You have just agreed to engage a vCSO. Now what? This is a broad question — and we hear it a lot. Here's what to expect during the first week, month, and year.
What is a vCSO?
A vCSO is a Virtual Chief Security Officer — a part-time or full-time role staffed by one or more consultants from Digital Elevation and Springthrough. In most engagements a single consultant is assigned to your account and supported by the greater team. Your vCSO will endeavor to physically be where the rest of your leadership team and employees are; much of the work, however, is performed remotely.
Your vCSO will enter your organization with vast institutional knowledge in security frameworks, regulatory compliance, and technical risk — but little to none in your specific organization. The first thing your vCSO does, therefore, is enter into a time of listening.
At Digital Elevation and Springthrough our consultants have identified three distinct engagement phases: the first weeks, the first months, and the first year.
Phase 1: The first weeks (Days 1–10)
The very first thing your vCSO does is ask questions and listen. A roadmap, strategy, or plan cannot be built until a thorough understanding of what exists today has been established. While the vCSO will diligently work to meet with stakeholders and ask relevant questions, it's important that you — the client — seek out the vCSO and provide as much context and background as possible.
The vCSO will need time with stakeholders. This list includes (but is not limited to) the CEO or COO, CFO, General Counsel or Compliance Officer, the IT lead or CIO, HR leadership, and any business unit heads who own sensitive data or regulated processes. Expect roughly 30–45 minutes for each initial meeting. Be prepared to share overall goals, what keeps you up at night, previous incidents and what happened, where your concerns are, and what is and isn't working well.
The vCSO will immediately work on the most important aspect of any security program: inventory. Plan to surface and share the following so your vCSO has a complete picture before recommending any changes:
- Existing security policies and procedures
- Prior penetration test reports and vulnerability assessments
- Audit results — internal, external, and regulatory
- Cyber insurance applications and renewal documents
- Vendor contracts that include security or data-handling clauses
- Any regulatory correspondence, findings, or remediation plans
- Existing asset inventory lists
The vCSO will identify the "Crown Jewels" of the organization. With assistance from stakeholders, the vCSO will name the systems, data, and processes whose compromise would be most damaging — and which therefore deserve the most protection.
This initial phase is for learning. Do not expect the vCSO to make sweeping changes or deploy new tooling during this time. The vCSO may make some operational decisions (pay an invoice, approve previously contracted work), but don't expect major shake-ups in Phase 1.
Phase 2: The first months (Days 11–60)
Now that the vCSO and team have the lay of the land, the real work can begin. In this phase the vCSO is building the overall security program. The mode shifts from deliberate listening to concrete action.
Phase 2, in one line: "Establish the baseline, demonstrate value, and set the direction."
Your vCSO will apply a well-known framework to anchor your security program. Based on the Phase 1 findings, one or more frameworks and regulations — NIST Cybersecurity Framework, CIS Critical Security Controls, HIPAA, SOC 2, GLBA, FFIEC, and so on — will be identified as the primary reference for your program.
You can expect the following activities in the first months:
- Security assessment. Threat landscape mapped to your industry and data types. Control gaps documented. Initial risk register created.
- Compliance mapping. Identify which frameworks apply (HIPAA, SOC 2, GLBA, NIST CSF, FFIEC, etc.) and document gaps relative to each.
- Quick wins. Enforce MFA, audit admin accounts, verify patch cadence, tighten email security.
- Board briefing. A first executive summary covering what's been found, the organization's risk appetite, and a draft of the security roadmap.
- Incident response plan. Draft (or substantially update) the IRP to include escalation paths, notification procedures, and cyber insurance triggers.
- Vendor risk. Inventory critical third-party vendors. Flag those with privileged access. Review security clauses and SLAs in vendor contracts.
Phase 2 will likely include some changes within the organization at the vCSO's direction with executive buy-in. That executive support is critical. If there's a substantial disconnect between the leadership team and the vCSO during this phase, it needs to be addressed immediately. A security program requires buy-in and support at all levels.
Phase 3: The first year
The remaining ten months are sustained program execution. The vCSO is no longer discovering — they're building. The goal by year-end is a measurable, documented, and defensible security program the organization can operate, audit, and improve on over time.
Policy and procedures library
A complete policy library is non-negotiable for regulatory compliance, cyber insurance underwriting, and audit readiness. Priority documents include:
- Acceptable Use Policy
- Access Control and Identity Management Policy
- Data Classification and Handling Policy
- Incident Response Plan (formalized from the Phase 2 draft)
- Business Continuity and Disaster Recovery Plan
- Vendor / Third-Party Risk Management Policy
- BYOD and Remote Work Policy
Additional policies and procedures will be developed as needed. Existing policies — after the initial inventory — will also be reviewed and updated.
Security awareness program
Training is a control, not a checkbox. Build a program that runs continuously rather than as an annual event. Core components include role-based training modules, monthly phishing simulations with immediate coaching for failures, and quarterly executive briefings on current threat trends. Track completion rates and click rates as reportable metrics.
Vulnerability management
Move from ad hoc scanning to a formal program with documented cadence, ownership, and SLA-driven remediation. A practical starting point:
- Critical vulnerabilities: remediated or mitigated within 14 days
- High vulnerabilities: remediated within 30 days
- Medium vulnerabilities: remediated within 90 days
- All findings tracked in a centralized register with assigned ownership
Penetration testing
At minimum, one formal penetration test should be completed before year-end (first quarter would be ideal). A scoped, documented, and tracked-to-remediation test is necessary. For organizations under SOC 2, PCI DSS, or HIPAA, testing frequency and scope may be dictated by the applicable framework. Ensure findings are tied to the risk register and that the executive summary is board-ready.
Tabletop exercises
Incident response plans that have never been exercised are just documents. Run at least one tabletop exercise with leadership at the six-month mark. A ransomware scenario or data breach scenario works well for most mid-market organizations — realistic, high-impact, and effective at exposing gaps in communication, decision-making authority, and vendor notification procedures.
Expect the vCSO to participate in these exercises, with one caveat: eventually the vCSO engagement will conclude. It is important that the IRP is not dependent on the vCSO.
KPIs and board reporting
By mid-year, the vCSO should be delivering regular security reporting to leadership on a monthly cadence. Metrics to track and report include (but are not limited to):
- Mean time to remediate critical and high vulnerabilities
- Phishing simulation click rates over time
- Patch compliance percentage by system tier
- Policy exception count and age
- Open risk register items by severity
- Security training completion rates
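A small register tracker for the remediation SLAs in the vulnerability management section and the "mean time to remediate" and "open risk register items by severity" metrics listed above. It is an added example, not tooling from the vCSO program; the 14/30/90-day thresholds come from the page, while the finding records, owner names and reporting date are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Remediation SLAs in days, as set out in the vulnerability management section.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

@dataclass
class Finding:
    finding_id: str
    severity: str                      # "critical", "high" or "medium"
    owner: str                         # assigned owner; empty string means unowned
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open

def due_date(f: Finding) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])

def sla_status(f: Finding, today: date) -> str:
    """'met'/'breached' for closed findings, 'open'/'overdue' for open ones."""
    if f.remediated is not None:
        return "met" if f.remediated <= due_date(f) else "breached"
    return "open" if today <= due_date(f) else "overdue"

def mttr_days(findings, severities=("critical", "high")) -> Optional[float]:
    """Mean time to remediate, in days, over closed findings of the given severities."""
    closed = [(f.remediated - f.discovered).days
              for f in findings if f.remediated and f.severity in severities]
    return mean(closed) if closed else None

def register_report(findings, today: date) -> dict:
    """Roll the register up into the numbers the KPI section asks for."""
    report = {"open_by_severity": {}, "overdue": [], "sla_breached": [], "unowned": [],
              "mttr_critical_high_days": mttr_days(findings)}
    for f in findings:
        status = sla_status(f, today)
        if status in ("open", "overdue"):
            report["open_by_severity"][f.severity] = report["open_by_severity"].get(f.severity, 0) + 1
        if status == "overdue":
            report["overdue"].append(f.finding_id)
        if status == "breached":
            report["sla_breached"].append(f.finding_id)
        if not f.owner:  # every finding must carry an owner, per the program's rules
            report["unowned"].append(f.finding_id)
    return report

# Constructed sample register (not real findings) and a fixed reporting date.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", "platform-team", date(2024, 1, 1), date(2024, 1, 10)),
    Finding("F-2", "high", "app-team", date(2024, 1, 1), date(2024, 2, 10)),
    Finding("F-3", "medium", "", date(2024, 1, 1)),
    Finding("F-4", "critical", "platform-team", date(2024, 2, 1)),
]
```

Run `register_report(SAMPLE_FINDINGS, TODAY)` to get the monthly roll-up: F-2 closed outside its 30-day window, F-4 is past its 14-day due date, and F-3 has no owner.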
Year-end: maturity assessment and program review
Close year one with formal maturity scoring. The NIST Cybersecurity Framework (CSF) is the most accessible and widely recognized model for mid-market organizations. Score the program against the five CSF domains — Identify, Protect, Detect, Respond, Recover — and document where the organization started versus where it stands today.
In conclusion
At Digital Elevation and Springthrough we believe in the vCSO model for small and mid-sized businesses. Every organization has the same fundamental security risks and requirements. For many organizations, hiring a firm to fill this role just makes sense. Our vCSO program was built on strong fundamentals to deliver durable results to our clients.
W. Scott Montgomery is Director of Security at Digital Elevation. Richard Maloley is a Senior Security Consultant at Digital Elevation and Springthrough.