Jaime Pauline

The first 90 days: what a vCISO actually does in a regulated environment

What a fractional CISO engagement looks like in pharma, public-company, or healthtech contexts — week-by-week deliverables, how it differs from SaaS-startup engagements, and what to expect by quarter end.


Most fractional CISO content is written for SaaS startups. Quarterly business reviews, SOC 2 prep, security-as-a-go-to-market enabler — that’s the playbook for a Series-B e-commerce platform. Regulated environments work differently. The cadence is the audit cycle, not the sprint. The deliverables are evidence-of-control, not feature flags. The audience for the security report is your audit committee, not your product marketing lead.

If you’ve never hired a vCISO and you operate under GxP, SOX, NIST, ISO, or HIPAA, here’s what the first 90 days actually look like.

Week 1 — Diagnose

The first week is reading and listening. I read the policies that exist (and the ones that should but don’t), the most recent audit findings (yours and your peers’), the IR plan if you have one, and the risk register. I talk to whoever owns security operationally today — usually a Director of IT, a Compliance Officer, or sometimes a CFO who’s been doing it on the side.

Outputs by Friday:

  • A current-state read against the frameworks in scope (GxP, SOX, NIST 800-53, ISO 27001, HIPAA, PCI as applicable). Not a long document — a tight gap analysis with severity and audit-cycle priority.
  • A “what an auditor would say today” memo. Three to five things that would surface in a real inspection right now, and what to do about each.
  • A quick-wins list: the things we can fix in week two without committee approval or new budget.

Month 1 — Foundation

Weeks two through four build the foundation that survives an audit. This is the unglamorous work that compliance officers will recognize and SaaS founders won’t:

  • Core policies with control-owner assignments. Information security policy, acceptable use, access control, change control, incident response, vendor risk management. Each control has a named owner and a defined review cadence. Not “owned by IT” — owned by Maria in IT, reviewed quarterly.
  • Incident response plan with executive escalation paths. Documented who gets called when, how the audit committee gets briefed if the incident has reportable implications, and what the regulatory disclosure trigger looks like under your applicable frameworks.
  • Baseline TPRM process. Vendor risk classification, due-diligence questionnaire, ongoing review cadence. Mapped to the controls your auditors expect (SOX 404 if public, GxP supplier qualification if pharma, HIPAA business associate agreements if healthtech).

By the end of Month 1, the security function has artifacts that any auditor would recognize. Not perfect — functional.

Days 60–90 — Operate

Weeks five through twelve shift from foundation-building to operational rhythm. The deliverables here are about cadence, not creation:

  • Monthly security review meeting. A standing one-hour meeting with the security stakeholders. Risk register update, incident review, control-evidence status, audit-cycle countdown.
  • First quarterly audit-committee or board-ready report. A one-page executive summary with supporting detail. Risk-state with quarter-over-quarter change. Key incidents and resolution. What changed in the regulatory landscape that affects you.
  • Control-evidence collection running ahead of the next audit window. The evidence-of-control trail is captured continuously, not assembled the week before the audit.

By day 90, the security program isn’t mature — but it’s legible. An auditor can walk in and follow the trail. A board member can read one page and know where you stand. A control owner knows what they own.

What you’ve got at day 90 vs. what’s still maturing

What you’ve got: a documented, owned, audit-legible security function with a defined operational cadence and a clean deliverable trail. The last 90 days of work would survive the kind of scrutiny that surprises companies who tried to “bolt on” security ahead of an inspection.

What’s still maturing: the depth of automation around control-evidence collection, the maturity of the metrics program, the organizational muscle memory around running tabletops without prompting. These are things that require time, not just engagement. The next quarter’s work continues.

If you’re heading into your first audit cycle and want a vCISO who’s been through it — let’s talk.
