
The First 90 Days with a Fractional CISO

Tags: Fractional CISO, Cybersecurity Leadership, Risk Management

The first ninety days of a Fractional CISO engagement are the most intensive. Before ongoing oversight and governance work can begin, there is foundational work that needs to happen: understanding the current environment, identifying the most significant gaps, and building the structure that everything else will depend on.

What follows is a practical description of how that period typically unfolds.

Days 1 to 30: Baseline and Discovery

The first month is about understanding. Before your Fractional CISO can set priorities, they need an accurate picture of your current environment -- what you have, what you lack, and what risks are present right now.

This phase typically includes a review of your existing security documentation, interviews with key staff and leadership, an inventory of systems and applications, an assessment of access controls and identity architecture, and an initial review of your vendor and third-party relationships.

The output is a baseline risk assessment: a clear-eyed summary of where your organization stands, what the most significant gaps are, and what needs to happen first.

This is not a check-the-box compliance audit. It is a working document that reflects your actual environment, not a hypothetical ideal. The baseline will be used to prioritize work for the rest of the engagement.

What leadership should expect in month one: Regular check-ins, a lot of questions from your Fractional CISO as they learn the environment, and a candid summary of findings at the end of the month. Some of those findings will be uncomfortable. That is the point.

Days 31 to 60: Priority Setting and Policy Foundation

The second month moves from discovery to action. With a clear baseline in hand, your Fractional CISO builds the roadmap and begins the policy and governance work that the organization needs most.

Policy development is typically the most visible output of this phase. Most SMBs have either no formal security policies or policies that were written years ago and no longer reflect current operations. This month establishes the foundational documents: acceptable use, access management, incident response, data handling, and vendor security requirements.

Alongside policy work, this phase includes risk prioritization -- taking the gaps identified in month one and sequencing them in a way that addresses the highest-impact items first, without trying to fix everything at once.

It also includes a conversation with leadership about governance structure: who owns security decisions, how those decisions get made, and how security risk gets communicated upward.

What leadership should expect in month two: Draft policy documents for review, a prioritized risk roadmap, and clarity on what the organization should focus on for the next six to twelve months.

Days 61 to 90: Implementation Oversight and Steady State

The third month shifts toward execution oversight. The policies and roadmap are in place. Now the work is ensuring that the highest-priority items are moving, that the policies are being communicated and implemented, and that the organization is operating within the governance structure that has been established.

This phase typically includes vendor risk reviews for your highest-priority third-party relationships, initial work on any compliance alignment that is in scope (CMMC, SOC 2, HIPAA, or others), training or awareness activity for staff, and the first substantive executive or board communication on security posture.

By the end of month three, the engagement moves into steady-state mode. The foundation is built. Ongoing work shifts to maintaining oversight, responding to changes in the environment, supporting incidents when they occur, and continuing to close gaps identified in the roadmap.

What leadership should expect in month three: The security function beginning to feel like it has structure. Clearer answers to questions like "where are we on compliance," "what do we tell clients when they ask about our security," and "what happens if we have an incident."

What Comes After 90 Days

The steady-state engagement runs on a monthly retainer. The Fractional CISO remains available for strategic questions, leads the response when incidents occur, drives the ongoing roadmap, supports due diligence processes, and continues to refine governance as the business evolves.

Most organizations find that the engagement accelerates after the first ninety days. The discovery and foundation work is complete. Meetings are more focused, decisions are faster, and the security function begins to operate with the clarity that was missing before.

What the First 90 Days Is Not

The first ninety days of a Fractional CISO engagement is not a technology deployment project. It does not result in new tools being installed or a managed security service being stood up. Those are implementation activities that may follow from the roadmap, but they are executed by your IT team or security vendors -- not by the Fractional CISO.

The output of the first ninety days is governance structure, policy foundation, risk clarity, and a prioritized roadmap. That is the work that creates the conditions for everything else to succeed.

For organizations in Northern Virginia and the DC metro area, NightFortress Fractional CISO engagements follow this structured approach from day one. Learn more about how the retainer works or contact us to start with a conversation about your current environment.