
How to Choose a Virtual CISO Provider for Your UK Business

7 June 2026 | 23 min read | By Softomate Solutions

Choose a virtual CISO (vCISO) provider on five criteria: relevant sector and regulatory experience, recognised certifications (CISSP, CISM, ISO 27001 Lead Implementer), a measurable security roadmap with board-level reporting, an engagement model that matches your size, and verifiable references. Expect to pay £2,000 to £6,000 per month on a retainer in the UK, with a well-rounded service landing around £3,500 to £5,000, day rates of £750 to £1,500, and entry packages from roughly £6,000 per year. A full-time UK CISO costs £170,000-plus in salary alone, which is why most SMEs choose fractional. Insist the provider knows ISO 27001, Cyber Essentials, UK GDPR and, if you sell to government, the G-Cloud route. Be sceptical of any provider that cannot name case studies, refuses a reference call, or sells you tools before strategy. The right vCISO reduces risk, wins contracts and survives an audit.

Last updated: June 2026

What Does a Virtual CISO Actually Do?

A virtual CISO gives you the strategic security leadership of a Chief Information Security Officer on a fractional, part-time basis, without the six-figure salary of a full-time hire. The role is governance and direction, not hands-on firewall configuration. A good vCISO owns your security strategy, builds a prioritised roadmap, sets policy, manages risk, reports to the board in plain English, and acts as the accountable security voice when an auditor, insurer, regulator or enterprise client asks who is in charge.

The confusion most UK buyers carry is that they expect a vCISO to do the technical work. They do not. A vCISO decides what needs doing and why, then directs your internal team or an external managed security provider to execute it. Think of the vCISO as the architect and project lead for security, not the bricklayer. If a provider is pitching you a vCISO who will personally patch servers and triage alerts at 2am, you are buying a senior engineer with a fancy title, not strategic leadership.

The core deliverables of a competent vCISO engagement break down into a recognisable set of activities:

  • Security strategy and roadmap. A written, dated, prioritised plan that ties security investment to business risk and commercial goals, not a generic checklist.
  • Governance and policy. Information security policy, acceptable use, access control, incident response and supplier management policies that actually fit how your business operates.
  • Risk management. A maintained risk register with owners, likelihood, impact and treatment decisions the board has signed off.
  • Compliance and certification readiness. Preparing you for ISO 27001, Cyber Essentials, SOC 2 or sector regulation, and steering the audit when it comes.
  • Board and stakeholder reporting. Translating technical risk into commercial language a non-technical board, insurer or client can act on.
  • Incident leadership. Owning the response plan and stepping in as the decision-maker when something goes wrong.

Our honest view: the single biggest value a vCISO delivers is not a document. It is having one accountable person who can sit in front of your board, your cyber insurer and a prospective enterprise customer and credibly answer "are we secure, and how do you know?" Everything else is in service of that.

When Does Your UK Business Actually Need a vCISO?

You need a vCISO when security has become a board-level risk or a commercial blocker but you cannot justify a £170,000 full-time hire. For most UK SMEs that moment arrives well before they have a dedicated security function, and waiting too long is the more expensive mistake. The trigger is rarely a single event; it is usually two or three of the signals below appearing at once.

The clearest signals that the time has come:

  1. You are losing or stalling on contracts. Enterprise and public-sector buyers increasingly send security questionnaires, demand Cyber Essentials, or require ISO 27001 before they will sign. If your sales pipeline is being held up by a security due-diligence form you cannot complete, a vCISO pays for itself in won revenue.
  2. You are scaling fast. Headcount, systems and data are growing faster than your controls. The informal "the IT person handles security" arrangement breaks down somewhere between 25 and 150 staff.
  3. Regulatory pressure is rising. UK GDPR, FCA expectations for financial firms, NHS Data Security and Protection Toolkit requirements, or sector-specific rules now apply to you and nobody owns compliance.
  4. You have suffered or narrowly avoided a breach. A near-miss, a ransomware scare or a reportable incident exposes the absence of leadership. Insurers and the board both start asking hard questions.
  5. Your cyber insurance is getting harder. Renewal questionnaires are longer, premiums are rising, and underwriters want evidence of governance, MFA, backups and an incident response plan.
  6. Investors or acquirers are doing diligence. A funding round or trade sale will surface every gap in your security posture. Cleaning it up reactively under deal pressure is far costlier than getting ahead of it.

