Contact us
XONO / Insights / vCISO

What a virtual CISO actually does (and when you really need one)

"vCISO" is one of the most over-marketed terms in cybersecurity. Here's the honest version: what the role looks like in practice, which deliverables justify the fee, and the signals that tell you whether your organisation actually needs one yet.

Key takeaways

  • A vCISO is an experienced security executive engaged 1–4 days a month to own strategy, governance, board reporting, and major incident leadership — at roughly 15–35% of the cost of a full-time CISO.
  • The clearest triggers: pursuing SOC 2 / ISO 27001 / SMB1001, fundraising due diligence, an enterprise customer security review, post-incident remediation, or new regulatory scope (NIS2, DORA).
  • A good vCISO produces six recurring artefacts: strategy roadmap, board pack, risk register, policy framework, incident playbooks, and a quarterly KPI report.
  • vCISOs should not double as DPOs (GDPR Art. 38 independence requirement) and should not hands-on operate the controls they're meant to govern.
  • If you have a senior security engineer in-house but no executive who can stand in front of a customer's CISO, that's exactly where a vCISO fits.

What the role actually is

A Chief Information Security Officer's job is to convert ambiguous risk into specific decisions. They make the call on which controls the organisation will operate, which it will accept the risk of skipping, how much it will spend, and how it will explain that to the board, customers, and regulators. A virtual CISO does the same job, on a fractional basis, usually somewhere between one and four days per month.

The work splits roughly into three buckets:

  • Strategy and governance — multi-year roadmap, risk appetite, policy framework, control selection.
  • External representation — board meetings, investor diligence calls, customer security reviews, regulator and auditor coordination.
  • Programme oversight — managing the vendors, the audits, the penetration tests, and the in-house security engineers (if any).

The thing a vCISO doesn't do — or shouldn't — is operate controls hands-on. They aren't writing firewall rules, configuring EDR, or rotating KMS keys. If they're doing those things, you've hired a senior security engineer with the wrong title.

The honest signals that tell you it's time

Most companies don't need a vCISO. Most companies under 50 employees, not handling regulated data, not selling into enterprise, are better served by an annual security review and a competent IT lead. The signals that tip the balance:

1. You're pursuing certification

SOC 2, ISO 27001, SMB1001, HITRUST, PCI DSS — all require someone to own the programme. Auditors will ask, repeatedly, "who is accountable for this?" The answer cannot be "the engineering team." A vCISO becomes that named accountable person without you needing to hire one full-time.

2. Enterprise customers are now in the pipeline

Enterprise procurement processes include a security review. That review increasingly includes a video call where the customer's security team will ask your security leader very specific questions about how you handle their data. If "your security leader" is your CTO winging it, you'll lose deals you should be winning.

3. You're raising Series A or later

Sophisticated investors now include cybersecurity in their due diligence pack. They expect to see: a risk register, an incident response plan, a third-party penetration test in the last 12 months, and named executive accountability. Hiring a vCISO for the three months around a raise is one of the highest-leverage spends a founder can make.

4. You had an incident and didn't know what to do

The post-mortem after a near-miss almost always reveals the same three gaps: no documented IR plan, no clear authority to declare an incident, and no rehearsed external communications. A vCISO fixes all three within 60 days.

5. A new regulation now applies

NIS2 brings essential and important entities across 18 sectors into scope across the EU. DORA captures every financial entity and a wide net of critical ICT third-party providers. The regulatory landscape has expanded enormously between 2023 and 2026, and many organisations now find themselves in scope without realising it. A vCISO's first 30-day deliverable is usually an applicability analysis: which regimes apply, what the deadlines are, what's still missing.

The six recurring deliverables

A productive vCISO engagement produces these on a recurring cadence:

1. Strategy roadmap (quarterly)

A two-page document showing the next four quarters of security work, mapped to business priorities. Reviewed and re-baselined every three months.

