Blog | Charles IT

The Strategic Outline of a vCISO Program

Written by Foster Charles | May 9, 2022 12:00:00 PM

The Charles IT vCISO program is a multi-stage project that aims to completely revamp and improve the way your business approaches data protection. It’s a great way to keep up with the ever-evolving cybersecurity realm, not to mention the ever-evolving compliance requirements that your business has to follow.

Here are the steps we’ll take within the first year of your enrollment in our vCISO program:

Policy reviews

This stage of the vCISO program entails getting to know your business on a deeper level, particularly with regard to the policies that dictate how your data flows. This is to gain a better understanding of where gaps and bottlenecks may exist.

We will undertake the following activities with your team:

  • Review your current security and data policies
  • Recommend certain upgrades, changes, and improvements
  • Gather sign-offs on the changes to be made
  • Conduct follow-ups for any question that may arise

The policy review will help us set baselines to make your progress tangible. The findings of this stage will be used to check how effective your Charles IT vCISO strategy is. It will also help our team to properly set expectations for you, so we can provide realistic outcomes and nip issues in the bud.

Internal risk planning sessions

This is a necessary step that involves minimizing risks coming from inside the organization. Without internal risk planning, it will be easy for external threats to penetrate your system. 

We will undertake the following activities with your team:

  • Review or create baseline risk management assessments
  • Test and evaluate the internal risk plan
  • Assign tasks to your team as necessary

The key outcome of this stage is to provide your organization with its unique risk valuation. With proper risk valuation, we will know how to best allocate limited resources to protect your data.

KnowBe4 deep dive activities

Once we have a better understanding of your data risk profile, we can start doing deep dive activities to gain thorough insight of your current system’s problems. 

Activities we will undertake together include:

  • Review your current information security campaigns and configurations
  • Review additional tools and features you use with your software
  • Review your training materials and other educational content
  • Highlight issues and provide strategies to improve

The deep dive activity will be your opportunity to raise specific issues you may have encountered in your old system. So make sure you point out even the seemingly minor ones, as they may signal a larger issue that should be fixed.

Joint meetings

At this stage, we will shift our focus to the specific security outcomes for your business. This includes creating solutions for threats and scenarios that you may not have yet prepared for such as ransomware attacks.

Some activities we will undertake together are:

  • Discuss items being planned and make the security plan for each component more concrete
  • Discuss projects in the pipeline and discuss how the security plan will be applied to each one

Tabletop exercises

By month five of your vCISO program, we will conduct some tabletop discussions about the roles and responsibilities of your team members with regard to data protection. While these tabletop exercises will be conducted in an informal, classroom-type manner, we will still discuss it formally enough to provide each team member with an in-depth understanding of their roles. This will help ensure that all of the cogs of the deployment are working together smoothly, so as to give your data protection plan the best shot at success.

Gap assessments

Even the most well-funded projects inevitably turn up with performance or efficiency gaps, which are what a gap assessment aims to address. A gap assessment will minimize the risk of any problems going unnoticed, which can turn into bigger problems if left unresolved.

Some activities we will undertake together are:

  • Design an information security plan
  • Discuss our plan of attack and schedule deployments
  • Report on current findings and provide updates on the project progress

Internal risk planning sessions

At month seven or eight of your vCISO program, we will conduct internal risk planning together to measure any data integrity and security risk your organization still carries internally. This internal assessment also aims to evaluate the effectiveness of the new security plan we have deployed. During this stage, we will perform a second internal risk assessment to check the effectiveness of the program. 

Security budget meeting

Security solutions can get quite costly, so we’ll make sure to provide you insight on your security’s value vs. cost. The security budget meeting aims to ensure that all expectations are realistic and set accurately. 

Activities we will undertake together include:

  • Review security roadmap items
  • Discuss potential projects to address any issues found by the second gap assessment and audit

Tabletop exercises

Toward the 9th or 10th month of your vCISO program, we will conduct another round of tabletop exercises geared toward any changes or updates to the roles and responsibilities of your staff. Data security success depends on your team’s ability to adapt and adjust as necessary. 

Note that a static security plan is one that is headed for failure. Thus, we will ensure that your team understands the importance of periodic assessments and adjustments. We will also conduct a tabletop discussion to discuss each team member’s roles and responsibilities in the program and as a response to specific events and scenarios.

Vendor risk assessments

By this point, we would have spent nearly a year concentrating on minimizing or eliminating internal risk. The 10th and 11th months are the time to assess your vendor risk profile in which we ensure that everything we have worked on internally will not be derailed by vendor issues.

Some activities we will undertake together are:

  • Meet and discuss vendors from your previous information security plan
  • Discuss any potential new software and vendors you might need
  • Conduct risk assessments of your current vendor setup

Vendor risk reviews

Once we complete our vendor risk assessment, we will inform you of our findings and we will jointly conduct a vendor risk review. This is to address any potential data loss risks with regard to your vendors.

Some activities we will undertake together are:

  • Conduct a review of your vendor risk profile
  • Address any vendor concerns that may arise


With Charles IT’s vCISO program, you can be sure that we will leave no stone unturned in our pursuit of data security. Contact us today to learn more about our vCISO program!