Why the First 90 Days Make or Break Your vCISO Practice
Most MSPs have the same experience with their first few vCISO clients:
- The sales call goes well, everyone agrees on “doing security properly”
- A loose scope is agreed, often wrapped into a bigger managed services deal
- Three months later, the team is buried in unplanned work and the client still doesn’t feel “secure”
The problem isn’t intent. It’s structure.
Without a clear 90‑day plan, vCISO work collapses into an endless list of tickets: policy edits, vendor reviews, security questions from sales, the occasional incident. Your senior security person becomes an expensive fire‑fighter, your margin disappears, and the client can’t point to concrete progress.
A simple 90‑day playbook fixes that. It gives your team:
- A repeatable onboarding path for every vCISO client
- Clear expectations to set with decision‑makers
- A structure that maps naturally to a platform like GetCybr’s vCISO services stack
In this guide, we’ll walk through how an MSP should run the first 90 days of a vCISO engagement in three phases:
- Days 0–30: Triage and quick wins
- Days 31–60: Governance and compliance baseline
- Days 61–90: Roadmap and operating rhythm
By the end, you’ll have a template you can apply across clients instead of treating every vCISO engagement as a bespoke project.
Before Day 0: Set the Rules of the Game
The 90‑day plan only works if you lock in scope and expectations before kickoff. That means a clear answer to three questions:
- Who owns security outcomes inside the client?
- What are we optimising for in the first 90 days?
- How much time does the vCISO actually have?
Define the internal security owner
Every vCISO engagement needs a counterpart on the client side. If you don’t have one, you’ll spend months chasing people for decisions.
Before you start, agree on:
- Accountable owner: usually the COO, CTO, or Head of Operations
- Day‑to‑day contact: someone who can schedule workshops, chase evidence, and unblock access
- Decision rights: what the MSP vCISO can decide alone vs what needs approval
Write this down. It belongs in the engagement letter and in the first slide of your kickoff deck.
Agree the first 90‑day outcome
“Improve security” is not an outcome. For most MSP vCISO clients, the real drivers are:
- A specific audit, attestation or certification (SOC 2, ISO 27001, Cyber Essentials Plus)
- A major customer pushing for security assurances
- Board pressure after an incident or near‑miss
Pick one or two concrete outcomes for the first 90 days, for example:
- “Complete a SOC 2 Type 1 readiness assessment with no critical gaps left open”
- “Close the top 10 critical risks in the environment”
- “Have a board‑approved security roadmap and budget for the next 12 months”
Those outcomes should link directly to your tiered offering and how you use a frameworks‑driven GRC platform to show progress.
Be honest about vCISO time
If your vCISO service tier promises “up to 10 hours per month” and the first 90 days demand 40 hours, you have a mismatch.
Do a rough estimate:
- Intake and discovery workshops
- Framework mapping and risk assessment
- Policy work
- Vendor and asset inventory
- Board‑level communication
Then either:
- Adjust the tier (e.g. a one‑off onboarding package on top of the monthly fee), or
- Tighten the scope for the first 90 days
This is where an AI‑assisted GRC platform like GetCybr lets you keep scope tight without cutting corners: you reuse content, automate evidence collection, and let the system handle a lot of the mapping work that normally eats hours.
Days 0–30: Triage and Quick Wins
The aim of the first month is simple: understand where the risk is, stabilise obvious issues, and show the client that there’s a plan.
You don’t need perfect inventory or gold‑plated policies yet. You need:
- A clear picture of business‑level risk
- Enough information to prioritise work
- One or two visible wins that build trust
1. Run a focused intake, not a free‑form interview
Many MSPs treat the first vCISO call as an open discussion. That wastes time.
Instead, use a standard intake pack with:
- A short, plain‑English questionnaire covering business model, regulatory exposure, and key systems
- A request list for basic artefacts: org chart, key policies, any past audit reports, list of critical vendors
- A simple data‑flow sketch: who the client serves, what data they hold, and where it lives
Capture all of this directly into your GRC platform, not in scattered notes. In GetCybr, that means creating the client workspace, mapping business processes, and linking documents to controls from day one.
