What the role actually is
A Chief Information Security Officer's job is to convert ambiguous risk into specific decisions. They make the call on which controls the organisation will operate, which it will accept the risk of skipping, how much it will spend, and how it will explain that to the board, customers, and regulators. A virtual CISO does the same job, on a fractional basis, usually somewhere between one and four days per month.
The work splits roughly into three buckets:
- Strategy and governance — multi-year roadmap, risk appetite, policy framework, control selection.
- External representation — board meetings, investor diligence calls, customer security reviews, regulator and auditor coordination.
- Programme oversight — managing the vendors, the audits, the penetration tests, and the in-house security engineers (if any).
The thing a vCISO doesn't do — or shouldn't — is operate controls hands-on. They aren't writing firewall rules, configuring EDR, or rotating KMS keys. If they're doing those things, you've hired a senior security engineer with the wrong title.
The honest signals that tell you it's time
Most companies don't need a vCISO. Most companies under 50 employees, not handling regulated data, not selling into enterprise, are better served by an annual security review and a competent IT lead. The signals that tip the balance:
1. You're pursuing certification
SOC 2, ISO 27001, SMB1001, HITRUST, PCI DSS — all require someone to own the programme. Auditors will ask, repeatedly, "who is accountable for this?" The answer cannot be "the engineering team." A vCISO becomes that named accountable person without you needing to hire one full-time.
2. Enterprise customers are now in the pipeline
Enterprise procurement processes include a security review. That review increasingly includes a video call where the customer's security team will ask your security leader very specific questions about how you handle their data. If "your security leader" is your CTO winging it, you'll lose deals you should be winning.
3. You're raising Series A or later
Sophisticated investors now include cybersecurity in their due diligence pack. They expect to see: a risk register, an incident response plan, a third-party penetration test in the last 12 months, and named executive accountability. Hiring a vCISO for the three months around a raise is one of the highest-leverage spends a founder can make.
4. You had an incident and didn't know what to do
The post-mortem after a near-miss almost always reveals the same three gaps: no documented IR plan, no clear authority to declare an incident, and no rehearsed external communications. A vCISO fixes all three within 60 days.
5. A new regulation now applies
NIS2 brings essential and important entities across 18 sectors into scope across the EU. DORA captures every financial entity and a wide net of critical ICT third-party providers. The regulatory landscape has expanded enormously between 2023 and 2026, and many organisations now find themselves in scope without realising it. A vCISO's first 30-day deliverable is usually an applicability analysis: which regimes apply, what the deadlines are, what's still missing.
The six recurring deliverables
A productive vCISO engagement produces these on a recurring cadence:
1. Strategy roadmap (quarterly)
A two-page document showing the next four quarters of security work, mapped to business priorities. Reviewed and re-baselined every three months.
2. Board pack (quarterly or semi-annually)
The artefact the board reads. Risk register, control maturity scores, programme progress, incident summary, ask for the next quarter. Eight to twelve pages, not eighty.
3. Risk register (continuously maintained)
Top 15–25 risks, each with owner, treatment plan, residual rating, last-reviewed date. The single most-asked-for artefact in any external review.
4. Policy framework
Acceptable use, access control, data classification, vendor management, incident response, business continuity — six to ten policies, six pages each, reviewed annually.
5. Incident response playbooks
Pre-written runbooks for the five most likely incident classes: ransomware, credential compromise, data exfiltration, third-party breach, business email compromise. Tested via tabletop twice a year.
6. KPI report
The metrics that demonstrate the programme is operating: MFA coverage, EDR coverage, patch SLA compliance, mean-time-to-detect, mean-time-to-respond, training completion rates, audit finding closure rates. Updated monthly.
What to look for in a vCISO
Five signals of a credible candidate:
- Operational scars. They've run a real security programme through a real audit, a real incident, or a real M&A diligence. Not just written about it.
- Both sides of the table. They've worked in regulated environments (financial services, healthcare, critical infrastructure) and in fast-moving tech. Pure consulting backgrounds tend to over-engineer; pure tech backgrounds tend to under-document.
- Willingness to write things down. A vCISO whose only output is meetings is not a vCISO. Their value lives in the artefacts they produce.
- Honesty about what to skip. A vCISO trying to sell you everything is trying to sell you everything. The good ones tell you which 30% of your wishlist to drop.
- Clear escalation contract. When (not if) an incident happens at 02:00, what does the response look like? If they don't have a clear answer, they're an advisor, not a CISO.
When to graduate from a vCISO to a full-time hire
Three triggers typically justify converting:
- You're past 150–200 employees and the operational security workload (vendor reviews, employee onboarding/offboarding, audit evidence, incident triage) consistently exceeds what a fractional engagement plus an in-house security engineer can absorb.
- You're approaching IPO, M&A, or a regulated business expansion where 24/7 security executive availability is required.
- The strategic ambiguity has resolved: you know what you're building, the security programme is mature, and the next phase is execution, not direction-setting.
A good vCISO will tell you when you've reached that threshold — and frequently helps recruit their full-time replacement.