Security Quick Wins: What Gets Fixed in the First Two Weeks
When we engage with a new client as a Fractional CISO, we don't simply build a roadmap or deploy new tools. We start by evaluating and understanding the business and the computing environment that supports it, with or without a formal security assessment (almost always recommended but not always required). During that informal evaluation or formal security and risk assessment, we inevitably identify some number of high impact issues that require little time and little to zero cost to fix.
Quick wins tend to be long-standing issues that nobody addressed because nobody was looking, and the remedy is often straightforward: flip a switch, change a setting, or remove something that shouldn't be there. They immediately improve security posture and reduce risk, and sponsors of new or renewed security programs can use them to win hearts and minds, improve security awareness and build program momentum with management, engineering, IT and operational departments.
Here are some quick wins that we consistently find in the first two to four weeks.
File Sharing Is Always Out of Control
Every company without a functioning security program has this issue. Employees, contractors, suppliers, partners and customers share documents via Google Drive or Microsoft 365, Box or Dropbox. Business happens, time passes, documents, spreadsheets and other files are forgotten and nobody tracks what's been shared or with whom.
When we integrate a SaaS security posture tool and look at file sharing, here's what we find:
- Sensitive documents accessible to "anyone with the link"
- Contracts with customers publicly accessible
- Internal financial documents shared externally and never unshared
- Employee personal information in documents shared across the company
- API keys and credentials in documents that got shared for debugging
The fix is often straightforward: lock down sharing defaults, audit what's currently shared, and remove access that shouldn't exist. It's not glamorous work. But a single sensitive document exposed publicly carries real risk, and companies accumulate dozens of these over time.
We end up helping companies tackle this issue because it's never been tracked, and once you track it, the cleanup is usually a few hours of work spread over a week. Once the initial knot is untied, ensure IT has a periodic task and quarterly KPI tied to this critical IT hygiene issue. As you mature your security program your team might begin classifying data and files based on their sensitivity and rolling out tools that monitor and prevent data leaks. In the beginning don't let perfect be the enemy of solid risk reduction. Take the quick win.
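The audit step described above, as an added example that is not the post's own tooling: it triages a constructed file-sharing export (the column layout, the corporate domain, the "sensitive folder" prefixes and the company-wide group are all assumptions) and tags each exposure by the categories listed earlier: public links, external sharing, company-wide sharing of sensitive files, and shares that were never revisited.

```python
import csv
import io
from datetime import date, datetime

CORP_DOMAIN = "example.com"  # assumption: the company's own mail domain
PUBLIC_SCOPES = {"anyone_with_link", "public"}
BROAD_GROUPS = {"all-staff@example.com"}  # assumption: company-wide distribution groups
SENSITIVE_PREFIXES = ("Finance/", "HR/", "Sales/")  # assumption: folder-based sensitivity hint
STALE_DAYS = 365  # shared more than a year ago and never revisited

# Constructed sample export (not real data): one row per file/permission pair.
SHARE_EXPORT = """path,owner,shared_with,role,last_modified
Finance/Q3-forecast.xlsx,cfo@example.com,anyone_with_link,viewer,2023-02-11
Sales/ACME-MSA.pdf,sales@example.com,public,viewer,2022-09-30
Eng/debug-notes.txt,dev@example.com,friend@gmail.com,editor,2024-05-01
HR/salary-bands.xlsx,hr@example.com,all-staff@example.com,viewer,2024-01-15
Eng/design.md,dev@example.com,teammate@example.com,editor,2025-03-02
"""


def classify(row, today):
    """Return finding tags for one share row; an empty list means it looks fine."""
    tags = []
    scope = row["shared_with"].strip().lower()
    if scope in PUBLIC_SCOPES:
        tags.append("PUBLIC_LINK")
    elif scope in BROAD_GROUPS:
        tags.append("COMPANY_WIDE")
    elif "@" in scope and not scope.endswith("@" + CORP_DOMAIN):
        tags.append("EXTERNAL_" + row["role"].strip().upper())
    if not tags:
        return tags  # shared only with individual colleagues: no finding
    if row["path"].startswith(SENSITIVE_PREFIXES):
        tags.append("SENSITIVE")
    modified = datetime.strptime(row["last_modified"], "%Y-%m-%d").date()
    if (today - modified).days > STALE_DAYS:
        tags.append("STALE")  # the "shared and never unshared" case
    return tags


def audit(export_csv, as_of=None):
    """Map each flagged path to its findings; as_of is YYYY-MM-DD (default today)."""
    today = datetime.strptime(as_of, "%Y-%m-%d").date() if as_of else date.today()
    return {row["path"]: tags
            for row in csv.DictReader(io.StringIO(export_csv))
            if (tags := classify(row, today))}


if __name__ == "__main__":
    for path, tags in audit(SHARE_EXPORT).items():
        print(f"{path}: {', '.join(tags)}")
```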
Dormant Cloud Resources Nobody Remembers
If you're running on AWS, Azure, or GCP, you probably have some infrastructure that's running right now that nobody can explain. A developer spun up an EC2 instance to test something two years ago, and it's still running and costing money even though nobody remembers what it's for. It's just sitting there with whatever security configuration it had when it was created for testing purposes.
We use cloud security posture tools that have complete visibility into cloud environments via API and agents to assess all cloud environments. You can do the same thing from the cloud consoles themselves, but not as easily (a CSPM or CNAPP trial is worth the time and usually free). There are always cloud assets that:
- Have no owner and no remembered purpose
- Are running outdated software with known vulnerabilities
- Have security configurations that were fine for testing but not for production
- Are actively costing money and increasing cyber risk while doing nothing
The cost savings angle is compelling enough that organizations love this finding, but the security angle matters too: forgotten infrastructure is unmaintained infrastructure, and unmaintained infrastructure is vulnerable infrastructure.
The fix involves identifying the resource, determining if it's needed, and either shutting it down or properly configuring and tagging it. It might take a few discussions or publishing a list of shutdown candidates on Slack or Teams with a timeframe for response. Within a week or two of identifying the candidate assets you've saved the company money and reduced its risk. Quick wins.
Offboarding Gaps Everywhere
When someone leaves the company, their access should be reviewed and, in most cases, removed. In practice, most companies have partial offboarding: terminated users are removed from the main systems but linger across dozens of SaaS tools that are not configured for single sign-on (SSO). Those tools still let the user reach sensitive corporate, customer or partner data, represent the company, or affect its operations in some way.
We've seen the following:
- Former employees with active accounts in Slack channels that discuss sensitive information
- Old accounts in GitHub with access to current repositories
- Former contractors with active credentials in cloud environments
- Accounts in analytics tools, CRM systems, and productivity apps that haven't been touched in years
SaaS security posture tools can correlate identity across non-SSO platforms. But a spreadsheet of active users exported from a maintained system (HR or the identity provider) can also be compared manually against the user lists of every non-SSO corporate SaaS platform. A one-time review removes orphaned identities and stale credentials and reduces risk, and it provides the impetus to recruit stakeholders to build more robust offboarding processes and to move more corporate SaaS (ideally all of it) behind SSO.
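The manual comparison described above, as an added example that is not the post's own tooling: it reconciles constructed per-platform user exports against a constructed HR roster (all names, domains, dates and the 90-day dormancy threshold are assumptions), normalizes addresses so exports from different tools compare equally, and separates terminated users from accounts that cannot be matched to any known identity and from accounts nobody has used in months.

```python
import csv
import io
from datetime import datetime

DORMANT_DAYS = 90  # assumption: no login in 90 days counts as dormant

# Constructed authoritative roster (e.g. an HRIS or IdP export), not real data.
ROSTER = """email,status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
"""

# Constructed user exports from tools that are not behind SSO.
SAAS_EXPORTS = {
    "github": """email,last_login
alice@example.com,2025-05-28
bob@example.com,2024-11-02
""",
    "crm": """email,last_login
Carol@Example.com,2025-01-03
dan.contractor@gmail.com,2025-05-30
""",
}


def norm(email):
    """Lower-case and trim so the same person matches across tools."""
    return email.strip().lower()


def load_roster(text):
    return {norm(r["email"]): r["status"].strip().lower()
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(roster_csv, exports, as_of):
    """Return {(platform, email): reason} for every account that needs review."""
    roster = load_roster(roster_csv)
    today = datetime.strptime(as_of, "%Y-%m-%d").date()
    flagged = {}
    for platform, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = norm(row["email"])
            status = roster.get(email)
            idle = (today - datetime.strptime(row["last_login"], "%Y-%m-%d").date()).days
            if status is None:
                flagged[(platform, email)] = "NOT_IN_ROSTER"  # personal address or unknown identity
            elif status != "active":
                flagged[(platform, email)] = "TERMINATED"  # the offboarding gap itself
            elif idle > DORMANT_DAYS:
                flagged[(platform, email)] = "DORMANT"  # untouched account worth revoking
    return flagged


if __name__ == "__main__":
    for (platform, email), reason in sorted(reconcile(ROSTER, SAAS_EXPORTS, "2025-06-01").items()):
        print(f"{platform:8} {email:28} {reason}")
```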
Security Tools Nobody Looks At
Companies often have security tools that they bought at some point and someone set up, but have fallen out of use. We'll look at existing security tool dashboards and find:
- Endpoint agents that haven't checked in for months
- Security tools with critical and high priority alerts nobody has reviewed
- Logging enabled but logs never analyzed
- Vulnerability scanners that run but produce reports nobody reads
The tools were deployed but the ongoing operational work was never staffed, so the tools exist without providing any value. A one-time review of these tools will often surface high-priority items that can and should be fixed rapidly to reduce risk or stop an active attack. The fact that those issues sat unmonitored can then be used to prioritize longer-term staffing and process creation.
The fix is to either staff the operational work or acknowledge you don't have the capability, because deployed-but-ignored security tools create false confidence where you think you have detection when you don't.
The Security Narrative Is Missing
Often the most important quick win isn't technical at all.
Companies that have gone without proper security leadership often don't have a way to talk about their security program. When customers ask about security there's no coherent story even if the company has made real security investments.
Once we've done a basic assessment and understand where things stand, we can build the security narrative for the company. This is the document that says: here's how we think about security and the risks our customers take in using our products and services, here's what we have in place, here's what we're building, and here's how we handle specific concerns.
Such security narratives deliver consistent answers to customer questions, the right response to security questionnaires and a foundation for talking to the board and other external stakeholders about security. The quick win is creating a credible security narrative about what already exists and what the company is building.
What Makes These "Quick Wins"
Each of these quick wins shares characteristics:
Visibility and focus are the main barriers. Nobody fixed these problems because nobody was focused on finding and fixing them. Once focus on security is funded or prioritized, the problems and solutions are often obvious.
Fixes are straightforward. These aren't architectural changes or major projects. They're configuration changes, one time or periodic cleanup tasks, and documentation.
Impact is immediate. Fix file sharing and you've reduced real exposure. Shut down unneeded infrastructure and you've reduced your attack surface and saved money. Build a credible narrative and you can answer customer security questions tomorrow.
They build momentum. Quick wins demonstrate value because the executive team sees problems getting solved, which builds confidence for the larger roadmap discussions.
What Comes After Quick Wins
It's important to remember that quick wins aren't the security program. They're the first results that come out of looking at your environment systematically.
After quick wins, you can move on to initiating an evergreen security governance process that creates and maintains your security roadmap, budget and resource plans and prioritizes your longer-term efforts and investments. That is the real work of building a security program.
Quick wins matter because they win hearts and minds, increase security awareness and create momentum among key internal stakeholders in your security program.