
A Virtual CISO (vCISO) is an experienced, part-time Chief Information Security Officer you hire as a service rather than a salaried employee. They set your security strategy, own your risk and governance programme, report to the board, lead compliance work (ISO 27001, Cyber Essentials, SOC 2, UK GDPR) and direct your team during an incident, without doing hands-on firewall or pen-test work. In the UK a vCISO costs roughly £2,000 to £7,000 per month, or £700 to £1,100 per day, which is 40 to 70 per cent cheaper than a full-time CISO on a £120,000 to £250,000 salary. Your business probably needs one if clients send security questionnaires, you handle regulated or sensitive data, you are chasing a certification, or you are scaling past 25 staff with nobody owning security. With 43 per cent of UK businesses breached in the past year, the question is rarely "if" but "who owns the response".
Last updated: June 2026
A Virtual CISO is a senior security leader who carries out the duties of a Chief Information Security Officer on a flexible, retained basis instead of as a full-time member of staff. You buy a fraction of one experienced person's time, typically a few days a month, and in return you get the strategic ownership of security that a salaried CISO would provide. The "virtual" part means the engagement is remote-first and elastic: you scale time up during a certification push or an incident, and down once things stabilise.
The model exists because the maths of a full-time hire rarely works for a small or mid-sized UK business. A capable CISO commands £120,000 to £250,000 before National Insurance, pension, training and recruitment costs, and most firms under a few hundred staff cannot fill that role for forty hours a week with genuine strategic work. A vCISO gives you the seniority without the salary, and the breadth of someone who has run security across dozens of organisations rather than the narrow lens of one career.
Crucially, a vCISO is a leadership role, not a technical delivery role. They are the person who decides what your security programme should be and holds your organisation accountable for it. They are not the person who configures your firewall, patches your servers or runs the penetration test. That distinction trips up a lot of buyers, so it is worth fixing early: you are hiring judgement, governance and board-level credibility, not a pair of hands.
Our honest view: the term "virtual CISO" is over-used by providers who are really selling a glorified audit or a compliance checklist. A real vCISO owns risk over time, sits in front of your board, signs off on decisions and is there at 2am when something goes wrong. If a provider cannot tell you who specifically will be your named CISO and how often they will attend your leadership meetings, you are buying a document, not a leader.
A vCISO owns the strategy, governance and accountability of your information security programme, then directs your internal team and suppliers to deliver it. Think of the role as the difference between a building's architect and its builders: the vCISO designs the structure, sets the standards and signs off the work, while engineers, MSPs and testers lay the bricks. Their week is spent on governance documents, risk decisions, board updates and supplier oversight rather than on a keyboard configuring kit.
In practice the responsibilities cluster into six areas. First, security strategy and roadmap: defining where the organisation needs to get to over twelve to eighteen months and sequencing the work. Second, governance and policy: writing and maintaining the information security policy set, acceptable use, access control, data retention and so on. Third, risk management: maintaining a live risk register, scoring threats, and deciding what to treat, tolerate, transfer or terminate. Fourth, compliance and certification: steering you through ISO 27001, Cyber Essentials, SOC 2 or sector-specific regimes. Fifth, board and stakeholder reporting: turning technical noise into a one-page risk picture directors can act on. Sixth, incident leadership: being the calm, accountable voice that runs the response when something breaks.
The governance gap in UK business is exactly why this role matters. Only 31 per cent of UK businesses have someone at board level taking responsibility for cyber security, down from 38 per cent in 2021, and just 25 per cent have a formal incident response plan. A vCISO closes both gaps directly: they become the board-level owner and they build the plan before you need it.
| What a vCISO does | What a vCISO does NOT do |
|---|---|
| Set security strategy and 18-month roadmap | Configure firewalls or VPNs |
| Own the risk register and treatment decisions | Patch servers or manage endpoints |
| Lead ISO 27001 / Cyber Essentials certification | Run the penetration test themselves |
| Report cyber risk to the board in plain English | Answer the IT helpdesk queue |
| Direct the incident response when a breach hits | Rebuild compromised systems by hand |
| Review and challenge supplier security | Write your application code |
A good vCISO also acts as your security translator with customers. When an enterprise prospect sends a 200-line security questionnaire as a condition of signing, the vCISO owns the response, knows which answers are credible, and where needed will join the call to give the buyer's security team confidence. That single capability often pays for the engagement on its own.
The cleanest way to see the difference is that a vCISO and a full-time CISO do the same job at different scales of time and cost, while an MSP and an IT manager do a fundamentally different job: operations, not governance. Confusing these four roles is the single most common mistake we see UK business owners make, and it leads to firms assuming their MSP "has security covered" when in fact nobody owns the strategy at all.
