vCISO Platform
AI-powered cybersecurity posture management, compliance tracking, and risk assessment
TotalCareIT vCISO Blueprint
Preliminary Answers
These are TotalCareIT's working answers to the vCISO Blueprint worksheet. Review, refine, and submit via the live form.
Your vCISO Program — Clarity First
1. What problem does our vCISO actually solve for clients?
Guidance: Describe the business problem, not the service.
We help small and mid-size business owners make informed, defensible cybersecurity decisions without needing to hire a full-time security executive. We translate technical risk into business terms so leadership can prioritize spending and reduce exposure.
2. If a CEO asked, "Why do I need you as a vCISO?" what is my one-sentence answer?
Guidance: Understandable to a non-technical CEO, focus on outcomes.
Because someone has to translate your technical vulnerabilities and compliance obligations into business decisions you can stand behind — and that person should understand both your technology stack and your risk tolerance.
3. Are we selling advice, leadership, outcomes, or compliance?
Guidance: Pick what you actually deliver today.
Primarily leadership and decision support. We provide a security roadmap, prioritize risks, and guide implementation — with compliance documentation as a natural byproduct of doing the work right, not the primary deliverable.
4. What do we explicitly NOT do as a vCISO?
Guidance: Boundaries increase credibility.
We do not act as hands-on security engineers, SOC analysts, or tool administrators. We do not perform penetration testing or forensic investigations in-house. We do not write custom security software. We provide strategic direction — our delivery teams and vendor partners handle implementation.
Who Is Our vCISO For (and Not For)?
5. What size, maturity, and leadership profile is our ideal vCISO client?
Guidance: Think revenue size, internal maturity, and leadership mindset.
$5M to $100M organizations with 25-500 employees who have outgrown ad-hoc security but can't justify a full-time CISO. They have an executive team that wants guidance and accountability, not just tickets closed. Industries with regulatory pressure (manufacturing, healthcare, legal, financial services) are ideal.
6. What types of clients should never buy our vCISO services?
Guidance: Disqualifying bad fits protects margin and sanity.
Cost-only buyers who want a compliance checkbox without actually changing their security posture. Organizations that refuse executive participation in security decisions. Companies that expect a vCISO to also be their helpdesk escalation path or daily IT manager.
7. What signals tell us early that a prospect is a bad fit?
Guidance: Identify red flags you've already seen.
They ask for pricing before discussing risk, goals, or leadership involvement. They want a "security audit" but have no plan to act on findings. They've churned through multiple IT providers in 2 years. Their leadership refuses to attend a kickoff meeting.
8. Which verticals do we actually understand well enough to speak executive language?
Guidance: Depth beats breadth.
Manufacturing, construction, professional services (legal/accounting), and healthcare. We understand operational risk, downtime impact, regulatory pressure, and the executive concerns specific to these industries through our existing managed services client base.
Define the Value We Deliver (Close the Value Gap)
9. What decisions does our vCISO help clients make?
Guidance: Decisions, not reports.
Which risks to accept, mitigate, transfer, or ignore — and why. Where to invest their limited security budget for maximum risk reduction. Whether they're ready for a compliance audit. When to upgrade infrastructure vs. add controls. How to respond when an incident occurs.
10. What risks do we help them see clearly that they don't see today?
Guidance: Focus on blind spots.
The gap between having security tools deployed and actually being protected. The difference between passing a compliance check and having a defensible security program. Insider risk from over-permissioned accounts. The business impact of downtime they've never calculated. Supply chain risk from unvetted vendors.
11. What outcomes should exist after 90 days, 6 months, 12 months?
Guidance: Think progression, not perfection.
90 days: Completed risk assessment, shared risk language with leadership, identified top 5 critical gaps, established a security baseline score.
6 months: Funded security roadmap in execution, measurable improvement in security posture score, key policies drafted and approved, incident response plan documented.
12 months: Measurable risk reduction across all categories, compliance readiness for target framework, security culture shift visible in employee behavior, board-ready reporting in place.
12. How do we prove credibility early, before trust is fully earned?
Guidance: First impressions matter.
Clear prioritization of risks in business language during the first meeting. A 30-day quick wins list that shows immediate value. Business-context reporting that executives actually read. Saying 'no' or 'not yet' to low-priority requests instead of billing for everything. Showing we already know their environment from our managed services data.
Core vCISO Skills
13. Who on our team is responsible for executive communication?
Guidance: Names, not roles.
Charles owns executive communication. If it's going to a CEO, board, or business owner, it goes through Charles. TAM team members handle day-to-day client communication but escalate strategic conversations.
14. Who owns risk interpretation vs. technical findings?
Guidance: These are not the same skill.
Engineering and the ROC team provide technical findings (vulnerability scans, patch status, incident data). The vCISO function — Charles and the TAM team — own interpretation: what it means for the business, how to prioritize it, and what to communicate to leadership.
15. Who builds and maintains the security roadmap?
Guidance: Roadmaps must be owned, not crowdsourced.