2. Run a lightweight risk and control review
You want enough structure to avoid firefighting, but not a six‑week assessment.
A practical pattern for the first 30 days:
- Pick one anchor framework that fits the client (NIST CSF for many, ISO 27001 or SOC 2 for more mature teams)
- Score current state at a rough level (e.g. 0–3) against a core subset of controls
- Capture top risks in a central register, with plain‑English descriptions
Tools like GetCybr let you do this quickly by mapping answers and artefacts to multiple frameworks in the background. That matters if your client needs to juggle SOC 2, ISO 27001, and something sector‑specific later on.
3. Deliver one or two visible quick wins
Quick wins are not “finish your SOC 2”. They’re tangible improvements clients can feel in weeks, not months.
Typical first‑month wins for MSPs:
- Close obvious access issues: stale or never‑used admin accounts, shared credentials, privileged accounts without MFA
- Ship a minimum viable incident response plan: one or two pages that everyone can find, with the out‑of‑hours contacts filled in
- Stabilise backups and monitoring: make sure someone will actually see the next critical alert, and that at least one restore has actually been tested rather than assumed
Make these part of a simple 30‑day action list with owners and due dates. Use your platform to track them so you can show completion at the first review.
4. Communicate like a leader, not a ticket queue
At the end of the first month, you should be able to sit with the client’s leadership and answer:
- What did we learn about your risk profile?
- What changed in the environment in the last 30 days?
- What are we doing next?
Send a one‑page summary that covers:
- Top 5 risks (with business language, not just CVSS scores)
- The quick wins you’ve delivered
- The focus for the next 60 days
This is where many MSPs lose momentum. They do good technical work but don’t translate it for leadership. If you want vCISO to become a premium recurring service, that translation is your product.
Days 31–60: Build the Governance and Compliance Baseline
Once the initial fires are under control, the second month is about structure.
The goal for days 31–60 is to move from “we did some good cleanup” to “we have a basic security management system”: policies, roles, a cadence, and enough framework coverage to satisfy auditors and big customers.
1. Freeze a target framework and scope
Many MSPs try to cover every framework a client might ever need. That slows you down.
Instead, pick a primary framework based on the first month’s intake:
- Growth‑stage SaaS chasing enterprise deals: SOC 2
- European company with regulatory exposure: ISO 27001
- UK public sector or government‑adjacent: Cyber Essentials Plus + ISO 27001
- Less regulated SMBs: NIST CSF or a slimmed‑down control set
Then use a platform that can map that primary framework to others automatically. With GetCybr’s frameworks engine, you can do the heavy lift once and still answer questions about ISO, SOC 2, and sector frameworks later.
2. Stand up a usable policy set
“Usable” here means:
- People can find policies quickly
- They’re short enough that someone might actually read them
- They reflect how work really happens, not an idealised version from a template
For most new vCISO clients, focus on a core set in the first 60 days:
- Acceptable use
- Access control and identity
- Change management
- Incident response
- Vendor and third‑party risk
- Backup and recovery
Don’t build a separate policy for every edge case. Use your platform to generate and track one standard library, then apply client‑specific exceptions where needed.
3. Build out the asset and vendor picture
You can’t manage risk if you don’t know what you’re defending.
By the end of day 60 you should have:
- A list of critical systems and data stores
- A map of production vs non‑production environments
- A register of key third‑party services and suppliers
This is another place where GRC automation pays off. Instead of manual spreadsheets, use integrations and questionnaires to pull this data into a central place. In GetCybr, that means:
- Linking vendors to the controls they support
- Tracking contract and renewal dates
- Recording which frameworks each vendor touches
4. Formalise roles, RACI, and cadence
Your vCISO engagement will stall if everyone assumes “security” is somebody else’s job.