2. Board pack (quarterly or semi-annually)

The artefact the board reads. Risk register, control maturity scores, programme progress, incident summary, ask for the next quarter. Eight to twelve pages, not eighty.

3. Risk register (continuously maintained)

Top 15–25 risks, each with owner, treatment plan, residual rating, last-reviewed date. The single most-asked-for artefact in any external review.

4. Policy framework

Acceptable use, access control, data classification, vendor management, incident response, business continuity — six to ten policies, six pages each, reviewed annually.

5. Incident response playbooks

Pre-written runbooks for the five most likely incident classes: ransomware, credential compromise, data exfiltration, third-party breach, business email compromise. Tested via tabletop twice a year.

6. KPI report

The metrics that demonstrate the programme is operating: MFA coverage, EDR coverage, patch SLA compliance, mean-time-to-detect, mean-time-to-respond, training completion rates, audit finding closure rates. Updated monthly.

What to look for in a vCISO

Five signals of a credible candidate:

  1. Operational scars. They've run a real security programme through a real audit, a real incident, or a real M&A diligence. Not just written about it.
  2. Both sides of the table. They've worked in regulated environments (financial services, healthcare, critical infrastructure) and in fast-moving tech. Pure consulting backgrounds tend to over-engineer; pure tech backgrounds tend to under-document.
  3. Willingness to write things down. A vCISO whose only output is meetings is not a vCISO. Their value lives in the artefacts they produce.
  4. Honesty about what to skip. A vCISO trying to sell you everything is trying to sell you everything. The good ones tell you which 30% of your wishlist to drop.
  5. Clear escalation contract. When (not if) an incident happens at 02:00, what does the response look like? If they don't have a clear answer, they're an advisor, not a CISO.

When to graduate from a vCISO to a full-time hire

Three triggers typically justify converting:

  • You're past 150–200 employees and the operational security workload (vendor reviews, employee onboarding/offboarding, audit evidence, incident triage) consistently exceeds what a fractional engagement plus an in-house security engineer can absorb.
  • You're approaching IPO, M&A, or a regulated business expansion where 24/7 security executive availability is required.
  • The strategic ambiguity has resolved: you know what you're building, the security programme is mature, and the next phase is execution, not direction-setting.

A good vCISO will tell you when you've reached that threshold — and frequently helps recruit their full-time replacement.

Frequently asked questions

What is a virtual CISO?

A virtual CISO (vCISO) is an experienced security executive engaged on a fractional or retained basis, typically 1–4 days per month, to provide the strategic, governance, and board-facing functions of a full-time CISO — without the USD 250,000–450,000 fully-loaded cost of a full-time hire.

When does my company actually need a vCISO?

Common triggers: pursuing SOC 2 / ISO 27001 / SMB1001; preparing for an enterprise customer security review; raising a Series A; a recent incident exposing governance gaps; or new regulatory scope (NIS2, DORA). If two or more apply, a vCISO usually pays back inside six months.

How much does a vCISO cost?

vCISO engagements typically run USD 6,000–18,000 per month depending on commitment (1–4 days/month), scope, and seniority. A full-time CISO total comp package is USD 250,000–450,000 — a vCISO is 15–35% of that fully-loaded cost.

What's the difference between a vCISO and a security consultant?

A consultant is engaged for a specific project with a defined deliverable and end date. A vCISO is engaged in an ongoing executive role with accountability for the security programme — board meetings, sign-off on policies, external representation, risk-register ownership over time.

Can a vCISO act as the Data Protection Officer (DPO)?

Generally no. GDPR Article 38(6) requires DPO independence from operational decisions affecting personal data processing. A vCISO actively designing those controls cannot independently audit them. Engage a separate DPO and have the vCISO advise on technical matters.

Looking for a vCISO?

We engage with organisations between 20 and 500 people, typically 2–4 days per month, with all six recurring deliverables listed above included as standard. Initial scoping calls are free and last 30 minutes.

Start a conversation

Read next