The vCISO (Charles) owns the roadmap. It is built using data from Datto RMM, Autotask, Microsoft Secure Score, and the vCISO platform assessments. Delivery teams (ROC, Pro Services) align their work to the roadmap priorities. The roadmap is reviewed quarterly with each client.
16. Who is comfortable saying, "Here are your options, and my recommendation"?
Guidance: Leadership requires opinion.
Charles. Our vCISO explicitly recommends a path with rationale, not just presents choices. We lead with "Here's what I'd do and why" rather than deferring all decisions to the client.
17. Where do we have skill gaps today?
Guidance: Be honest.
Board-level presentation experience and executive storytelling for larger clients. Deep compliance expertise in CMMC and HIPAA (currently building). Formal risk quantification methodologies (FAIR framework). Dedicated GRC tooling experience beyond our custom platform.
Speaking the Language of Risk
18. How do we explain cyber risk without controls, acronyms, or fear?
Guidance: Think analogies and impact.
We explain risk in terms of operational disruption, financial exposure, and leadership accountability. Instead of "you need MFA on all accounts," we say "right now, any employee's compromised password gives an attacker full access to your financial systems — here's what that costs if it happens." We use business impact language, not technical severity scores.
19. What is our repeatable structure for exec conversations?
Guidance: Consistency builds trust.
Education — Information — Options. First, we educate on what changed or what we found. Then we share the data in business context. Finally, we present options with our recommendation. Every QBR and executive meeting follows this structure so clients know what to expect.
20. How do we answer: Are we ok? How do we know? What should we do next?
Guidance: These should feel rehearsed.
Are we ok? "Based on your current security posture score of X and the risks we've identified, here's where you stand relative to your industry and your own goals." How do we know? "We measure this through your Microsoft Secure Score, Datto patch compliance, backup success rates, and our quarterly risk assessment." What should we do next? "The next prioritized item on your roadmap is [specific action], and here's why it matters most right now."
21. What language do we need to unlearn?
Guidance: Jargon kills credibility.
Stop leading with control IDs, CVSS scores, and vendor product names. Stop saying "you need to" and start saying "here's what I recommend and why." Drop "best practices" (too vague) in favor of specific, measurable actions. Replace "security incident" with plain language about what actually happened and what it means for the business.
Trust & First 90 Days Plan
22. What MUST happen in the first 30 / 60 / 90 days?
Guidance: Trust is built early.
30 days: Understand business goals, meet leadership, complete environment discovery, deliver a quick-wins report with 3-5 immediate actions.
60 days: Complete formal risk assessment, establish security baseline score, identify top 10 risks in business context, present findings to leadership.
90 days: Deliver funded security roadmap aligned to business priorities, have first QBR with measurable progress, establish recurring cadence with executive sponsor.
23. How do we learn the business, not just the environment?
Guidance: Tech ≠ business.
We interview leaders, not just scan systems. We ask: What keeps you up at night? What would a week of downtime cost you? What are your growth plans? What contracts or regulations apply to you? What happened the last time something went wrong? We map technology risks to business outcomes they care about.
24. What documents, contracts, and obligations must we fully understand?
Guidance: Risk lives in paper too.
Customer contracts with data handling requirements, cyber insurance policies and their exclusions, regulatory obligations specific to their industry (HIPAA, PCI, state privacy laws), vendor agreements with security SLAs, existing IT policies (even informal ones), and any previous audit or assessment reports.
25. How do we set expectations without over-promising?
Guidance: Underpromise, overlead.
Clear scope, clear cadence, clear decision ownership. We define exactly what's included in the engagement, how often we meet, and who owns what decisions. We use the roadmap as the source of truth — if it's not on the roadmap, it's a conversation before it's a commitment. We always say "here's what's realistic in this timeframe" rather than "we'll fix everything."
26. How do we demonstrate leadership, not just competence?
Guidance: Presence matters.
We challenge assumptions respectfully and consistently. We bring problems with recommendations, not just findings. We say "I wouldn't do that, and here's why" when needed. We proactively surface risks before they become incidents. We own the security narrative for the organization rather than waiting to be asked.
Packaging & Pricing Model
27. Are we selling time, access, outcomes, or leadership?
Guidance: Pick the truth.
Leadership and decision support. We don't sell hours — we sell the confidence that comes from having a security leader who understands your business. Clients get strategic guidance, a prioritized roadmap, and executive-level reporting. Time is the delivery mechanism, not the product.
28. Which pricing model fits our maturity today?
Guidance: Not aspirational.
Tiered monthly retainer with defined deliverables at each level. This gives clients predictable costs and us predictable revenue. Each tier has clear outcomes so clients can self-select based on their needs and budget. We avoid hourly billing because it creates the wrong incentives.
29. What deliverables are guaranteed vs. variable?
Guidance: Reduce confusion.
Guaranteed: Security roadmap, quarterly business reviews, security posture scoring and reporting, policy templates, risk assessment, incident response plan.
Variable: Depth of advisory hours, board/executive presentation frequency, compliance framework mapping scope, ad-hoc consultation availability, vendor evaluation support.
30. What does each tier unlock that the lower tier does not?
Guidance: Clear differentiation.
Foundation: Risk assessment, security roadmap, quarterly reporting, basic policy set.
