of bolstering their cyber defences can feel overwhelming, especially without a dedicated in-house security expert. This article explains exactly what the first 90 days look like — from the initial conversation through to a working security roadmap and the first implemented controls.
The Initial Assessment: Understanding Your Unique Landscape
The first phase of a vCISO engagement is all about deep understanding. Your vCISO will conduct a comprehensive initial assessment to gain a clear picture of your current cybersecurity posture. This is not a generic checklist — it is a tailored deep dive into your specific business operations, IT infrastructure, existing policies, and regulatory obligations.
For Irish SMEs, this assessment typically covers four areas:
- Technical infrastructure: examining your networks, systems, applications, and cloud environments, including Microsoft 365 and any line-of-business software.
- Policy and procedure audit: assessing existing security policies, incident response plans, and employee awareness programmes.
- Risk identification: pinpointing critical assets, potential vulnerabilities, and the specific threats your business faces given its sector and size.
- Compliance landscape: understanding your obligations under GDPR as enforced by the Data Protection Commission, and your readiness for NIS2[^1].
This initial assessment provides the foundation for all subsequent strategic planning. It identifies immediate gaps and long-term objectives, ensuring that the vCISO's efforts are aligned with your business goals and risk appetite.
Quick Wins and Immediate Impact
While the comprehensive assessment is underway, a good vCISO will also identify and implement quick wins within the first 90 days. These are high-impact, low-effort improvements that significantly enhance your security posture almost immediately and demonstrate tangible value early in the engagement.
Common quick wins include:
- Deploying Multi-Factor Authentication across critical systems such as email and cloud services. This single control blocks the vast majority of credential-based attacks.
- Rolling out initial security awareness training for employees to address common threats like phishing, which An Garda Síochána reports is one of the most prevalent attack vectors against Irish businesses[^2].
- Ensuring critical security updates are applied promptly to mitigate known vulnerabilities.
- Reviewing and tightening permissions so that users have access only to what their role requires.
These early improvements not only strengthen your security directly — they also establish a security-conscious culture within your organisation, preparing the ground for the more comprehensive strategic work that follows.
Wondering what quick wins your business could implement in the first month? Book a free 20-minute strategy call — we will identify the highest-impact controls for your specific environment.
Strategic Planning and Roadmap Development
Following the initial assessment and the implementation of quick wins, the vCISO works with you to develop a robust cybersecurity strategy and a clear roadmap. This plan outlines the long-term vision for your security programme, prioritising initiatives based on risk, business impact, and regulatory requirements.
Your strategic roadmap typically covers:
- Risk mitigation strategies: detailed plans to address identified risks through technical controls, process improvements, and policy updates.
- Technology recommendations: guidance on selecting and implementing security tools that fit your actual environment and budget.
- Compliance frameworks: a plan to achieve and maintain compliance with GDPR and NIS2.
- Budgeting and resource allocation: recommendations for allocating resources effectively to support your cybersecurity objectives.
- Key performance indicators: metrics to measure the effectiveness of your security programme and demonstrate progress.
This phase transforms the assessment findings into actionable steps, providing a clear direction that everyone in your business can understand and support.
Ongoing Collaboration and Evolution
The first 90 days with a vCISO lay the groundwork. Cybersecurity is not a static state but a continuous process of adaptation and improvement. Your vCISO becomes an integral part of your team, providing continuous guidance, monitoring emerging threats, and adjusting your strategy as your business evolves and the threat landscape changes.
This ongoing engagement includes:
- Regular reporting: clear, concise updates on your security posture, progress against the roadmap, and any new risks that emerge.
- Incident response support: being available to assist when security incidents occur, from detection through recovery and post-incident analysis.
- Board and management briefings: translating complex technical issues into business language for your leadership team, as recommended by the NCSC Ireland for effective governance[^3].
- Vendor security management: helping you assess and manage the cybersecurity risks associated with your third-party suppliers and cloud platforms.
The first 90 days with a vCISO move your business from reactive to proactive — from hoping nothing goes wrong to having a plan and controls in place when it does.
What This Means for Your Business
Engaging a vCISO in the Irish context means gaining access to expert cybersecurity leadership without the overhead of a full-time executive. It means moving from a reactive stance to a proactive, strategic approach to security. For Irish SMEs, this translates into better protection against cyber threats, enhanced compliance with GDPR and NIS2, and greater confidence in your digital operations.
The first 90 days are the foundation. By the end of them, you should know exactly where your business stands on cyber risk, which controls are in place, which gaps remain, and what the plan is to address them — with a qualified security partner overseeing the programme throughout.
What Next
Prepare for the initial assessment by gathering what you have. Know your IT environment: how many users, which cloud services, who manages your systems. Know your compliance obligations: are you subject to GDPR? Do any of your customers operate under NIS2? This preparation makes the initial assessment faster and more useful.
Set a clear outcome for the first 90 days. What does success look like? Is it having cyber insurance in place? Passing a supplier security questionnaire? Achieving NIS2 baseline compliance? A shared definition of success makes the engagement far more focused.
Brief your IT provider before day one. A vCISO works alongside your IT provider — not instead of them. A brief introduction call before the engagement starts avoids the common awkwardness of two parties uncertain of their respective roles.
Related Reading
- vCISO or Cyber Security Manager? A Decision Framework
- When Should an SME Hire a vCISO? 7 Warning Signs
- Why Your vCISO Should Also Handle Implementation
[^1]: Data Protection Commission Ireland
[^2]: An Garda Síochána — Cyber Crime
[^3]: NCSC Ireland — Advice for Organisations
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.