Executive security leadership.
For a fixed monthly fee.

A senior consultant acts as your CISO. Strategy, board reporting, compliance, vendor management, incident response. At a fraction of the cost of hiring full-time.

What a vCISO does.

Strategic security planning, risk management, board reporting, vendor & supply-chain reviews, incident response leadership, security awareness programmes, and certification stewardship for ISO 27001 / SOC 2 / Cyber Essentials.

Days vs fees.

Typically 2-8 days per month, agreed in advance. Fees range from £3,000 to £15,000 monthly depending on scope, calendar, and incident-response coverage. Engagement length: 6 months minimum, no auto-renewal.

The cost case vs full-time.

A senior CISO in the UK market commands £180k-£280k base plus benefits. At 25-50% vCISO engagement you get the same strategic output for £36k-£70k a year. A 60-80% saving while you scale.

Benefits of a vCISO.

01

Fixed monthly fee

Predictable budget with days agreed in advance.

02

Cost effective

Senior strategic coverage at 25-40% of full-time cost.

03

Expert consultants

Every vCISO is a CISSP, CISM, or ISO 27001 Lead Implementer.

04

Maintains certifications

Keeps ISO 27001 and SOC 2 programmes alive between audits.

From day one to board-ready.

1

Discovery month

Current-state assessment, stakeholder mapping, top-3 risks identified.

2

Strategy & roadmap

90-day, 1-year, and 3-year security roadmaps. Board-ready.

3

Monthly cadence

Agreed days/month, fixed calendar, regular stand-ups with your team.

4

Quarterly board reviews

Formal reporting and roadmap updates to your board or executive team.

  • Security maturity assessment. Where you are today on NIST CSF, ISO 27001, or CIS Controls.
  • Strategic roadmap. 90-day, 1-year, and 3-year plans with budgets and milestones.
  • Risk register & treatment plan. FAIR-quantified where useful, reviewed quarterly.
  • Vendor & supply-chain reviews. Risk-tiered with re-review cadence.
  • Incident response runbook. Roles, escalation paths, comms templates. Tested with a tabletop.
  • Quarterly board pack. Risk posture, programme progress, incidents, regulatory horizon.
  • Security awareness programme. Annual cadence with phishing simulation and onboarding modules.

Strategic and operational.

  • NIST CSF 2.0
  • ISO/IEC 27001
  • CIS Controls v8
  • FAIR (risk quantification)
  • NIST SP 800-53
  • HITRUST

Frequently asked.

Who's our vCISO?

A named senior consultant from day one. Not a rotating bench. They're backed by the wider team for continuity, holiday cover, and specialist input (e.g. pen testers, cloud architects).

How many days per month?

Typical scopes: 2 days/month for steady-state stewardship, 4 days/month during certification preparation, up to 8 days/month for organisations going through significant change or M&A.

What if we have an incident at 2am?

Add-on incident-response retainers are available with defined SLAs (typically 1-2 hour response, 24/7). Without a retainer, we still respond on best-effort during business hours.

Can the vCISO sign off on regulator submissions?

Yes, where their qualifications and the regulator allow. We're regularly named as the security lead on ICO submissions, FCA filings, and supply-chain attestations.

When should we graduate to a full-time CISO?

Common triggers: ARR exceeds £20-£30m, the security team grows beyond 4-5 people, or a regulator (FCA, PRA) explicitly requires a designated CISO. When you're ready, we help with the search and onboarding.

Make compliance feel inevitable.

Book a free consultation