
The vCISO's first 90 days — a structured intake.

Week-by-week plan covering risk baseline, governance reset, quick wins and the first board pack.

Author: vCISO Practice · Published: May 2026 · Read time: 6 min · Format: Playbook
Tags: Virtual CISO · Playbook · Board reporting
MAST Consulting Group · Virtual CISO practice

This playbook captures the sequence MAST Consulting Group uses on Virtual CISO engagements when a programme owner has roughly 90 days to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

The vCISO first-90-days intake is a structured engagement model that takes a new Virtual CISO from zero baseline to an operational security programme within three months. It covers risk baselining, governance framework reset, quick-win control deployment, and delivery of the first board-ready cybersecurity pack, all documented for continuity if the engagement ends.

Why it matters

The pressure on Virtual CISO programmes is shifting in specific, observable ways:

  • SAMA CSF §3.1.1 and NCA ECC-1 domain 1 require a designated cybersecurity leader with documented responsibilities; a vCISO engagement letter and governance charter fulfils this on day one without a 6–12 month permanent hire timeline.
  • CBUAE and DFSA licensing inspections routinely request evidence of an active CISO function within 30 days of application; a structured vCISO intake produces the required governance documentation within that window.
  • GCC mid-market firms (200–2,000 employees) face an average AED 180K–380K cost for a permanent CISO plus benefits; a vCISO engagement at AED 30K–80K/month provides equivalent coverage at 40–60% lower cost.
  • Without a structured 90-day plan, vCISO engagements drift into reactive advisory with no measurable outcome, undermining board confidence and regulatory evidence trails.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Risk register (Week 1 baseline) — top 20 risks scored by likelihood and impact in AED, mapped to NCA ECC or SAMA CSF control domains.
  • Gap assessment report — current control maturity vs. target per SAMA CSF or ISO 27001:2022 Annex A, with remediation priority and estimated effort in person-days.
  • Governance charter — documented vCISO mandate, reporting line, decision rights, and escalation path signed by CEO/board.
  • Board pack v1.0 — 12-slide deck covering risk posture, top gaps, quick-win roadmap, and AED budget ask.
  • Quick-win delivery log — list of controls implemented in 90 days (e.g. MFA enforced, EDR deployed, backup tested) with completion date and evidence reference.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: vCISO conducts stakeholder interviews (IT, Legal, Finance, Operations) and runs a rapid gap assessment against SAMA CSF or NCA ECC-1; produces a risk register with top 20 items scored and an executive summary.
  • Day 31–60: vCISO defines governance structure (security steering committee, RACI, policy framework) and delivers three quick wins (e.g. MFA on all admin accounts, EDR baseline deployed, backup integrity test completed).
  • Day 61–90: vCISO prepares and presents first board pack (12 slides) covering risk posture, regulatory gap status, quick-win outcomes, and a 12-month roadmap with AED budget breakdown.
  • Day 90+: vCISO formalises the ISMS document set (policy library, SoA, risk treatment plan) and transitions operating rhythm to monthly steering committee reviews and quarterly board reporting.
  • Ongoing: vCISO attends monthly steering committee, updates risk register quarterly, and maintains regulatory submission calendar (SAMA CSF self-assessment, NCA ECC audit, CBUAE reporting).

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Risk register completion — target: ≥20 risks scored and risk-owner assigned by Day 30.
  • Quick-win control deployment rate — target: ≥5 high-impact controls live by Day 60.
  • Board pack delivery — target: first pack presented by Day 90 with documented board resolution.
  • Governance charter sign-off — target: CEO-signed charter by Day 15.
  • Regulatory gap closure rate — target: ≥30% of critical gaps remediated within 90 days.

A 90-day working plan

MAST Consulting Group runs this Virtual CISO work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, regulators in play, and the decisions the work has to enable — referenced against the 90-day intake. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through the board pack template and the hiring scorecard for the eventual full-time CISO as they exist today. Capture not just gaps but the design decisions behind every existing control — those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and pre-clear them with enterprise customers asking 'who's your CISO?' in due diligence. Document the rationale; Virtual CISO reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into the customer's existing stack and a lightweight reporting dashboard; vCISOs do not introduce new tools without business cases. A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's Virtual CISO portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: no handover artefacts when the engagement ends.
  • Pattern: board reporting that drifts back to operational metrics within two cycles.
  • Pattern: a vCISO who acts as a consultant rather than an accountable executive.

What good looks like in each case: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Virtual CISO engagements because the integrations are cheap and the evidence is defensible:

  • the customer's existing stack (vCISOs do not introduce new tools without business cases)
  • a lightweight reporting dashboard
  • a runbook library

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Virtual CISO programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Virtual CISO programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
