Virtual CISO

Executive security leadership, without the search.

A seated Chief Information Security Officer for organisations that need the function but not the headcount. Named. Cleared. Boardroom-fluent. Attending on a retained, not-fractional-in-name-only, basis.

01 — Overview

A vCISO engagement is not an advisory subscription. It is a seated executive function — with strategy authorship, budget ownership, board reporting, and accountability for outcomes.

Our vCISO clients hire us because a permanent CISO is either premature, in transition, or unnecessary at the scale they operate. What they need is the presence of the office — someone who can answer to the audit committee, negotiate with the enterprise procurement team, and lead the response when things go wrong.

Every vCISO engagement is led by a partner with prior in-house CISO or Group Head of Security experience. No exceptions.

02 — Engagement

Our approach.

  1. I

    Executive intake & mandate

    Two weeks with the CEO, board, and executive team to agree the mandate, decision rights, and reporting cadence.

  2. II

    Program baseline & strategy

    A written security strategy on a page, plus a costed three-year roadmap tied to business milestones — Series funding, ATL enterprise motion, geographic expansion.

  3. III

    Standing operating cadence

    Weekly with the security team, monthly with the exec, quarterly with the board or audit committee. All deliverables authored to that standard.

  4. IV

    Program execution

    The partner drives program delivery: risk management, GRC, architecture direction, vendor oversight, incident readiness.

  5. V

    Succession, where planned

    For clients planning to hire a permanent CISO, we author the role, run the search alongside your talent partner, and hand over cleanly.

03 — Deliverables

What you receive.

  • Written security strategy and three-year roadmap
  • Board-grade quarterly security reporting pack
  • Risk register and risk appetite statement
  • Security policy suite and control framework
  • Enterprise security questionnaire response function
  • Incident response plan, tabletop-tested
  • Vendor risk oversight and third-party assurance program
  • Cyber insurance renewal support and broker briefings
  • Audit committee and regulator engagement, where required

04 — Timeline

Expected duration.

vCISO engagements are retained on quarterly minimums with a twelve-month initial term. Most clients retain the function for two to four years — long enough to establish the program, exit the CISO-hire question decisively, and demonstrate a maturity trajectory to their board and their buyers.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Is the vCISO a real person or a rotating team?+

A named partner is your vCISO. They lead every board attendance and own the strategy. A small delivery team supports execution beneath them. You will not encounter surprise faces.

Will the vCISO attend our board meetings?+

Yes. Boardroom presence is a defining part of the engagement, not an add-on. Our partners have sat across from FTSE, Fortune 500, and PE-backed boards, and know how to read the room.

Can the vCISO be named to our customers and regulators?+

Yes. Where appropriate, we accept being named as your Chief Information Security Officer in enterprise questionnaires, regulatory filings, and public-facing security pages.

What happens when we hire a permanent CISO?+

We plan for it from the outset if that's the trajectory. We author the role, participate in interviews, and execute a documented handover. Many of our clients retain us in a strategic-advisory capacity beyond the handover.