Virtual CISO.
A senior security executive on a monthly retainer. The same strategic leadership, board reporting, and accountability as a full-time CISO, month to month, with thirty days' notice to cancel.
Overview
The vCISO retainer is for companies that need senior security leadership but aren't ready, or large enough, to hire one full time. The retainer covers everything an internal CISO would: monthly program steering, quarterly board updates, security roadmap, vendor reviews, architecture sign-off, audit liaison, and incident command. You get a named executive, not a rotating bench.
What's included
- Monthly executive steering meeting with security leadership and IT
- Quarterly board-ready security report (metrics, risks, incidents, roadmap)
- Annual roadmap and budget recommendation
- Vendor and tool selection (SIEM, EDR, IAM, MDM, backup, cloud security)
- Security architecture review and approval (Zero Trust, identity, network, SaaS)
- Auditor and regulator liaison
- Incident command for material events
What you get
- Roadmap. Living document, refreshed quarterly, sized to your team and budget.
- Board report. Quarterly, in a format directors actually read.
- Risk register. Maintained continuously, not at year-end only.
- Architecture sign-off. Written approval (or revision request) for major changes before they go live.
Engagement sizes
- Small. Under 50 employees, single product line. Around 10 hours per month.
- Mid-sized. 50 to 200 employees, regulated, multi-cloud. Around 20 hours per month.
- Large. 200 or more employees, multiple business units, board-mandated. Around 32 hours per month.
Onboarding is included. Hours not used in a month roll forward up to one quarter. The retainer can flex up by written agreement during audit prep, M&A diligence, or major migrations.
Common questions
How is this different from an MSSP?
An MSSP runs the tools: the SIEM, EDR, and the SOC. A vCISO runs the program: strategy, governance, vendor decisions, board communication. Many clients use both.
What if we have an incident?
The vCISO assumes incident command for material events. If response work exceeds the retainer hours, it overflows to the IR retainer or is invoiced at the standard hourly rate with your approval.
Can the retainer flex up for a project?
Yes. Audit prep months, M&A diligence, or a major migration commonly run hot. We agree the surge in writing in advance.