Fractional CISO · US-based · Named on retainer

Virtual CISO that walks into your board meeting with answers, not jargon

Fractional security leadership for the spot between "too small for a full-time CISO" and "too important to wing it." Board reports, audit prep, M&A due-diligence, post-incident program rebuilds. By the hour or by the quarter.

82 active vCISO retainers across 6 industries · 6 board decks delivered this quarter · 12 years average CISO experience on the bench · $340M total client revenue under our security programs

No credit card. A 30-minute Zoom with a named CISO, not a sales rep. Industry-matched: fintech CISOs for fintech, healthcare CISOs for HIPAA-covered entities.

Service tiers

Three lanes of fractional security leadership. Named CISO. Predictable retainer.

Every tier puts a named CISO on your account, matched to your industry. The difference is hours per week, board cadence, and whether you need a CISO who can sit on a board call, sign a cyber insurance attestation, or run an M&A diligence room.

vCISO Advisory
4 hours per week. Monthly leadership review. Audit liaison. Right for SMBs that need direction, not coverage.
$4,800/mo
Annual agreement · 6-month minimum
  • 4 hours per week of named CISO time, scheduled or as-needed
  • Monthly 60-minute leadership review with founder or CEO
  • Risk register kept current, reviewed quarterly
  • Cyber insurance questionnaire completed and signed off
  • Audit liaison: CISO joins fieldwork meetings on request
  • Email + Slack response within 1 business day
Start Advisory →
vCISO Executive
Named CISO with board-seat presence. M&A and exit support. Right for PE-backed and pre-IPO.
Custom
Scoped by board cadence & M&A activity
  • Named CISO with board-meeting attendance and audit-committee presence
  • M&A diligence: target risk reports, post-deal 100-day plans, integration support
  • Pre-IPO security readiness: SEC cyber disclosure (Item 106), S-1 review
  • Investor and customer security briefings on your behalf
  • Direct LP and board-member relationships across PE and VC
  • Path to FTE: structured handoff to a permanent CISO if you choose
Scope Executive →
The leadership stack we actually run · GRC, security, and reporting tools
  • Drata · Continuous compliance
  • Vanta · Continuous compliance
  • AuditBoard · Internal audit
  • OneTrust · Privacy & vendor risk
  • Microsoft Defender XDR · Detection
  • CrowdStrike · Endpoint & identity
  • ServiceNow GRC · Enterprise GRC
  • Splunk · SIEM
  • Tableau · KRI dashboards
  • Looker · Board reporting
  • Notion · Policy library
  • Confluence · Runbooks
vCISO scope · what you actually get

Seven engagement patterns. One named CISO. The cadence depends on the problem.

A vCISO is not a single deliverable. It is a leader who handles the seven things a real CISO handles, on a cadence that matches your business. Here is what each one looks like in practice and how often we run it.

Board reporting · Quarterly
  • Security KPIs deck (8 to 12 slides), risk appetite update, top-3 threats walk-through, audit-committee Q&A prep
Audit prep · Per audit
  • Policy library (38 policies), control gap report, fieldwork co-pilot, prior-year findings answered point-by-point
Cyber insurance · Annual
  • Carrier questionnaire completed and signed, coverage gap analysis, premium-reduction recommendations
M&A due-diligence · Per deal
  • Target risk report, security debt valuation, post-deal 100-day plan, integration sequencing
Incident recovery · Per incident
  • Post-mortem (root cause + control failures), board comms, remediation roadmap, regulatory disclosure support
Vendor risk · Quarterly
  • TPRM program, third-party reviews (SIG-Lite or CAIQ), tier-based re-assessment cadence, BAA tracking
Tabletop exercise · Semi-annual
  • Ransomware sim, BEC sim, vendor outage sim, crisis comms script, leadership debrief and action items

Embedded and Executive tiers include all seven on the standard cadence. Advisory tier picks two to three based on your priorities. Ask for a redacted sample board deck.

Engagement case file · anonymized

Post Series B fintech. Board demanded a CISO and a SOC 2 in 9 months. Both delivered.

A 320-employee fintech in Miami had just closed a $48M Series B. The lead investor put two asks on the term sheet: a named security leader and a clean SOC 2 Type II by the next board meeting. They did not have either. Names changed, timing real.

Series B fintech · vCISO Embedded · 9-month engagement

"Tidewater Pay" fintech · 320 employees · Miami, FL

Engagement: vCISO Embedded, 6 hrs/wk · CISO assigned: Marcus Chen, Atlanta · Stack: AWS, Stripe, Plaid, Okta, Drata · Auditor: Big-4 regional
  1. Week 1 Marcus Chen kicks off discovery. NIST CSF gap assessment across all six functions. Tier 1.5 of 4. Found 3 admin accounts without MFA, no IR plan, no vendor reviews.
  2. Week 2 First board update presented to the lead investor: 90-day plan, 9-month SOC 2 timeline, $180K in tooling spend, 2 security hires. Approved same call.
  3. Week 4 MFA universal across the workforce. Drata deployed and integrated with AWS, Okta, GitHub, Jira. 26 controls flipped green in week 4 alone.
  4. Month 2 Policy library written and signed: 38 policies tailored to a fintech handling card-not-present payments. Engineering security training rolled out via KnowBe4.
  5. Month 3 First quarterly board deck presented live by Marcus. Risk register, top 3 threats (BEC, vendor compromise, insider risk), audit roadmap, KRI baselines. Board: "first useful security update we've gotten."
  6. Month 5 Vendor risk program live. 63 vendors inventoried, top 12 critical vendors completed SIG-Lite, BAAs and DPAs in place. Tabletop ransomware exercise run with leadership team.
  7. Month 7 SOC 2 Type I: Big-4 fieldwork started, Marcus on every Zoom. Type I (point-in-time) report issued in 18 days, zero exceptions.
  8. Month 9 SOC 2 Type II issued with an unqualified opinion and zero exceptions. Two enterprise sales unblocked. CFO renewed cyber insurance with an $8K premium reduction tied to controls maturity.
  9. Month 10 Permanent CISO hire announced. Marcus ran the search alongside the CEO, sat on every interview panel, then ran a 30-day handoff. Tidewater stayed on for vCISO Advisory tier as a backstop.
Outcome: Series B board commitments delivered in full. SOC 2 Type II clean. Permanent CISO hired with vCISO support. Total engagement spend roughly 15% of one FTE CISO's all-in cost for the same 9 months.
Industries we run vCISO programs for