An MSP (managed service provider) keeps your systems running: monitoring, patching, backups, helpdesk, sometimes a managed firewall or endpoint detection. That is essential operational hygiene, but an MSP is a supplier you should be governing, not the body that governs you. There is an obvious conflict of interest in asking the company that sells you security tooling to also independently judge whether your security is adequate. An IT manager, meanwhile, is usually stretched thin on day-to-day delivery and rarely has the seniority, the time or the board mandate to own enterprise risk and compliance.
| Dimension | vCISO | Full-time CISO | MSP | IT Manager |
|---|---|---|---|---|
| Primary focus | Strategy, risk, governance | Strategy, risk, governance | Systems operations | Day-to-day IT delivery |
| Seniority | Board-level | Board-level | Vendor team | Operational |
| Typical UK cost | £2,000-£7,000/month | £120,000-£250,000/year | £800-£4,000/month | £40,000-£65,000/year |
| Time to engage | Days | 3-6 months | Weeks | 1-3 months |
| Breadth of experience | Many organisations | One at a time | Many, but operational | One organisation |
| Owns compliance/certification | Yes | Yes | Rarely | Rarely |
| Independent of your tooling | Yes | Yes | No (sells the tools) | N/A |
The honest rule: you need all of the layers that apply to you, and they are not interchangeable. A healthy mid-sized UK firm often runs an MSP for operations, an internal IT manager or team for delivery, and a vCISO sitting above both to set direction, govern the suppliers and answer to the board. The vCISO is the only one of the four whose job is to challenge the others. Be sceptical if an MSP tries to sell you a "vCISO add-on" that is really their own account manager marking their own homework. Independence is the whole point of the role.
The other difference worth naming is speed and flexibility. A full-time CISO takes three to six months to recruit in a competitive UK market, and if the hire is wrong you are locked into a lengthy and expensive exit. A vCISO can be engaged in days, and if the fit is poor you change provider with thirty days' notice. For a business that needs senior security leadership now, not next quarter, that responsiveness is a decisive advantage.
You probably need a vCISO if at least three of the triggers below apply to you, and you almost certainly need one if any single trigger is "we are losing or risking deals because of it". The decision is not about company size in isolation; it is about the gap between the security expectations placed on you and the security ownership you currently have. A 20-person SaaS firm selling to banks needs a vCISO more urgently than a 200-person business with no regulated data and no enterprise clients.
Run yourself through this scorecard honestly. Each "yes" is a point. The more points, the stronger the case.
| Trigger | Why it matters | Yes / No |
|---|---|---|
| Clients send security questionnaires before signing | You are losing time or deals without credible answers | |
| You handle regulated, personal or sensitive data | UK GDPR Article 32 requires appropriate technical and organisational measures | |
| You are pursuing ISO 27001, SOC 2 or Cyber Essentials | Certifications need a named owner and ongoing governance | |
| Nobody at board level owns cyber risk | Only 31% of UK firms have board-level cyber ownership | |
| You have no formal incident response plan | Only 25% of UK businesses have one; breaches are likely | |
| You are scaling fast (past ~25 staff) | Informal security stops working at scale | |
| You operate in finance, legal, healthcare or as a supplier to them | Sector regimes (the UK NIS Regulations, DORA where you serve EU financial entities, contractual clauses) apply | |
| You have suffered a breach or near-miss | You need ownership to prevent the next one | |
| Cyber insurance is asking harder questions at renewal | Insurers increasingly require demonstrable governance | |
The data backs up the urgency. The UK government's Cyber Security Breaches Survey reports that 43 per cent of businesses identified a breach or attack in the last twelve months, which scales to roughly 612,000 firms. The figure climbs to 65 per cent for medium-sized businesses and 69 per cent for large ones, against 46 per cent for small and 42 per cent for micro firms. As you grow, you become a bigger and more attractive target precisely as your informal, founder-led security habits stop scaling.
Our stance: the wrong reason to get a vCISO is fear, and the right reason is leverage. If you are buying one only because you read a scary statistic, you will treat it as a grudge purchase and get little value. If you are buying one because security is now a commercial gate on your growth, a sales blocker, a certification you need, an insurance condition, a regulator on the horizon, then a vCISO is one of the highest-leverage hires you can make. Be sceptical of any provider who leads with fear rather than with your actual business objectives.
A UK vCISO typically costs between £2,000 and £7,000 per month on a retainer, with a full-service engagement commonly landing at £3,500 to £5,000 per month, or you can buy time at a day rate of roughly £700 to £1,100 per day. That is 40 to 70 per cent cheaper than a full-time CISO once you load a £120,000 to £250,000 salary with National Insurance, pension, benefits, training, recruitment fees and the cost of the three-to-six-month hiring gap. The exact figure depends on your size, your sector, your certification ambitions and how many days a month you need.