The honest rule: if security is currently nobody's actual job, and any of the above applies, you already needed a vCISO three months ago. The cost of the gap is invisible right until it is catastrophic, in lost deals, a regulatory fine, or a breach that a part-time strategist would have prevented for a fraction of the price.

What Are the Key Criteria for Choosing a vCISO Provider?

Choose a vCISO provider on demonstrable, sector-relevant experience first, certifications second, and the quality of their roadmap and reporting third. Everything else is noise. The market is full of generalist consultants who rebadged themselves as vCISOs in the last two years, and a polished website tells you nothing about whether they have actually steered a business like yours through an ISO 27001 audit or a live incident.

Here is the scorecard we would use, weighted by what actually predicts a successful engagement:

| Criterion | What "good" looks like | Weight |
|---|---|---|
| Sector and regulatory experience | Has led security for businesses your size, in your sector, under your regulations (UK GDPR, FCA, NHS DSPT, PCI DSS) | High |
| Individual certifications | CISSP, CISM, CCISO, ISO 27001 Lead Implementer or Lead Auditor held by the named person, not just "the firm" | High |
| Framework fluency | Fluent in ISO 27001, Cyber Essentials, SOC 2, NIST CSF and UK GDPR, and can explain when each matters | High |
| Communication range | Can brief a non-technical board and direct a technical team in the same week without losing either audience | High |
| Measurable roadmap | Produces a dated, prioritised plan with milestones and metrics, not a static gap assessment | Medium |
| Named, consistent person | You get a specific senior practitioner, not a rotating cast of junior analysts behind an account manager | Medium |
| References and case studies | Willing to put you on a call with a comparable client and name specific outcomes | Medium |
| Independence from product sales | Advice is not steered by commission on the tools they want to sell you | Medium |

Two criteria deserve special emphasis because buyers consistently underweight them. The first is communication range. A vCISO who can only talk to engineers is useless in a boardroom, and a vCISO who can only talk to the board is dangerous when directing technical remediation. You need someone fluent in both registers, and you can test it directly in the first call.

The second is the named-person trap. Many providers sell you on a celebrated lead consultant, then deliver the actual work through junior staff while the senior name appears only on monthly slides. Insist on knowing exactly who will hold your engagement, how many days a month they personally commit, and what happens when they are on holiday. Our stance: the certifications must belong to the person sitting in your meetings, not to a logo on the proposal. If a provider hides behind "our team holds these credentials" without naming who is assigned to you, treat that as a fail.

How Much Should a Virtual CISO Cost in the UK?

A UK virtual CISO costs between £2,000 and £6,000 per month on a retainer, with a well-rounded service for a typical SME landing at £3,500 to £5,000 monthly. Day rates run £750 to £1,500 depending on seniority and scope, hourly rates sit at £100 to £250, and lightweight entry packages start from around £6,000 per year. Set against a full-time CISO salary of £170,000-plus before pension, National Insurance, recruitment fees and the months of vacancy while you search, the fractional model is the obvious commercial choice for any business under a few hundred staff.

Pricing is driven by five factors. Understanding them lets you read a quote properly and avoid both overpaying and buying too little:

  1. Scope. A single ISO 27001 readiness push costs less than ongoing, open-ended security leadership across compliance, board reporting and incident response.
  2. Seniority and expertise. A former enterprise CISO with deep regulatory scars commands a premium over a generalist consultant. You usually get what you pay for.
  3. Engagement duration. Longer, committed retainers attract better day rates than ad-hoc, short bursts of work.
  4. Engagement model. Fixed monthly retainer, capped day-rate, or pay-as-you-go hourly each price differently and suit different needs.
  5. Business size and complexity. More staff, more systems, more locations, more regulators and more data all push the price up.

