Year one is overhead. Year two is when programs start to harden. Year three is when they get good. That holds for internal CISOs, fractional CISOs, advisors, anyone.
Most security advisor engagements are 12 months. The reason isn't that programs mature in twelve months. Nobody thinks they do. The reason is that procurement runs on a 12-month budget cycle, and the security work has been forced to fit. The label "fractional CISO" was invented to cover for the mismatch. The label is a workaround. The shape is the problem.
Three half-lives nobody tracks
The pen test finding: 30 days
A penetration test produces a report. The report produces a remediation plan. The remediation plan gets worked. Within 30 days of close, the highest-severity findings are fixed and the engineering team has moved on. Within 90 days, half the medium-severity findings are silently deprioritized because the team that owned them has changed shape. Within 180 days, the report has aged into a compliance artifact. Most of what was in it is either fixed, reframed as accepted risk, or quietly forgotten.
This is fine, but only if someone is around to drive the next test, the next iteration, and the program improvements that close the structural causes, not just the symptoms. If the engagement ended at month 12, the third pen test never happens with the same advisor in the room. The first two iterations are learning. The third is where the real fix lives.
The new policy: 90 days
A new policy lands in the GRC tool. People sign it. Training happens. For 60 to 90 days, behavior changes visibly. After that, enforcement decays. New hires don't see it. Edge cases aren't covered. The policy becomes wallpaper.
A real program treats policies as living artifacts that get reviewed against actual control behavior on a continuous loop. That loop is a multi-year discipline. If the engagement that introduced the policy ends before the loop is established, the policy survives. The program around it does not.
The new tool: 180 days
The vendor signed the SOW. The implementation went well. The dashboards are green. Six months later, alerts have decayed because no one has tuned them. A year later, half the integrations have drifted. Two years later, someone notices the tool no longer covers a third of the environment.
Tools have to be operated, not just deployed. Operating them is a multi-year capability that compounds with the staff who run them. A 12-month engagement is a deployment engagement. The work that makes the tool worth the spend happens after.
The procurement shape is the failure mode
Procurement teams buy security work the same way they buy any other professional services engagement: scope, deliverables, timeline, price. That shape works for things that are projects. Security programs are not projects. They are continuous capabilities that have to outlast the procurement cycle that bought them.
When you buy a security advisor on a 12-month timebox, what you are actually buying is:
- 3 months of context-building (org chart, systems, vendors, business model)
- 6 months of doing the visible work (assessments, policies, tooling)
- 3 months of trying to leave behind something that survives departure
The math does not change because the title changes. A security program does not show up in twelve months.
Three questions before you sign
Ask any security advisor or fractional CISO three questions before the engagement starts:
- What is your average engagement length? If the answer is six to nine months, they are not in the program-building business. They are in the assessment-and-remediation business. Both are valid. Only one survives an audit two years from now.
- What is your client renewal rate at month 18? This filters for engagements that delivered enough value to justify a second budget cycle. If they cannot give a number, the answer is low.
- Show me the program at year three. A real engagement leaves a program that runs without the advisor: documented controls, named owners, escalation paths, vendor continuity, and an institutional muscle for handling incidents. If they cannot describe that artifact, they are selling you the assessment, not the program.
These three questions will close most pitch decks early. That is a feature.
What the buyer actually needs
The honest answer is that most companies do not need a 12-month security engagement. They need either:
- A short, scoped piece of work (an assessment, audit prep, an incident response retainer) that is bought as a project, delivered, and ended cleanly. Twelve months is too long. Three to six is right.
- A multi-year operating relationship that builds capability through cycles of audit, incident, board reporting, vendor change, and team turnover. Twelve months is too short. Twenty-four to thirty-six is the floor.
The 12-month engagement is the worst of both: long enough to be expensive, short enough to be useless. It exists because the budget cycle is twelve months and procurement is built around it. That is not a security argument. That is an org-chart argument. Buyers should stop treating it as both.
Bottom line
The reason security programs fail two years after a successful engagement is not that the engagement was bad. It is that the engagement ended on schedule. Short engagements optimize for visibility (deliverables, status reports, audit pass). Programs require continuity (institutional memory, control evolution, multi-cycle hardening).
If your next security advisor's pitch is structured around what they will deliver in twelve months, they are pitching you a project. Buy it as a project. If you need a program, buy a program, and price it like the multi-year capability it is.
The 12-month security program is the one thing the cybersecurity industry has not quite admitted is broken. It is.
If you'd like the three vetting questions and the multi-year program shape as a one-pager you can use in your next advisor selection, reach out. We'll send it.
Senior security leadership, on a multi-year horizon.
Pylon's model is built for long engagements. Embedded senior leadership, multi-year continuity, and programs designed to outlast the contract that produced them. Short retainers exist for short problems. Programs need time.