What Happens in the First 90 Days with a Fractional CISO?

A week-by-week breakdown of deliverables, quick wins, and measurable risk reduction, with no vague consulting.

Phase 1, Discovery and Quick Wins (Days 1-14): Stakeholder interviews with leadership, IT, and key staff. Technical assessment of current security controls, policies, and architecture. Risk snapshot delivered by Day 8 with top findings and immediate priorities. Quick wins implemented by Day 14 addressing the highest-risk gaps.

Phase 2, Foundation and Planning (Days 15-42): Strategic security roadmap with prioritized actions and budget estimates. Essential policy framework covering acceptable use, incident response, and data handling. Control baseline establishment aligned to NIST CSF 2.0. Incident response playbook development with roles, communication plans, and recovery procedures.

Phase 3, Implementation and Measurement (Days 43-90): Priority control implementation coordinated with your IT team and MSP. Staff security awareness program launch. KPI and KRI dashboard setup for ongoing measurement. First quarterly strategy review with executive leadership.

What success looks like at Day 90: documented security program with clear risk ownership, prioritized roadmap tied to business goals, measurable improvement in security posture, and executive-ready reporting that communicates value to leadership.