Here is how the tiers typically map to company size and need in 2026:

| Company profile | Typical model | Indicative UK cost | What you get |
|---|---|---|---|
| Micro / start-up (under 25 staff) | Entry package or low retainer | £6,000 to £18,000 per year | Cyber Essentials, core policies, basic roadmap, light board updates |
| SME (25 to 150 staff) | Monthly retainer | £2,500 to £5,000 per month | Full roadmap, ISO 27001 readiness, quarterly board reporting, risk register |
| Mid-market (150 to 500 staff) | Higher retainer or multi-day | £5,000 to £9,000 per month | Multi-framework compliance, supplier risk, incident leadership, monthly board reporting |
| Project-only (any size) | Day rate | £750 to £1,500 per day | Audit prep, gap assessment, due-diligence response, M&A support |

Our honest pricing stance: be sceptical of anyone quoting under £2,000 a month for ongoing strategic leadership, and equally sceptical of premium quotes that cannot articulate what the extra spend buys. The cheapest packages are often a quarterly call and a templated policy pack with the provider's logo swapped onto your letterhead. That is not security leadership; it is a document subscription. Pay for outcomes and accountability, and make sure the contract specifies days committed per month, not a vague "as needed".

vCISO vs Full-Time CISO vs MSSP: Which Do You Need?

You need a vCISO for strategic leadership without the salary, a full-time CISO once security complexity justifies a permanent six-figure executive, and a managed security service provider (MSSP) for the hands-on operational defence the other two direct but do not perform. These are not competing options; in a mature setup a vCISO sets strategy and an MSSP executes the monitoring and response under that strategy. Confusing the three is the most common procurement mistake we see UK SMEs make.


The distinction matters because each solves a different problem. A vCISO answers "what should our security strategy be and are we governed properly?" An MSSP answers "is anyone watching our network right now and responding to threats?" A full-time CISO answers both internally once the business is large enough to keep that executive busy and worth £170,000-plus a year. Here is the comparison:

| Factor | vCISO | Full-time CISO | MSSP |
|---|---|---|---|
| Primary role | Strategy, governance, board reporting | Same as vCISO, full-time and embedded | Operational monitoring and response |
| Typical UK cost | £2,000 to £6,000 per month | £170,000-plus salary plus on-costs | £1,500 to £10,000 per month by coverage |
| Best for | SMEs needing leadership, not headcount | Large or high-risk regulated firms | Any business needing 24/7 defence |
| Time to value | Days to weeks | 3 to 6 months to recruit and onboard | Weeks to deploy |
| Accountability for posture | Yes, owns the strategy | Yes, owns everything | No, owns the service scope only |
| Hands-on technical work | No, directs others | Rarely, leads a team | Yes, this is their job |

The most cost-effective pattern for a growing UK SME is a vCISO plus an MSSP. The vCISO designs the strategy, selects and oversees the MSSP, reports to the board, and steers compliance. The MSSP runs the security operations centre, monitors alerts and contains incidents. You get executive direction and round-the-clock defence for a combined cost that is still a fraction of a full-time CISO plus an in-house team. Our view is blunt: buying an MSSP without a vCISO leaves you with someone watching the alarms but nobody deciding what the building should be protecting, and that gap is where most preventable breaches live.

What Questions Should You Ask Before Signing a vCISO Contract?

Ask ten specific questions before signing, and judge the provider as much on how they answer as on what they say. A strong vCISO welcomes scrutiny and gives concrete, named, dated answers. A weak one deflects to brochure language and "it depends" without ever landing on specifics. Treat the sales conversation as the first deliverable; if they cannot be precise while trying to win your business, they will not be precise once they have your retainer.