Professional: Everything in Foundation + monthly executive meetings, compliance framework mapping, incident response planning, expanded advisory hours.
Enterprise: Everything in Professional + board participation, proactive decision modeling, multi-framework compliance, dedicated vCISO availability, tabletop exercises.
31. Where do clients currently feel confused or disappointed?
Guidance: Listen to reality.
They don't always understand the difference between managed IT services and vCISO services. They expect security to be "handled" without their involvement. They want to see tangible progress month-to-month but security improvement is often invisible until something doesn't happen. We need better reporting that makes progress visible.
Roadmaps, Deliverables & Accountability
32. What does a "good" roadmap look like for our clients?
Guidance: Simple and prioritized.
12 to 18 months, aligned to business goals, with clear ownership and quarterly milestones. No more than 3-5 priorities per quarter. Each item has a business justification (not just technical reasoning), estimated effort, and measurable success criteria. It fits on one page for executive review.
33. How often is it reviewed and updated?
Guidance: Cadence matters.
Quarterly with executives during the QBR. Monthly internal review to track progress. Ad-hoc updates when a significant event occurs (new threat, business change, incident, or regulatory shift). The roadmap is a living document, not a shelf document.
34. What tasks and milestones prove momentum?
Guidance: Progress over activity.
Decisions made by leadership (not just recommendations delivered). Security budget approved and funded. Measurable score improvements (Microsoft Secure Score, posture score). Policies signed by executives. Incident response plan tested. Compliance gaps closed. These are outcomes, not activities.
35. Who owns execution vs. oversight?
Guidance: Avoid ambiguity.
The client's IT team or our managed services delivery teams (ROC, Pro Services) own execution. The vCISO owns oversight, prioritization, and guidance. When we recommend "enable MFA for all users," the delivery team does the work — the vCISO ensures it was done correctly and measures the impact.
36. How do we handle missed milestones without blame?
Guidance: Leadership response.
Reprioritize based on risk and constraints. We ask: "What changed? What got in the way? Does this item still matter as much?" Then we adjust the roadmap transparently with leadership. Missed milestones are data points for better planning, not failures. We own our part and help the client own theirs.
Stickiness & Long-Term Value
37. How do we report in a way that educates, not overwhelms?
Guidance: Less data, more meaning.
Executive summaries with options and implications. Every report leads with "here's what changed, here's what it means, here's what I recommend." We limit dashboards to 5-7 key metrics that executives actually act on. Technical detail is available in appendices for those who want it, but never leads the conversation. If a report doesn't drive a decision, we don't send it.
38. How do we continuously re-anchor to business goals?
Guidance: Avoid drift.
Every recommendation ties back to a business objective. Every QBR starts with "here are your business goals" before discussing security. We revisit the client's strategic priorities quarterly and adjust the security roadmap accordingly. If a security initiative can't be connected to revenue protection, cost reduction, compliance obligation, or operational resilience, we question whether it belongs on the roadmap.
39. How do we ensure every meeting answers: Are we ok? What changed? What's next?
Guidance: Consistency builds trust.
Those three questions anchor every agenda. We build meeting templates around them. "Are we ok" is answered with posture scores and risk status. "What changed" covers new threats, incidents, environment changes, and completed roadmap items. "What's next" is always the next prioritized roadmap item with clear ownership and timeline. No meeting ends without these three answered.
40. What would make it painful for a client to lose us?
Guidance: Real stickiness.
Loss of clarity, leadership guidance, and decision confidence. We become the institutional memory for their security program — the person who knows why decisions were made, what was tried, and what's next. Replacing us means rebuilding context, relationships, and trust from scratch. Our value compounds over time as we understand their business deeper than any new provider could on day one.
Reality Check (The Hard One)
41. If I were the client, would I buy this?
Guidance: Brutal honesty.
Yes, because it solves a leadership problem, not a technical one. Most SMBs know they have security gaps but don't know how to prioritize, budget, or measure progress. They're buying clarity and confidence from someone who understands both their technology and their business. The alternative is guessing, reacting to incidents, or overpaying for tools they can't fully use.
42. Where are we over-promising today?
Guidance: Risk lives here.
We sometimes promise strategic leadership but deliver tactical reporting. We need to ensure every client interaction is advisory-level, not just status updates. We also risk over-promising speed of transformation — security culture change takes 12-18 months, not 90 days. We need to be more disciplined about setting realistic timelines upfront.
43. What is the first thing we need to fix when we get back home?
Guidance: Actionable insight.
Clarify our vCISO scope and message. Create a one-page service description that every team member can articulate consistently. Define exactly what's included at each tier so there's no ambiguity in sales conversations or client expectations. Build the QBR template that enforces the "Are we ok? What changed? What's next?" structure for every client meeting.
44. What is one decision I will make differently next quarter?
Guidance: Commitment.
We will stop selling vCISO to bad-fit clients. If they don't have executive sponsorship, won't commit to quarterly reviews, or are only looking for a compliance checkbox, we'll refer them elsewhere. Protecting the quality of our vCISO program is more important than adding revenue from clients who won't get value from the engagement.