The situation: “We didn’t lose a person—we lost the system”
A Canadian mid-market B2B company was running an ISMS to support enterprise deals and ongoing compliance needs. They were not perfect, but they were moving in the right direction.
What was already in motion
- policies existed and were mostly current
- evidence was being collected
- internal audits were planned
- vendor reviews were underway
- management review was on the calendar
Then the security lead resigned with short notice. Within two weeks, the symptoms started showing up everywhere.
Immediate symptoms
- access reviews were missed
- vendor questionnaires piled up
- sales evidence requests slowed down
Hidden control drift
- the risk register stopped updating
- owners no longer knew what to do next
- “we’ll handle it later” became the default
What the vCISO saw
This wasn’t primarily a security failure. It was an operating model failure. The ISMS lived in one person’s head.
What was at risk (and why leadership panicked)
The vCISO framed the risk in business terms, not security terms. That mattered because leadership did not need a lecture on controls—they needed to understand what would break next.
| Risk area | What could go wrong | Why leadership cared |
|---|---|---|
| Audit readiness | missed management review inputs, overdue corrective actions, evidence continuity gaps | Type II timing and certification confidence could start slipping fast |
| Sales velocity | evidence took too long to assemble and questionnaires became inconsistent | buyers lose confidence at the worst possible stage of the deal cycle |
| Operational exposure | privileged access review, vendor monitoring, incident drills, and patch exceptions quietly stopped | these are the controls that reduce the chance of a real incident |
The leadership takeaway:
if the ISMS was not stabilized quickly, the company risked both compliance drag and real operational weakness at the same time.
The vCISO approach: stabilize first, improve second
The vCISO did not start by rewriting policies or launching a broad initiative. They ran a 72-hour stabilization plan, followed by a 30-day rebuild.
Phase 1: First 72 Hours — Stop the ISMS from bleeding out
Step 1: Identify the must-not-fail controls for the next 30 days
Instead of trying to maintain everything, the vCISO selected the controls that would create immediate audit and risk exposure if they were missed.
Priority controls
- privileged access governance
- incident response readiness
- critical vulnerability and patch exceptions
- critical vendor list and top-vendor monitoring
- evidence continuity for recurring controls
Outcome: leadership understood the priority list and agreed to focus the next month around it.
Step 2: Freeze scope changes and stop documentation drift
One hidden risk during turnover is uncontrolled change. People start making edits, storing evidence in random places, and introducing new tools because no one is holding the line.
The short stability rule
- no major ISMS changes for 2–4 weeks without approval
- all evidence goes into one controlled location
- all exceptions require a formal record
Outcome: chaos stopped spreading.
When a security owner leaves, don’t try to “keep everything alive” at once. Lock the scope, protect the critical controls, and restore ownership first.
Step 3: Create an ISMS continuity map
A vCISO knows the ISMS fails when ownership is unclear. Interim ownership was assigned using a simple RACI-style model so everyone knew what they owned for the next month.
| Interim owner | Primary ownership | Why it worked |
|---|---|---|
| IT Manager | access control operations and account lifecycle | kept day-to-day identity work moving |
| Ops Lead | change control and service continuity | stopped operational processes from drifting |
| Procurement / Finance | vendor renewals and contract touchpoints | kept supplier dependencies visible |
| vCISO | governance, evidence structure, reporting, audit readiness | kept the ISMS governable instead of personal |
| CEO / COO | final risk acceptance approvals | ensured leadership owned material tradeoffs |
Outcome: everyone knew what they were accountable for during the transition.
Phase 2: Days 4–30 — Rebuild the ISMS so it’s not person-dependent
Step 4: Convert tribal knowledge into runbooks and cadence
Instead of writing long procedures, the vCISO created lightweight runbooks for recurring controls. The goal was not elegance. The goal was repeatability.
Runbooks created first
- monthly log review
- quarterly access review
- vendor review checklist
- risk acceptance workflow
Each runbook included the owner, frequency, evidence produced, storage location, and escalation path if overdue.
Outcome: the ISMS became operational, not personal.
Step 5: Build the Evidence Continuity Pack
The hardest part of turnover is proving that controls operated consistently over time. The vCISO solved that by creating a 90-day evidence continuity structure.
Structure
- monthly evidence folders
- standard naming convention
- due / missing tracker
Auditor View
- management review minutes
- internal audit status
- corrective actions
Fast-access evidence
- access review proof
- vendor review proof
- recurring control evidence
Outcome: the team could answer evidence requests in minutes again.
Step 6: Fix the three silent failures that show up after turnover
In almost every “security lead left” scenario, a few control areas fail first because they rely on recurring follow-through rather than one-time documents.
Three silent failures the vCISO fixed first
A) Privileged access sprawl
Removed stale admin roles, validated break-glass accounts, and confirmed MFA enforcement for privileged roles.
B) Vendor risk going stale
Reduced scope to critical vendors only, refreshed the top vendor list, and flagged renewals and missing assurance evidence.
C) Corrective actions stopping closure
Rebuilt the corrective action register so every item had an owner, due date, proof requirement, and effectiveness check.
Outcome: controls that usually drift quietly were pulled back under governance.
Phase 3: Days 30–60 — Make it resilient and board-readable
Step 7: Implement a quarterly management review that can’t be skipped
The vCISO created a management review structure that did not depend on one person remembering how to assemble it.
What changed
- fixed agenda aligned to ISO and SOC expectations
- standard input pack covering risks, incidents, vendor status, audit actions, and KPIs
- action tracker with owners and due dates
- recurring calendar invites and reminders
Outcome: leadership oversight became routine instead of heroic effort.
Step 8: Create the handover-proof ISMS dashboard
This was the lasting change: a simple dashboard that told the organization what needed attention next without relying on tribal knowledge.
The dashboard showed:
- evidence due this month
- overdue actions
- expiring risk acceptances
- critical vendor review status
- top residual risks
Outcome: anyone could see what needed to happen next without relying on one former employee’s memory.
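The runbook fields from Step 4 (owner, frequency, evidence produced, storage location, escalation path), the due / missing tracker from Step 5, and the dashboard above all rest on the same small piece of logic: take each recurring control's last evidence date and cadence, compute its next due date, and surface what is overdue, due this month, or about to expire. The script below is an added example to show that logic working end to end; it is not tooling from the case study or from Canadian Cyber. The control names, owners, dates, the `evidence/<YYYY-MM>/...` folder convention and the 30-day expiry window are constructed assumptions.

```python
"""Hypothetical ISMS continuity tracker (added example, not the case study's tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class RecurringControl:
    name: str
    owner: str                      # interim owner from the continuity map
    frequency_days: int             # cadence the runbook commits to
    last_evidence: Optional[date]   # None = no evidence on file yet
    escalation: str                 # who is told when the control goes overdue


@dataclass
class RiskAcceptance:
    risk_id: str
    owner: str
    expires: date


def slug(name: str) -> str:
    return name.lower().replace(" ", "-")


def evidence_path(control: RecurringControl, due: date) -> str:
    # Assumed naming convention: evidence/<YYYY-MM>/<control-slug>_<YYYY-MM-DD>.pdf
    return f"evidence/{due:%Y-%m}/{slug(control.name)}_{due:%Y-%m-%d}.pdf"


def next_due(control: RecurringControl, as_of: date) -> date:
    # A control with no evidence at all is due immediately.
    if control.last_evidence is None:
        return as_of
    return control.last_evidence + timedelta(days=control.frequency_days)


def status_of(control: RecurringControl, as_of: date) -> str:
    # "missing" evidence is treated as overdue: the continuity pack has a gap.
    if control.last_evidence is None:
        return "overdue"
    due = next_due(control, as_of)
    if due < as_of:
        return "overdue"
    if (due.year, due.month) == (as_of.year, as_of.month):
        return "due_this_month"
    return "on_track"


def expiring_acceptances(acceptances, as_of: date, window_days: int = 30):
    # Returns (risk_id, owner, days_left); negative days_left means already expired.
    rows = []
    for ra in acceptances:
        days_left = (ra.expires - as_of).days
        if days_left <= window_days:
            rows.append((ra.risk_id, ra.owner, days_left))
    return sorted(rows, key=lambda r: r[2])


def build_dashboard(controls, acceptances, as_of: date) -> dict:
    board = {"overdue": [], "due_this_month": [], "on_track": []}
    for c in controls:
        due = next_due(c, as_of)
        board[status_of(c, as_of)].append({
            "control": c.name, "owner": c.owner, "due": due.isoformat(),
            "evidence": evidence_path(c, due), "escalate_to": c.escalation,
        })
    board["expiring_risk_acceptances"] = expiring_acceptances(acceptances, as_of)
    return board


def render(board: dict) -> str:
    lines = []
    for section in ("overdue", "due_this_month", "on_track"):
        lines.append(f"== {section} ==")
        for row in board[section]:
            lines.append(f"  {row['control']:<28} {row['owner']:<22} due {row['due']}  -> {row['evidence']}")
    lines.append("== expiring_risk_acceptances ==")
    for risk_id, owner, days_left in board["expiring_risk_acceptances"]:
        lines.append(f"  {risk_id} ({owner}) {days_left:+d} days")
    return "\n".join(lines)


# Constructed sample data: a snapshot taken mid-transition.
AS_OF = date(2025, 3, 15)
CONTROLS = [
    RecurringControl("Monthly log review", "IT Manager", 30, date(2025, 2, 1), "vCISO"),
    RecurringControl("Quarterly access review", "IT Manager", 90, date(2024, 12, 20), "vCISO"),
    RecurringControl("Vendor review checklist", "Procurement / Finance", 90, date(2025, 2, 10), "vCISO"),
    RecurringControl("Risk acceptance workflow", "vCISO", 30, None, "CEO / COO"),
]
ACCEPTANCES = [
    RiskAcceptance("RA-001", "Ops Lead", date(2025, 3, 25)),
    RiskAcceptance("RA-002", "IT Manager", date(2025, 6, 30)),
    RiskAcceptance("RA-003", "Ops Lead", date(2025, 3, 1)),
]

if __name__ == "__main__":
    print(render(build_dashboard(CONTROLS, ACCEPTANCES, AS_OF)))
```

Running it prints the four dashboard sections; a control with no evidence on file lands in "overdue" rather than silently disappearing, and an acceptance that already lapsed shows a negative day count so it cannot be mistaken for one that is merely approaching expiry. Feeding the tracker from a spreadsheet export instead of the inline list is the only change needed to use it for real.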
Results: What changed after 60 days
After two months, the company was not just “back to where it was.” It was stronger because the ISMS now ran on structure rather than one person’s effort.
Results after 60 days
- evidence continuity was restored with no major gaps in recurring controls
- audit readiness stabilized across management review, internal audit cadence, and corrective actions
- questionnaire responses became faster and more consistent
- privileged access sprawl was reduced and admin access cleaned up
- a documented operating model existed that could survive staffing changes
Most important shift:
leadership stopped fearing that one resignation could break compliance.
Lessons you can copy—even if you’re not in crisis yet
1) Your ISMS must run on cadence, not personalities
If controls are not scheduled and owned, they disappear during turnover.
2) Evidence must be structured like a system
Evidence spread across inboxes is not evidence. It is luck.
3) Reduce scope during crisis, then rebuild properly
Trying to maintain everything is how you maintain nothing.
4) The board pack is the stabilizer
If leadership can see risk posture and actions clearly, they can support fixes faster.
If your ISMS still depends too heavily on one person, the time to fix that is before the next resignation, not after it.
Final takeaway
The lesson from this case study is not just that a vCISO can “fill a gap.” The real lesson is that a strong vCISO operating model can prevent a staffing change from turning into a control failure.
When the security lead left, the company did not need a heroic replacement overnight. It needed stabilization, ownership, evidence continuity, and simple workflows that could run without tribal knowledge. That is what restored readiness and reduced leadership panic.
A resilient ISMS should survive turnover because it runs on ownership, cadence, and evidence, not one person’s memory.