The ten questions that separate genuine security leaders from rebadged generalists:

  1. Who exactly will be assigned to us, and what are their certifications? You want a named senior person with CISSP, CISM or ISO 27001 Lead credentials, not "our team".
  2. How many days per month do you personally commit? Vague answers hide thin engagements. You want a number in the contract.
  3. Can you name two clients of our size and sector you have led, and put me on a call with one? Reluctance here is a serious warning sign.
  4. What does month one, month three and month twelve look like for us specifically? A real practitioner can sketch a roadmap on the spot.
  5. Which frameworks are you certifying us against, and is each one actually necessary? A good vCISO will talk you out of unnecessary certifications, not pile them on.
  6. How do you report to a non-technical board? Ask to see a sample, anonymised board pack.
  7. What happens during a live incident at 11pm on a Friday? Establish escalation, availability and who actually picks up the phone.
  8. Are you independent of the tools and services you recommend? Understand any commissions, resale margins or partner incentives.
  9. How do you measure success, and what metrics will you report? Look for risk reduction, audit outcomes and remediation velocity, not activity counts.
  10. What is your notice period and exit handover? You want documented policies, registers and access you keep if you leave.

Pay particular attention to question four. The ability to describe what your first ninety days will look like, on the spot and tailored to your situation, is the single best live test of whether you are talking to someone who has actually done this. Generic answers about "assessing the current state" are fine for a textbook but tell you nothing. A real vCISO will already be asking you about your sales blockers, your last audit, your insurance renewal date and your riskiest supplier before they have signed anything.

What Are the Red Flags That Signal a Bad vCISO Provider?

The biggest red flag is a provider who sells tools before strategy, because it means their commercial incentive is product margin rather than your risk reduction. A genuine vCISO assesses your posture, builds a roadmap, and only then recommends tooling where it fills a real gap. If the second meeting is a product demo for a security platform they happen to resell, you are talking to a vendor wearing a consultant's badge. Walk away.

The full list of warning signs we tell UK businesses to watch for:

  • No named, verifiable case studies. "We help many clients" with nobody you can call is a deflection.
  • Refusal to provide references. Any reputable provider has happy clients willing to speak. Refusal is disqualifying.
  • Certifications that belong to "the firm" not the assigned person. Credentials must sit with whoever is in your meetings.
  • Fear-based selling. Heavy emphasis on breach horror stories and urgency, light on a structured, prioritised plan.
  • One-size-fits-all packages. A vCISO who has not asked detailed questions about your business cannot have a plan for it.
  • Tool-led recommendations. Advice that always lands on buying software, especially software they resell.
  • Vague day commitments. "As needed" or "ongoing support" with no committed days hides a thin engagement.
  • No board-reporting capability. If they cannot show how they communicate to non-technical leadership, half the job is missing.
  • Lock-in on your own data. Policies, registers and documentation should be yours to keep. Be wary of anything held hostage in their portal.
  • Inflated claims about certification. Anyone promising "guaranteed ISO 27001 in 30 days" does not understand the standard.

Run basic due diligence before you sign. Check independent review platforms such as Clutch and Google Business reviews, confirm the named individual's certifications are real and current with the issuing bodies ((ISC)² for CISSP, ISACA for CISM), which offer credential verification, verify the company on Companies House, and actually make the reference call rather than treating it as a formality. Our stance: a provider that resists any of this transparency is telling you exactly how the engagement will go. Security leadership is built on trust and evidence, and a provider who is cagey at the sales stage will be cagey when an auditor or insurer asks you hard questions later.

What Should the First 90 Days With a vCISO Look Like?

The first 90 days should move from discovery to a prioritised roadmap to early, visible wins, in that order. By day 90 you should have a documented current-state assessment, a risk register the board has seen, a dated roadmap tied to your commercial goals, and at least two or three quick wins already delivered. If a provider is still "getting up to speed" at the three-month mark, the engagement is failing and you should say so.

