Plaidnox InfoSec
PLX-2025-010 | Confidential
vCISO Advisory | Q1 2025 Review | Strategic Report

vCISO Quarterly Review
[REDACTED]

Q1 2025 security programme review covering risk posture, roadmap progress, board-level metrics, and strategic priorities for the next quarter. Engagement ref. ENG-2025-0210.

Report ID: PLX-2025-010
Review Period: Jan - Mar 2025
Overall Maturity: Level 3 / 5
vCISO: Plaidnox InfoSec

01. Executive Summary

Q1 2025 Security Programme Review

During Q1 2025, the Plaidnox vCISO engagement focused on three strategic priorities: completing the ISO 27001 gap assessment, closing the 14 critical findings from the Q4 2024 penetration test, and establishing a formal vulnerability management programme. Of the 14 critical and high findings, 11 have been fully remediated; 3 remain in active remediation with agreed completion dates.

The overall security maturity score increased from 2.6 to 3.1 (CMMI scale, 1-5) over the quarter. The board risk dashboard has been updated to reflect current threat exposure. This quarter's key risk remains the underfunded SIEM rollout, which is on track for Q2 completion.


02. Risk Posture

Current risk register summary

High Risks: 3
Medium Risks: 8
Remediations Closed: 11
Maturity Score: 3.1

| Risk Area | Q4 2024 | Q1 2025 | Change | Status |
|---|---|---|---|---|
| Identity & Access Management | High | Medium | Improved | MFA rollout 94% complete |
| Vulnerability Management | High | High | Unchanged | Programme in build phase |
| SIEM / Detection Coverage | Critical | High | Improved | SIEM pilot live in 2 regions |
| Third-Party Risk | Medium | Medium | Unchanged | Vendor questionnaire process active |
| Data Loss Prevention | Medium | Low | Improved | DLP policies deployed on M365 |

03. Roadmap Progress

Q1 deliverables and Q2 priorities

| Initiative | Q1 Status | Q2 Target | Owner |
|---|---|---|---|
| ISO 27001 Gap Assessment | Complete | Begin remediation plan | Plaidnox / IT |
| Pentest Finding Remediation | In Progress (11/14) | Close remaining 3 | Engineering |
| SIEM Full Deployment | Pilot (2 regions) | All-region rollout | SecOps / Plaidnox |
| Vulnerability Management Programme | Programme Design | First scan cycle complete | Plaidnox / IT |
| Security Awareness Training | Complete (96% completion) | Phishing simulation Q2 | HR / Plaidnox |
| Board-Level Risk Dashboard | Complete | Quarterly refresh | Plaidnox |

04. Key Metrics

Board-level security metrics

| Metric | Target | Q1 Actual | Status |
|---|---|---|---|
| MFA Adoption (Privileged Accounts) | 100% | 94% | Near Target |
| Mean Time to Detect (MTTD) | < 4 hrs | 6.2 hrs | Below Target |
| Mean Time to Respond (MTTR) | < 24 hrs | 18.4 hrs | On Target |
| Critical Vulnerability MTTR | < 7 days | 5.1 days | On Target |
| Security Training Completion | 95% | 96% | On Target |
| Patch Compliance (Critical) | 100% in 72h | 89% | Below Target |

Q2 Priority Actions: MTTD improvement requires completing SIEM full deployment. Patch compliance gap requires automated patching for critical CVEs; proposal circulated to board for approval.

Conclusion
Maturity trajectory positive; SIEM rollout remains the primary Q2 risk
The security programme made measurable progress in Q1 with maturity improving from 2.6 to 3.1. The primary risk for Q2 is the incomplete SIEM deployment, which limits detection coverage and is the root cause of the MTTD gap. The Q2 programme is focused on closing this gap, completing vulnerability management, and commencing ISO 27001 remediation.
Confidential | Authorised Distribution Only