Virtual CISO (vCISO) Retainer
Executive-level security leadership, without the full-time hire.
The problem
Most SMEs cannot justify a full-time Chief Information Security Officer. But without security leadership, decisions get made reactively, risks go unmanaged, and when auditors or regulators ask who is responsible for security, there is no clear answer. A vCISO provides the guidance, governance, and accountability of a security leader, at a fraction of the cost of a full-time hire.
Our methodology
- Monthly risk register review and update: tracking open risks, mitigations, and changes to the risk landscape
- Monthly board or executive security report: a one-page summary that decision-makers can act on
- Policy review and approval: keeping your policy suite current as the business and regulatory environment evolves
- Vendor risk oversight: reviewing assessment results, escalating concerns, and advising on vendor decisions
- Incident triage support: reachable through the agreed contact channel, within the agreed response time, to assist with security incident response
- Regulatory correspondence support: helping you draft responses to auditors, regulators, or clients with security questionnaires
- Quarterly security posture review: a deeper look at the overall programme health
What you will receive
- Monthly risk register update
- Monthly board security report (one page, non-technical)
- Policy review log and version history
- Quarterly security posture summary
- Incident triage notes and recommendations (as required)
Estimated timeline
Ongoing monthly retainer. Quarterly and annual packages available. Minimum 3-month commitment.
Overview
Security leadership is not a one-time project. Risk evolves, the regulatory environment changes, staff turn over, and new technologies introduce new exposures. Without consistent leadership, even organisations that start in a good security posture drift toward risk over time.
The vCISO retainer gives you that continuity: a security professional who knows your business, tracks your risks, and is accountable for your security programme month after month.
What Security Leadership Actually Looks Like
In a well-run security programme, someone is doing these things regularly:
- Updating the risk register as new risks emerge or existing ones change
- Reporting to leadership on the state of security in language they can understand
- Reviewing vendor assessments and advising on which risks to accept or remediate
- Keeping policies current as the business evolves
- Coordinating response when something goes wrong
For large organisations, that person is a full-time CISO. For SMEs, that is not economically realistic. The vCISO retainer provides the function without the overhead.
Who This Is For
The vCISO retainer is best suited to SMEs that:
- Have reached a size where security decisions need dedicated oversight (typically 20+ staff)
- Face regulatory requirements that require documented security governance
- Want to demonstrate security maturity to clients, auditors, or investors
- Have had a security incident and want to ensure it does not happen again
The Monthly Rhythm
Every month, we review your risk register together, update it to reflect new developments, and produce a one-page board report. Every quarter, we take a broader view of the programme: what is working, what is slipping, and what needs attention in the next quarter. You always know the state of your security, and your leadership team always has something to point to.
Frequently asked questions
What is the difference between a vCISO and a consultant?
A consultant is typically engaged for a specific project with a defined start and end, such as an audit, a policy review, or an assessment. A vCISO is an ongoing relationship with accountability: they know your business, track your risks over time, attend relevant meetings, and are available when things happen. The value compounds with the relationship. We function as a fractional security leader, not a project vendor.
How much time do you spend with us each month?
The standard retainer involves a monthly governance call (60 to 90 minutes), asynchronous review of the risk register and any policy changes, and availability for ad-hoc questions via WhatsApp or email with a response within 24 hours. Significant events, such as incidents, regulatory inquiries, or major new vendor onboardings, trigger additional engagement within the retainer scope. We will be transparent about what is included and what would require a change in scope.
Can we use you for specific projects instead of a retainer?
Yes. Most of our other services are fixed-scope projects that stand alone. The vCISO retainer works best for businesses that want ongoing security leadership and continuous risk oversight. If you are not sure which model suits your situation, the free discovery call is the right starting point.
Do we need a technical team for this to be useful?
Not necessarily. The vCISO function is about governance, leadership, and decision-making, not hands-on technical implementation. However, some of the value of the retainer comes from being able to direct technical activity. If you have no IT resource at all, we can recommend managed service partners who complement the governance work.
What happens if we have a security incident?
Incident triage support is included in the retainer. You contact us via the defined channel, we assess the situation, advise on immediate steps, help coordinate response, and document the incident and lessons learned. For incidents requiring hands-on technical forensics, we will help you engage appropriate specialists.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon: just an honest conversation about your situation.