A well-run onboarding follows a recognisable rhythm. Use this as your own checklist to hold the provider to account:

| Phase | Timeframe | What should happen | Your deliverable |
|---|---|---|---|
| Discovery | Weeks 1 to 3 | Stakeholder interviews, asset and data mapping, review of existing controls, contracts and insurance | Current-state assessment |
| Risk assessment | Weeks 3 to 6 | Gap analysis against relevant frameworks, threat and impact rating, supplier risk review | Risk register with owners |
| Roadmap | Weeks 6 to 9 | Prioritised, dated plan tying remediation to business risk and commercial goals, with budget | Security roadmap and board briefing |
| Quick wins | Weeks 4 to 12 | MFA enforcement, backup verification, policy approval, Cyber Essentials submission started | Demonstrable risk reduction |
| Governance rhythm | From week 9 | Establish recurring board reporting, risk reviews and remediation tracking | Reporting cadence agreed |

The quick-wins phase is the one that builds internal confidence and justifies the spend early. Enforcing multi-factor authentication across your stack, confirming that backups actually restore, getting core policies approved, and starting a Cyber Essentials submission are all achievable inside the first three months and all materially reduce risk. Cyber Essentials in particular is frequently mandatory to bid for UK government and public-sector contracts, so getting it underway can directly unblock revenue.

Our view on onboarding: the discovery phase is where you learn whether you hired well. A strong vCISO spends those first three weeks asking about your business, your customers, your contracts and your fears, not just your firewalls. Security strategy that is not anchored to what the business is trying to achieve is just a compliance exercise, and compliance for its own sake is the most expensive way to feel safe while remaining exposed.

What Does the Softomate vCISO Engagement Process Look Like?

Softomate Solutions delivers fractional security leadership for UK SMEs through a five-stage process built around fixed-quote engagements, a named senior practitioner, and a roadmap tied to your commercial goals rather than a generic checklist. We are a London-based technology and automation agency in Stanmore (HA7), and our vCISO work sits alongside the software, automation and infrastructure engineering we already deliver, which means our security strategy is grounded in how systems are actually built and run, not just how they are audited.

Our five stages:

  1. Discovery and scoping. We map your assets, data, systems, contracts, regulatory obligations and current controls, and agree a fixed-quote scope so there are no surprise invoices.
  2. Risk assessment and gap analysis. We benchmark you against the frameworks that genuinely matter for your sector (ISO 27001, Cyber Essentials, UK GDPR, SOC 2 where relevant) and build a risk register with owners and treatment decisions.
  3. Roadmap and board sign-off. You receive a dated, prioritised security roadmap costed against business risk, and we present it to your board or leadership in plain commercial language.
  4. Implementation oversight. We direct your internal team or partners, and our own engineers where you want hands-on delivery, to execute the roadmap, including any automation, CRM, or custom system hardening required.
  5. Ongoing governance. Recurring board reporting, risk reviews, incident leadership, certification maintenance and continuous improvement on a monthly retainer.

Indicative timeline and pricing:

| Stage | Typical timeline | Indicative starting price |
|---|---|---|
| Discovery and scoping | Weeks 1 to 2 | From £2,500 fixed |
| Risk assessment and gap analysis | Weeks 2 to 5 | From £3,500 fixed |
| Roadmap and board sign-off | Weeks 5 to 8 | Included in assessment scope |
| Implementation oversight | Ongoing | Scoped per roadmap |
| Ongoing governance retainer | Monthly | From £2,500 per month |

Where we differ from pure-play consultancies is that we can both advise and build. If your roadmap calls for hardening a custom application, securing a CRM, locking down an integration, or automating a control, our engineering teams can deliver it under the same roof. Many security gaps in UK SMEs sit inside bespoke systems, and our work in custom CRM development, business process automation and software development means we secure the systems we understand from the inside, not just the perimeter around them. Engagements start from a fixed-quote discovery so you know the cost before you commit, and you can talk to our team to scope yours.

Frequently Asked Questions

How much does a virtual CISO cost per month in the UK?

A UK virtual CISO typically costs £2,000 to £6,000 per month on a retainer, with a well-rounded service landing around £3,500 to £5,000. Day rates run £750 to £1,500 and lightweight entry packages start near £6,000 per year. The price depends on scope, seniority, your size and the engagement model.

Is a vCISO required for ISO 27001 certification?

No. ISO 27001 does not require you to appoint a CISO or vCISO to achieve certification. The standard requires defined responsibilities, leadership commitment and an information security management system, but a vCISO is one practical way to deliver that, not a mandatory tick-box. Many small organisations certify with fractional leadership rather than a full-time hire.