In the second month, agree and document:
- A simple RACI for core activities: risk management, change approvals, incident response, vendor reviews
- A recurring governance cadence: monthly or quarterly security reviews, who attends, and what gets reported
- Escalation paths: who gets called at 2am when something breaks
Capture this as part of your engagement documentation in the platform, not as a slide deck that disappears.
5. Show framework‑level progress
By day 60 you should be able to show a simple view:
- Overall framework coverage (e.g. 40% implemented, 35% in progress, 25% not started)
- Heatmap of high‑risk areas
- Top corrective actions and who owns them
This is where an AI‑assisted platform earns its keep. Instead of manually maintaining spreadsheets, you map evidence and controls once and let the system update progress views. Clients see a structured programme, not a list of tickets.
Days 61–90: Roadmap, Budget, and Operating Rhythm
The last 30 days of onboarding are about making the vCISO engagement sustainable.
You want the client to come out of the first 90 days saying:
- “We know where we’re exposed”
- “We have a plan and a way to track it”
- “We know what this will cost and how long it will take”
If you reach that point, it’s natural for them to keep you on as their ongoing vCISO rather than treating you as a one‑off project.
1. Build a 12‑month security roadmap
Use everything you’ve learned to build a simple, believable roadmap:
- Group work into quarterly themes (e.g. Identity, Data Protection, Resilience, Vendor Risk)
- List 3–5 initiatives per quarter with rough effort levels
- Tie each initiative back to risks and framework gaps you documented earlier
Keep it honest. It’s better to commit to a smaller set of well‑defined initiatives and deliver them than to over‑promise.
2. Tie roadmap items to budget and capacity
Roadmaps that ignore budget turn into wish‑lists.
In the final month, work with the client to:
- Estimate internal effort (who on their side needs to be involved, and for how long)
- Estimate MSP effort across your vCISO tiers
- Identify tooling or service spend: MDR, backups, logging, GRC platform
Use your vCISO service catalogue to show what’s covered by the monthly fee and what might need a separate project. Platforms like GetCybr’s vCISO services stack help here by standardising deliverables across clients.
3. Lock in the operating rhythm
An effective vCISO engagement looks boring from the outside. There’s a predictable set of meetings and updates, and everyone knows what happens when.
By day 90 you should have:
- A recurring security review call (monthly or quarterly) with a fixed agenda
- A standard metrics pack: risk changes, incidents, key control status
- A clear set of triggers that escalate beyond the regular cadence (major incidents, new regulatory exposure, big customer deals)
Document this rhythm in your platform and in the engagement letter. Treat it as part of the product you’re selling.
4. Capture and reuse what you’ve built
Finally, take everything that worked in this engagement and make it reusable:
- Templates for intake questionnaires and risk workshops
- Policy language that clients understood and accepted
- Roadmap slides and report formats that landed well with boards
Feed these back into your internal GRC automation approach and tools so the next client starts at a higher baseline.
The more you standardise, the more profitable your vCISO practice becomes. AI‑assisted platforms compound this effect by turning every engagement into reusable content and mappings.
Turning the Playbook Into a Repeatable Service
A 90‑day plan on its own doesn’t grow an MSP security practice. What moves the needle is turning that plan into a product:
- A clear vCISO tier that explains what happens in each phase
- A platform that keeps you out of spreadsheet land and lets you show progress in real time
- A repeatable way to communicate with leadership so they see security as an ongoing programme, not a cost centre
That’s exactly what we built GetCybr for: giving MSPs a way to run multiple vCISO engagements in parallel without burning their best people or drowning in admin.
If you want help turning this 90‑day playbook into a repeatable, profitable vCISO service for your clients, book a walkthrough of the platform and we’ll share how other MSPs are doing it.
Book a GetCybr demo to see how the vCISO workflows, frameworks engine, and reporting can plug straight into your next onboarding.