Eight industries. CISOs matched on background. No generalist sitting in a healthcare board meeting.

A vCISO who has never built a HIPAA program should not be your healthcare CISO. We match on industry first, then on company stage. Here is the bench.

Fintech & Payments
PCI-DSS, SOC 2, NYDFS Part 500, FFIEC. CISOs with prior payments, lending, or wealth-management leadership.
Healthcare & HealthTech
HIPAA, HITRUST, state privacy laws. CISOs with covered-entity or business-associate experience.
SaaS & B2B Software
SOC 2, ISO 27001, customer security questionnaires. CISOs who have closed enterprise security reviews.
Defense & Aerospace
CMMC, NIST 800-171, ITAR. CISOs with cleared backgrounds and DoD subcontractor experience.
Manufacturing & OT
NIST CSF, IEC 62443, ICS/SCADA. CISOs with OT-IT convergence and ransomware response experience.
Legal & Professional Services
ABA Model Rule 1.6, client security audits, M&A diligence rooms. CISOs with law-firm or Big-4 experience.
PE-Backed & Pre-IPO
Sponsor-driven cybersecurity programs, exit readiness, SEC Item 106 cyber disclosure, S-1 prep.
Education & Nonprofit
FERPA, GLBA, donor data protection. CISOs with constrained-budget program-build experience.
The CISO bench

The people who actually run your program. Named, on retainer, in your weekly meetings.

Our vCISO bench averages 12 years of CISO or deputy-CISO experience. Every CISO has carried at least one company through a SOC 2 audit or a HIPAA compliance program, presented to at least one board, and led at least one P1 incident response before taking a vCISO retainer.

Marcus Chen · Virtual CISO · Atlanta · CISSP, CISM, CCSP
Priya Venkatesh · Incident Response Lead · Tampa · OSCP, GCIH, CRTO
Deandre Williams · Compliance Engineer · Chicago · CISA, CISM, ISO 27001 LA
Miguel Santos · Lead SOC Analyst · Orlando · CISSP, GCIH, GCFA
Aisha Khan · GRC Analyst · Orlando · CISA, HCISPP, CIPP/US
Jordan Reyes · Auditor Liaison · Tampa · CPA, CISA, PCI QSA
FAQ · the ones that actually block the sale

Five questions. Honest answers.

How is this different from a security consultant?

A consultant writes a deck and leaves. A vCISO owns outcomes. Our retainer model puts a named CISO on your account week after week, attending your leadership meetings, owning the security roadmap, and signing the cyber insurance attestation. Consultants bill projects. We bill a flat retainer and live with the consequences of our recommendations because we are the ones implementing them with our SOC and GRC team.

Will you actually present to our board?

Yes. Every Embedded and Executive client gets a quarterly board presentation: an 8- to 12-slide deck covering the risk register, top three threats, KRIs against last quarter, audit and compliance status, incident summary, and the next quarter's investments. We have presented to 6 boards this quarter. The CISO is in the room (or on the Zoom) live, taking questions. We do not hand the deck off.

Can a vCISO replace our CISO permanently or only as a bridge?

Both work. About 60% of our retainers are bridge engagements: company is between hires, or a CISO just left, or they need leadership for 6 to 18 months while a search runs. The other 40% are permanent: under 500 employees, a full-time CISO at $280K to $400K all-in is hard to justify, and a fractional CISO at $4,800 to $9,800 per month gets the same outcomes. We have clients on year five of a permanent vCISO retainer.

What if we don't have any security program today?

That is the most common starting point. The first 30 days is assessment: where are you against NIST CSF, what does your cyber insurance underwriter actually require, what controls would block your next sales deal, what is your real exposure. Then we build the program: policies, controls, runbooks, training, vendor reviews, incident response. Most clients have a board-presentable security posture within 90 days and a clean audit within 6 months.

How fast can you start?

Discovery call this week, signed engagement next week, vCISO on your calendar within 10 business days. We have done same-week starts when a client has an active incident or a board meeting in 5 days, but the standard timeline is 2 weeks from first call to first working session. The vCISO is named and matched to your industry: fintech vCISOs for fintech, healthcare for HIPAA-covered, defense for CMMC. No bait and switch.

Walk into your next board meeting with answers.

30 minutes with a CISO matched to your industry. We'll cover the security questions your board is actually asking, where you are against NIST CSF, what your cyber insurance underwriter needs, and what a realistic vCISO retainer looks like for your company. No sales rep on the call. No deck. Just a CISO.

Book a 30-minute vCISO discovery call Or call (888) 574-5120