CTF Challenge #4: 90 Days to Secure Your Business — What Would a CISO Do First?
Difficulty: Intermediate | Reading time: 10 minutes | Product tie-in: CISO-in-a-Box: 90-Day Security Roadmap ($197)
TL;DR
- A new CISO joins a 40-person company with no security program — what do they do in the first 90 days?
- This challenge tests your ability to prioritise correctly under real business constraints
- Most businesses spend money on the wrong security controls first — this challenge shows you what the right order is
- The lil.business CISO-in-a-Box gives you the complete 90-day roadmap without hiring a full-time CISO
The Scenario: Day 1 at SolarPath Energy
SolarPath Energy installs commercial solar systems for Australian businesses. 42 staff. $8M annual revenue. They have just been awarded a contract with a state government agency which requires them to demonstrate a documented security program within 90 days.
Their current security state:
- No documented security policies
- No security awareness training ever conducted
- All staff use password-only authentication (no MFA)
- Critical project data lives on a shared OneDrive with link-sharing enabled externally
- No formal vendor vetting process
- IT is managed by one internal "IT person" with no security background
- Some systems run legacy software that hasn't been updated in 18 months
- Antivirus on most machines (not all)
- No security incident history on record (but no incident log either)
You are the fractional CISO they have hired for 2 days per week.
You have 90 days and approximately $15,000 to spend.
Phase 1 (Days 1–30): The Questions
Question 1: Where Do You Start?
You have one week to do your initial assessment. You must triage by risk, not by what looks impressive.
Which activity do you prioritise in Week 1?
A) Deploy a SIEM (Security Information and Event Management) platform — you can't detect threats without visibility
B) Run a phishing simulation to measure staff susceptibility
C) Complete a rapid risk assessment: map all systems, data, and third-party access — understand what you have before you protect it
D) Change all staff passwords immediately — weak passwords are the #1 attack vector
Question 2: The Shared OneDrive Problem
During your first week you find that the company's commercial tender documents, client contracts, and government submission files are stored in a shared OneDrive folder. The folder has "Anyone with link" sharing enabled. Three former staff members still have active Microsoft 365 accounts.
What is the highest-priority action?
A) Disable link sharing immediately and revoke ex-staff accounts — this is an active data exposure risk
B) Document the finding for later — first assess whether anything has actually been leaked
C) Change the sharing setting to "people in the organisation only" and leave ex-staff accounts for now
D) Migrate everything to a different platform before making changes — OneDrive isn't secure enough for government contract data
Question 3: The $15,000 Budget Allocation
After Week 1, you have a clear picture. You now need to allocate your 90-day budget. You have $15,000 to work with.
Which allocation is closest to best practice for a 42-person company in this state?
A) $12,000 on a next-gen endpoint detection platform, $3,000 on training
B) $2,000 on MFA rollout, $3,000 on security awareness training, $4,000 on penetration testing, $3,000 on documented policies, $3,000 contingency
C) All $15,000 on a full penetration test — you need to know every vulnerability before spending on anything else
D) $10,000 on cyber insurance, $5,000 on a firewall upgrade
Phase 2 (Days 31–60): The Questions
Question 4: The Security Awareness Training Decision
You run a simulated phishing test in Week 3. Results: 38% of staff clicked the test phishing link. Six staff entered their credentials on the fake login page.
What is the correct response to these results?
A) Name the six staff who entered credentials to management — they represent the highest risk
B) Share the overall results with management, provide mandatory awareness training to all staff (not just the six), and run a follow-up test in 60 days
C) The results are embarrassing — only share with the IT person and handle internally
D) Immediately revoke remote access for the six staff until they complete training
Question 5: The Legacy Software Problem
You discover that SolarPath's project management software — which holds all active project data — runs on a version released in 2022 and hasn't been updated since. The vendor no longer supports this version. An upgrade costs $8,000 but wasn't in your budget.
What do you recommend?
A) Accept the risk — the software isn't internet-facing so it's low priority
B) Isolate the legacy system on a separate network segment to contain the blast radius, document the risk formally, and escalate to management for budget approval — operating unsupported software is a material risk that must be owned at the management level
C) Ask the vendor to extend support informally — this costs nothing and buys time
D) Rebuild the data in a different platform over the next month — no need to touch the legacy system
Phase 3 (Days 61–90): The Questions
Question 6: The Vendor Risk Question
SolarPath uses seven software-as-a-service vendors: M365, Xero, a project management platform, a CRM, a payroll tool, an estimating tool, and a safety compliance app. None have been security-assessed.
What vendor risk process do you implement?
A) Cancel any vendor not holding ISO 27001 certification — all others are too risky
B) Build a simple vendor risk register: for each vendor, document what data they hold, their security certifications (ISO 27001, SOC 2), data residency, and breach notification obligations — then tier by data sensitivity
C) Require all vendors to complete a 50-question security questionnaire — any that refuse are dropped
D) Vendor risk is out of scope for a 90-day program — document it as a Phase 2 item
Question 7: The 90-Day Deliverable
At Day 90, the government agency asks for your documented security program. Which document set demonstrates a legitimate security program?
A) A penetration test report
B) Risk assessment, security policy framework, MFA rollout completion evidence, awareness training records, incident response plan, and vendor risk register
C) An ISO 27001 certification (most credible option)
D) Cyber insurance certificate
The Answers
Answer 1: C — Risk assessment first. You cannot protect what you haven't mapped. Every other action before a risk assessment is guesswork. A CISO's first week is always about understanding the environment, not deploying tools.
Answer 2: A — Disable sharing and revoke ex-staff accounts immediately. This is an active data breach risk. "Anyone with link" sharing on government tender documents is a critical exposure. Former staff account access is an immediate action — not a documentation task.
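As an added illustration (not part of the original challenge), the Python below triages a constructed export of OneDrive sharing links and Microsoft 365 accounts against an HR leaver list and produces the prioritised action list Answer 2 calls for. The file paths, addresses and the list of sensitive folders are constructed assumptions; a real export would come from the SharePoint admin centre or Microsoft Graph.

```python
# Constructed sharing-link export: one row per share. "Anonymous" is the
# "Anyone with link" scope from the scenario; "Organization" is the safer default.
SHARING_LINKS = [
    {"path": "/Shared/Tenders/StateGov-2025.docx", "scope": "Anonymous",    "owner": "ops@solarpath.example"},
    {"path": "/Shared/Contracts/ClientA.pdf",      "scope": "Organization", "owner": "ops@solarpath.example"},
    {"path": "/Shared/Marketing/Brochure.pdf",     "scope": "Anonymous",    "owner": "sales@solarpath.example"},
]
# Constructed M365 account list (hypothetical addresses) and HR leaver list.
ACCOUNTS = [
    {"upn": "ops@solarpath.example",      "enabled": True},
    {"upn": "j.former@solarpath.example", "enabled": True},   # left, still enabled
    {"upn": "k.left@solarpath.example",   "enabled": False},  # left, already disabled
]
LEAVERS = {"j.former@solarpath.example", "k.left@solarpath.example"}
# Folders the scenario treats as sensitive: tenders, contracts, government submissions.
SENSITIVE_PREFIXES = ("/Shared/Tenders/", "/Shared/Contracts/", "/Shared/Submissions/")

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def triage(links, accounts, leavers):
    """Return (severity, action) findings, most urgent first.

    Anonymous links on sensitive folders and enabled accounts belonging to
    leavers are the immediate actions; anonymous links elsewhere still get
    fixed, just after the critical items.
    """
    findings = []
    for link in links:
        if link["scope"] == "Anonymous":
            sensitive = link["path"].startswith(SENSITIVE_PREFIXES)
            severity = "CRITICAL" if sensitive else "MEDIUM"
            findings.append((severity, f"remove anonymous link on {link['path']} "
                                       f"(owner {link['owner']}); reshare as Organization"))
    for acct in accounts:
        if acct["upn"] in leavers and acct["enabled"]:
            findings.append(("CRITICAL", f"disable account and revoke sessions: {acct['upn']}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, action in triage(SHARING_LINKS, ACCOUNTS, LEAVERS):
        print(f"{severity:8} {action}")
```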
Answer 3: B — Balanced allocation across MFA, training, testing, and policies. Heavy spend on endpoint tools is the most common SMB security mistake. MFA and awareness training are statistically the highest-ROI controls. A penetration test without baseline controls is expensive noise. Insurance is not a substitute for controls.
Answer 4: B — Training for all staff, share results with management, retest in 60 days. Naming individuals is counterproductive and creates a blame culture that makes future incidents less likely to be reported. The correct response is systemic improvement, not individual punishment.
Answer 5: B — Isolate, document, and escalate as a formal risk. A CISO does not own budget decisions — they own risk identification and escalation. Unsupported software must be formally documented as an accepted risk at the management level or remediated. Informal vendor support agreements are not a control.
Answer 6: B — Build a tiered vendor risk register. ISO 27001-only policies exclude most SMB-appropriate vendors. A 50-question questionnaire will get no responses. A practical risk register covers what matters: what data they hold, what certifications they carry, and what your contractual protections are.
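An added example, not part of the original post: a minimal tiered vendor risk register for the seven vendors named in Question 6, built the way Answer 6 describes (what data each holds, certifications, residency, breach-notification obligation, then tiered by data sensitivity). Every data category, certification, residency and contract clause attached to a vendor here is a constructed placeholder, not a statement about any real product, and treating hosting outside Australia as a gap is an assumption for this government-supplier scenario.

```python
# Sensitivity weights for the kinds of data SolarPath handles (constructed scale).
DATA_SENSITIVITY = {
    "government_tender": 3, "personal": 3, "financial": 3,
    "project": 2, "customer_contact": 2,
    "safety_records": 1, "estimates": 1,
}

# Constructed register rows for the seven SaaS vendors in the scenario.
VENDORS = [
    {"name": "M365",       "data": ["government_tender", "project", "personal"], "certs": ["ISO 27001", "SOC 2"], "residency": "AU", "breach_clause": True},
    {"name": "Xero",       "data": ["financial"],                 "certs": ["ISO 27001"], "residency": "AU", "breach_clause": True},
    {"name": "ProjectTool","data": ["project"],                   "certs": [],            "residency": "US", "breach_clause": False},
    {"name": "CRM",        "data": ["customer_contact"],          "certs": ["SOC 2"],     "residency": "US", "breach_clause": True},
    {"name": "Payroll",    "data": ["personal", "financial"],     "certs": [],            "residency": "AU", "breach_clause": False},
    {"name": "Estimating", "data": ["estimates"],                 "certs": [],            "residency": "AU", "breach_clause": False},
    {"name": "SafetyApp",  "data": ["safety_records", "personal"],"certs": [],            "residency": "EU", "breach_clause": True},
]


def tier(vendor):
    """Tier 1 holds the most sensitive data; tier sets review depth and cadence."""
    top = max(DATA_SENSITIVITY[d] for d in vendor["data"])
    return {3: 1, 2: 2, 1: 3}[top]


def gaps(vendor):
    """Assurance and contractual gaps a CISO would chase for this vendor."""
    out = []
    if not vendor["certs"]:
        out.append("no independent assurance (ISO 27001 / SOC 2)")
    if not vendor["breach_clause"]:
        out.append("no breach-notification obligation in contract")
    if vendor["residency"] != "AU":  # assumption: AU residency expected for this scenario
        out.append(f"data hosted outside AU ({vendor['residency']})")
    return out


def build_register(vendors):
    """Rows ordered for action: tier 1 first, and within a tier the most gaps first."""
    rows = [{"name": v["name"], "tier": tier(v), "gaps": gaps(v)} for v in vendors]
    return sorted(rows, key=lambda r: (r["tier"], -len(r["gaps"])))


if __name__ == "__main__":
    for row in build_register(VENDORS):
        print(f"Tier {row['tier']}  {row['name']:12} {'; '.join(row['gaps']) or 'no gaps'}")
```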
Answer 7: B — The complete document set. A pentest report alone proves you found vulnerabilities, not that you manage security. ISO 27001 certification in 90 days is not realistic for an SMB. Insurance is a risk transfer tool, not a security program. The full document set proves capability.
What the CISO-in-a-Box Gives You
The 90-day roadmap above is exactly what the lil.business CISO-in-a-Box delivers: a structured week-by-week action plan with templates for every deliverable — risk assessment, policy framework, vendor risk register, security awareness training materials, incident response plan, and 90-day board report.
Designed for SMBs that need a CISO-level output without paying $200K+ for a full-time hire.
$197 — Get the CISO-in-a-Box 90-Day Roadmap
FAQ
If you supply to government, hold personal data, or work with enterprise clients, yes. Government supplier requirements increasingly mandate a documented security program, not just antivirus. Enterprise procurement questionnaires now routinely include security policy questions. A structured program is a commercial asset.
A fractional CISO is a senior security professional engaged part-time (typically one or two days per week). For businesses that need strategic security direction but cannot justify a full-time hire, it is highly cost-effective. The CISO-in-a-Box provides the roadmap so a fractional CISO (or an internal champion) can execute efficiently.
Multi-factor authentication (MFA) across all staff accounts and security awareness training are consistently the highest-ROI controls for SMBs. Both address the human vector — which is responsible for over 80% of successful breaches through phishing, credential theft, and social engineering [1].
Industry benchmarks suggest 5–8% of IT budget for cybersecurity in regulated industries, and 3–5% for standard SMBs. For a 40-person business spending $50K annually on IT, that is $1,500–$4,000 per year on security — covering training, tools, and assessments.
References
[1] Verizon, "2025 Data Breach Investigations Report," Verizon, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[2] Australian Signals Directorate, "Small Business Cyber Security Guide," ASD, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security-guide
[3] NIST, "Cybersecurity Framework 2.0," NIST, 2024. [Online]. Available: https://www.nist.gov/cyberframework
[4] Gartner, "SMB IT Security Spending Benchmarks 2025," Gartner, 2025. [Online]. Available: https://www.gartner.com/en/information-technology/smb-security
[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
Need the complete 90-day roadmap? The lil.business CISO-in-a-Box gives you every template and action plan — $197, instant download.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →