Week one. Two conversations. No deck.
The first week of a fractional CISO engagement should not produce a deck, a plan, or a recommendation. It should produce two conversations, recorded in notes that nobody else sees.
The first conversation is with the executive who hired the vCISO. The question is simple: what does success look like to you, twelve months from now? The honest answer is rarely "we are certified" or "we have a SOC". It is more often "my board will stop asking me about cyber" or "the customer questionnaires will not delay sales" or "the regulator will leave us alone after the next visit".
The second conversation is with the operational leader who will live with the consequences. Sometimes the CTO. Sometimes the COO. Sometimes the head of operations. The question is also simple: where does the current control set break under pressure? The answer is always specific. A vendor onboarding queue. A patching SLA that nobody owns. An access review nobody trusts. A backup nobody has restored from.
Those two answers, taken together, are the engagement. Everything that follows for the next eleven weeks is the structured response to the two of them.
Weeks two to four. Mapping, not building.
The instinct of a newly arrived senior hire is to start building. Issue a policy. Order a tool. Stand up a steering committee. None of it should happen yet.
Weeks two to four are spent mapping what already exists. Not what the previous CISO documented. What is actually operating. Three artefacts come out of this phase.
- The asset and data flow map. Where the data lives, where it moves, who touches it, and which systems are out of scope but in the perimeter anyway.
- The control inventory. Every control the organisation believes it has, scored on a simple three-step rubric: documented, operating, and evidenced.
- The obligation register. Every external requirement the business is on the hook for. Frameworks, regulations, customer contracts, insurance, board-approved standards. With the renewal date and the owner.
If any of the three already exist in usable form, the engagement is in better shape than most. They almost never do.
Weeks five to eight. The control inventory pass.
By week five the picture is clear enough to do the work that earns the fee. The control inventory is walked through, control by control, with the person who actually operates each one.
Three things change during this pass. First, the documented-versus-operating gap closes. Either the control is updated to reflect what actually happens, or what actually happens is changed to match the document. The decision is taken in the room, not deferred.
Second, the evidence layer is rebuilt. Each control gets a named artefact, a named owner, a refresh cadence, and a location where it lives. By the end of week eight, the organisation can answer the question "can you show me the evidence" for every control on the inventory, with one click.
Third, the orphaned controls surface. Controls that nobody owns because the person who wrote them has left. Controls that have been replaced by a tool that nobody trusts. Controls that are documented because a customer asked for them in 2022 and never returned. These get a binary decision: kept and owned, or removed and minuted.
Nothing stays in the control inventory unowned. Unowned is the same as broken.
Weeks nine to twelve. The board paper that earns the next quarter.
The final four weeks have one product: a board paper that the executive who hired the vCISO can take into the next risk or audit committee with confidence.
The paper has the same four sections every time.
- Where we are. In language the board will recognise, with the residual risk position stated and accepted.
- What changed. In the last ninety days: the controls that were broken and have been fixed, and the controls that were unowned and now have an owner.
- What is next. In the next two quarters: the named investments, the named risks, and the named decisions the board will be asked to make.
- What I need. From the board, to make the next ninety days deliver against the same standard.
If the board paper is right, the engagement extends or transitions to a permanent CISO. If it is wrong, the engagement should not extend. The 90-day mark is the right point to make that call, on both sides.