Monthly vCISO · Senior security leadership without hiring a full-time CISO | OCIRIA

A senior engineer puts your security in order. No full-time cost, with quarterly minimum commitment.

Monthly vCISO

Senior security leadership without hiring a full-time CISO

Most mid-sized companies do not need a full-time CISO. What they need is someone who makes security decisions with judgement, who can say no to a vendor selling smoke, and who can sit in a board meeting without the technical context draining out of the room the moment they speak.

---

What it is

A vCISO (virtual Chief Information Security Officer) is a senior engineer who assumes the security leadership of your organisation for an agreed number of hours per month. Not a consultant who drops in, says four things and leaves. Not a junior with an inflated title. A professional with more than ten years in operational security, with prior experience as in-house CISO or board-level advisor, who takes responsibility for your security programme and reports back every month.

You save two things: the cost of a senior profile on payroll (between salary, benefits and recruitment effort, it does not come in under six figures annually in most European markets) and the friction of managing staff turnover, which in this sector runs high. In exchange, you get continuity, independent judgement and the flexibility to scale hours up or down according to the moment.

What separates a vCISO well done from a vCISO badly done is that the well-done one gets into the trenches: reads vendor contracts, pushes the technical team to close open tickets, prepares audit responses and sits in front of the board with a live risk spreadsheet, not a slide deck of good intentions.

---

When you need one

Three typical signals suggest it is time to bring in a vCISO:

You are asked for things you do not know where to start with. A corporate customer sends you a fifty-page security questionnaire. An insurer asks whether you have an incident response plan. A fund, in the middle of due diligence, wants to see your access management policy. Your in-house team can answer operational questions, but nobody is there to sort, prioritise and sign off.

You had an incident, or one close to it. Ransomware in a peer company, a data breach at a shared supplier, a phishing email that almost got through. The board wants to know whether you are prepared. You need someone who diagnoses and designs the plan, not someone who simply says "all good" or "all bad".

You grow faster than your security organisation. From fifty to two hundred employees in two years. New offices in another country. Your product begins to handle sensitive data. Security that worked for forty people does not work for two hundred, and reacting late is expensive.

---

How we work

Phase 1 · Initial diagnosis (week 1-2). Interviews with board, technical team and, where relevant, business leads handling sensitive data. Review of asset inventory, existing documentation, current contracts with technology providers and past incident records. We close with a situation report, a prioritised risk matrix and a proposal for the quarterly plan with three to five measurable objectives.

Phase 2 · Plan implementation (month 1-3). The vCISO leads execution. Coordinates the in-house technical team or external providers, validates deliverables, escalates blockers and keeps the board informed. One monthly meeting with the board, one weekly with the technical team, asynchronous communication the rest of the time.

Phase 3 · Review and adjustment (end of each quarter). Progress report against plan, lessons learnt, adjustment of the next quarter's plan. If new risks emerged, they are incorporated. If something does not add value, it is dropped without ceremony.

Phase 4 · Ongoing support. Once the rhythm is established, the vCISO is available to represent the organisation in front of external auditors, handle client security questionnaires, attend negotiations with technology providers and resolve specific questions from the executive team.

---

What we deliver

---

Who it is for

SMEs and mid-market companies of 30 to 500 employees with sensitive data, demanding corporate customers or regulatory exposure. Typical profile includes:

---

FAQs

How many hours per month should I contract?

It depends on size and maturity. The typical band for mid-market is between twenty and sixty monthly hours. The initial diagnosis defines the right band, and it can be adjusted quarterly.

Is there a minimum commitment?

Yes, quarterly. It spares you the uncertainty of an indefinite contract and gives us the minimum horizon to deliver results. After the first quarter, you can exit without penalty with one month's notice.

Remote or on-site?

Remote by default, with on-site visits where they add value (kick-off, key board meeting, handling a major incident). We do not require mandatory office presence nor charge travel without prior agreement.

What happens if I need someone outside contracted hours?

If it is a real incident, we respond. If it is additional planned work, it is agreed and billed separately without surprises. We do not use the "hour pool that evaporates" method nor charge for unconsumed hours.

Can you cover multiple regulatory frameworks or only one?

We cover those that apply to your sector: NIS2, GDPR, ISO 27001, ISO 42001, DORA if applicable, and contractual demands from corporate customers. The vCISO is briefed specifically on the regulatory framework relevant to you.

How is confidentiality managed?

Non-disclosure agreement signed before the diagnosis. The vCISO does not share information about your company with other clients, not even anonymised in public reports. If a conflict of interest arises (direct competitor), we tell you before accepting the engagement.

---

Typical use cases

Case 1 · The SaaS preparing its first certification. Software company with seventy people, recently closed Series B, two enterprise customers demanding SOC 2 Type II as a renewal condition. The initial diagnosis reveals the absence of a formal access management policy, partial audit logs and a missing continuity plan. The vCISO leads the programme for six months, coordinating the in-house technical team to implement controls and prepare for the external audit. Outcome: certification obtained on the first attempt, enterprise contract renewed.

Case 2 · The industrial manufacturer post-incident. Family-owned company, one hundred and twenty employees, two production plants. After a ransomware attempt contained, only just, by an old internal system, the board decides to professionalise the function. The vCISO comes in as security leadership without formal appointment, defines a twelve-month plan, segments the OT/IT network, formalises incident response, and represents the company in front of the insurer when the cyber-risk policy is renegotiated (with an effective reduction of the premium due to improved controls).

Case 3 · The professional firm with overlapping obligations. Law firm with forty professionals, client data belonging to high-profile individuals, exposure to both GDPR and sector-specific regulation. The vCISO leads a security programme focused on confidentiality and traceability, formalises protocols for collaborations with foreign firms, and prepares responses to questionnaires from banks and listed companies demanding annual due diligence.

---

How to start?

The first step is always an initial diagnosis of one week. No commitment. If, after the diagnosis, we decide not to work together, there is no cost.

We tell you the name and surname of the engineer who would take charge before any signature. If it does not fit, there is no relationship. It is that simple.

Write to us at [[email protected]](mailto:[email protected])
