Rogue CISO

Rogue CISO is a governance operating model for security leaders who need clear decisions, accountable delivery, and board-ready visibility without fragmented spreadsheets and disconnected reporting.

Executive Summary

Security programs often fail on execution, not intent. Rogue CISO brings decisions, risks, actions, evidence, and assurance into one view so leadership can see what is overdue, what is blocked, and where exposure remains above appetite.

This repository captures the business design, governance model, and implementation direction for that capability.

Current Delivery Status

Rogue CISO is in active implementation.

• Sprint 3 assurance and reporting scope is implemented.
• Sprint 4 hardening and release-readiness closeout are complete.
• Sprint 4 trust and usability uplift is complete (framework review workflow, report reminders, encrypted-local mode operability, and first-run create support for stakeholder/risk appetite).
• The current packaging pipeline uses bundled output for leaner release artefacts.

Business Outcomes

• Reduce governance drag by consolidating scattered registers and updates.
• Improve decision quality with explicit risk appetite and linked evidence.
• Increase delivery accountability through owner-based action tracking.
• Strengthen audit and assurance readiness with traceable records.
• Improve board confidence through consistent, repeatable reporting.

Who It Is For

• CISOs and security leaders responsible for governance outcomes.
• Risk, assurance, and compliance managers who need traceability.
• Executive stakeholders who require concise, credible security posture updates.
• Organisations with moderate to high compliance expectations, including Australian Government-aligned environments.

What Rogue CISO Covers

• Governance forums and decisions.
• Risks, recommendations, and treatment actions.
• KPIs and maturity tracking (including E8 and PSPF contexts).
• Policy baseline oversight.
• Critical asset and assurance provider visibility.
• Incident response and continuity readiness checkpoints.
• Board and audit reporting outputs.

Operating Principles

• Single source of truth for governance artefacts.
• Evidence-linked decisions, not point-in-time commentary.
• Visibility of execution risk (overdue, blocked, and high-priority work).
• Structured governance cadence supported by clear ownership.

Deployment Position

Current design direction is local-first and controlled by the organisation, with emphasis on data ownership, low operational overhead, and practical adoption in existing governance workflows.

Core Capabilities Implemented

• Structured workflows for risks, actions, recommendations, forums, outcomes, and benefits.
• Assurance register workflows for KPI, policy, critical asset, assurance provider, and resilience checks.
• E8 and PSPF assessment workflows with pinned framework versions.
• Board and executive reporting outputs in markdown and PDF.
• Storage maintenance operations: backup, restore, diagnostics, compact, and repair.
• Data Workspace and Graph Explorer webviews for detail-first editing and relationship exploration.

Development Commands

• Build (typecheck + bundle): npm run compile
• Lint + tests: npm run test:quality
• Release smoke validation: npm run release:smoke
• Package VSIX manually: npx @vscode/vsce package

Release Artefact Posture

• Extension packaging is now bundled for reduced release footprint.
• Current VSIX packaging baseline is a compact artefact containing the bundled out/extension.js plus core metadata/assets.

Repository

• Canonical repository: https://github.com/MegaTobyOne/VSC_RogueCISO
• Issue tracker: https://github.com/MegaTobyOne/VSC_RogueCISO/issues

Licence

• Licence: MIT
• See LICENSE for the canonical licence text.
• See LICENCE.md for a Markdown copy.

Read Next

• Customer value and ROI framing: docs/CUSTOMER_VALUE_REVIEW.md
• End-to-end architecture: docs/ARCHITECTURE.md
• Feature and scope design: docs/RC_DESIGN.md
• Data model and entities: docs/RC_DATA_MODEL.md
• End-to-end implementation review (9 March 2026): docs/END_TO_END_REVIEW_2026-03-09.md
• Final design readiness review (archived): docs/archive/2026-03-phase-closeout/FINAL_REVIEW.md
• Release notes v0.400.0 (archived): docs/archive/2026-03-phase-closeout/RELEASE_NOTES_0.400.0.md

Current Status

Execution planning and delivery evidence are maintained in docs/IMPLEMENTATION_PLAN.md, with current trust/usability findings and release-readiness decisions captured in docs/END_TO_END_REVIEW_2026-03-09.md.