What is the difference between a vCISO and an MSSP?

A vCISO provides strategic security leadership: strategy, governance, risk management and board reporting. A managed security service provider (MSSP) provides operational defence: monitoring, alerting and incident response. The vCISO decides what should be protected and how; the MSSP executes the day-to-day technical defence. Most growing SMEs benefit from having both, with the vCISO overseeing the MSSP.

How is a vCISO different from a full-time CISO?

A vCISO does the same strategic job as a full-time CISO but part-time and fractional, at £2,000 to £6,000 a month rather than a £170,000-plus salary. You get senior leadership without the headcount, recruitment delay or on-costs. A full-time CISO makes sense once security complexity is high enough to keep a permanent executive fully occupied.

When does my business actually need a vCISO?

You need a vCISO when security has become a board-level risk or a commercial blocker, but a full-time hire is not justified. Common triggers include losing contracts over security questionnaires, scaling fast, rising regulatory pressure, a breach or near-miss, harder cyber insurance renewals, or investor and acquirer due diligence.

What certifications should a good vCISO hold?

Look for CISSP, CISM, CCISO, or ISO 27001 Lead Implementer or Lead Auditor held by the specific person assigned to you, not just claimed at firm level. These credentials evidence strategic and governance competence. Combined with sector-relevant experience and verifiable case studies, they are a reliable filter for genuine security leadership.

Do I need Cyber Essentials, and can a vCISO help?

Cyber Essentials is frequently mandatory to bid for UK government and public-sector contracts and is a strong baseline for any business. A vCISO can scope, prepare and steer your certification, often as an early quick win within the first 90 days, directly unblocking tenders that require it before they will let you compete.

How long does a vCISO engagement usually last?

It varies. Project-based engagements such as ISO 27001 readiness may run three to six months, while ongoing strategic leadership is typically a rolling monthly retainer with a defined notice period. Many businesses start with a fixed-scope assessment, then move to a retainer once the roadmap is set. Insist on a clear exit and data handover.

What red flags should I watch for when choosing a vCISO?

Watch for providers who sell tools before strategy, refuse references, claim certifications at firm level without naming the assigned person, use fear-based selling, offer one-size-fits-all packages, give vague day commitments, or cannot demonstrate board reporting. Verify the company on Companies House and check independent reviews before signing anything.

Can a vCISO help with cyber insurance renewals?

Yes. A vCISO can complete or strengthen the security questionnaires underwriters now demand, evidence controls such as MFA, backups and incident response, and present your posture credibly. Better governance frequently lowers premiums and prevents the policy gaps that lead to declined claims after an incident. This is one of the clearest near-term returns on a vCISO retainer.

Choosing a virtual CISO comes down to a disciplined comparison, not a leap of faith. Weight sector and regulatory experience and the named person's certifications above everything, expect to pay £2,000 to £6,000 a month against a £170,000-plus full-time salary, and insist on a measurable, dated roadmap with board-level reporting. Use the ten questions to test for specifics, and treat tool-led selling, missing references and firm-level-only credentials as disqualifying red flags. Remember a vCISO sets strategy while an MSSP runs operations, and most growing UK SMEs benefit from both. Hold the first 90 days to a clear standard: discovery, risk register, roadmap and early wins by day ninety. Get this decision right and your vCISO will win contracts, satisfy auditors, calm insurers and prevent a breach that would cost many times a part-time strategist's fee. Get it wrong and you have bought an expensive document subscription. Start with a scoped assessment, not an open-ended retainer.

If you are weighing up fractional security leadership for your UK business, Softomate Solutions offers fixed-quote vCISO engagements alongside our wider engineering work, including business process automation and custom software development. Get in touch to scope a discovery assessment.

Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software, automation and security agency in Stanmore (HA7). With over 12 years building software and automation systems for UK businesses, Deen leads engagements that combine strategic security leadership with hands-on engineering, securing the bespoke systems most consultancies only audit from the outside. Softomate Solutions is registered at Companies House.
