vCISO — Virtual CISO

The external Chief Information Security Officer. Ongoing strategic support to leadership, roadmap, risk register and board-ready reporting — without the cost of a senior internal hire.

SMEs and growing companies cannot afford a full-time senior CISO, yet they need the strategic contribution: defining security governance, building the risk register, engaging with management and the board, managing critical suppliers, responding to regulatory requirements. Our vCISO service delivers these competencies in a flexible model, with a monthly commitment calibrated to your organisation.

-70% Compared to the cost of a senior internal CISO
4 monthly working sessions included
90d Onboarding and first strategic plan
NIS2 Regulatory compliance support included
01

You have no internal CISO but need the strategic vision

Your organisation is growing and the attack surface is expanding. The IT Manager alone cannot also cover the strategic security governance.

02

The board is requesting visibility on cyber risk

The Board of Directors or investors require structured reporting on cyber risk. You need someone to build this communication effectively.

03

You are building a security programme from scratch

You want to establish policies, procedures, risk management and a multi-year investment plan. You need expert guidance to avoid wasting budget.

04

You have NIS2 obligations and do not know how to structure governance

NIS2 requires a formalised security governance model, with risk analysis, documented measures and reporting to governing bodies.

What we do

  • Assessment of the current security posture
  • Risk register and risk management framework development
  • 12–24 month strategic security roadmap
  • Security KPIs and metrics for management
  • Policy framework: policies, standards, procedures
  • Critical supplier governance (TPRM)
  • NIS2, GDPR, ISO 27001 compliance support
  • Participation in board and management meetings (on-demand)

What you receive

  • Updated risk register with scoring and priorities
  • Security roadmap with objectives and budget
  • Quarterly board report (executive format)
  • KPI dashboard for management
  • Documented and updatable policies and procedures
  • Staff training plan
  • Ongoing support via email and call
CEO / Fondatori CDA / Board IT Manager CFO / Risk Soggetti NIS2
How many monthly hours does the vCISO service include?
The standard service includes 4 monthly sessions (one per week, 1–2 hours each) plus asynchronous email support. For organisations with greater needs, an enhanced plan is available with additional sessions and availability for extraordinary meetings.
Can the vCISO attend board meetings?
Yes. Attendance at Board of Directors or executive management meetings is included in the standard service up to 4 times per year, and on-demand for customised plans. We also prepare board-ready documentation for the presentation of the risk register.
How does the vCISO integrate with my internal IT team?
The vCISO does not replace the IT team but amplifies its effectiveness at the strategic level: setting priorities, building governance and providing the overarching vision that is often lacking in a team focused on day-to-day operations.

Start with a free assessment call

30 minutes to understand your current situation and propose a vCISO model tailored to your organisation.