There are three common pricing models, and the right one depends on whether your need is ongoing, intermittent or project-shaped.
| Model | Typical UK price (2026) | Best for | What it includes |
|---|---|---|---|
| Foundation retainer | £2,000-£3,000/month | Small firms starting their programme | ~2 days/month: policy set, risk register, quarterly board report, email/Slack access |
| Full-service retainer | £3,500-£5,000/month | Firms in active certification or growth | ~4-6 days/month: full programme ownership, monthly board meeting, supplier reviews, questionnaire support, incident readiness |
| Enterprise retainer | £5,500-£7,000+/month | Regulated or multi-entity businesses | ~6-8 days/month: DORA/NIS oversight, multiple frameworks, audit liaison, named deputy cover |
| Day rate | £700-£1,100/day | Ad hoc or seasonal needs | Pay-as-you-go advisory, no fixed commitment |
| Fixed-scope project | £6,000-£25,000 one-off | A single certification push | Defined deliverable, e.g. ISO 27001 readiness, with a fixed quote |
It helps to see the full-time comparison laid out as total cost of ownership rather than headline salary, because the salary is only part of the bill.
| Cost line | Full-time CISO (annual) | vCISO (annual) |
|---|---|---|
| Base remuneration | £170,000 | Included in retainer |
| Employer NI and pension | £28,000+ | None |
| Recruitment fee (20-25%) | £34,000+ one-off | None |
| Training and certifications | £3,000-£6,000 | Included |
| Time-to-productivity gap | 3-6 months lost | Days |
| Indicative total year one | £235,000+ | £42,000-£60,000 |
Our honest view on price: the cheapest retainer is rarely the best value, and the most expensive is rarely necessary for an SME. Be wary of two extremes. A £900-a-month "vCISO" is almost always a thin compliance template with no genuine leadership behind it. Conversely, an enterprise-priced engagement is overkill if you are a 30-person firm chasing a single Cyber Essentials certificate. Match the model to the job. And insist on a fixed quote for any defined project: a certification readiness piece should never be billed open-endedly by the hour, because the scope is knowable up front.
A vCISO steers you through every major UK and international security framework, owning the governance work that certification bodies and regulators actually assess. The framework you target should be driven by your customers and your regulator, not by fashion: enterprise buyers usually want ISO 27001 or SOC 2, UK public-sector and supply-chain work often mandates Cyber Essentials, payment handling triggers PCI DSS, and financial services face DORA and the NIS Regulations. A good vCISO maps these to your situation and sequences them so you are not paying for certifications you do not need.
Here is how the main frameworks differ and where each fits a UK business.
| Framework | What it is | Who needs it | vCISO role |
|---|---|---|---|
| Cyber Essentials / Plus | UK government baseline scheme covering five technical controls | Firms wanting public-sector contracts or a credible entry-level mark | Owns the controls, prepares the assessment, fixes gaps |
| ISO 27001 | International standard for an information security management system | Firms selling to enterprise or scaling internationally | Builds and runs the ISMS, leads the certification audit |
| SOC 2 | US-origin attestation on security controls, common in SaaS | SaaS firms selling to US or enterprise buyers | Designs controls, manages the audit window and evidence |
| PCI DSS | Payment Card Industry Data Security Standard | Any business storing or processing card data | Scopes the cardholder environment, oversees compliance |
| UK GDPR (Art. 32) | Legal duty to apply appropriate technical and organisational measures | Every business handling personal data | Ensures measures are proportionate and documented |
| NIS Regulations 2018 (UK) / NIS2 (EU) | Security obligations for operators of essential services and relevant digital service providers; NIS2 is the EU regime and reaches UK firms only through EU operations or customers | Operators of essential services and key digital providers | Maps obligations, evidences compliance |
| DORA | EU Digital Operational Resilience Act for financial entities; binds UK firms only where they are EU-regulated or supply critical ICT services to EU financial entities | EU-regulated financial firms and their critical ICT suppliers | Owns resilience testing, third-party risk and reporting |
The common thread is that none of these frameworks is a one-off purchase. ISO 27001 requires surveillance audits, Cyber Essentials needs annual recertification, SOC 2 is a continuous evidence exercise, and UK GDPR is a permanent legal duty. This is exactly why a project-only consultant who disappears after the certificate is signed leaves you exposed: certifications lapse, controls drift, and the next audit becomes a crisis. A vCISO keeps the management system alive between audits, which is where most of the real risk reduction happens.
In the first 90 days a good vCISO moves from discovery to a prioritised, board-approved programme, with quick wins delivered along the way so you feel value within weeks rather than months. The aim of the first quarter is not a finished, certified, perfect security posture: it is a clear, honest picture of where you stand, a ranked list of what to fix, and momentum on the highest-risk gaps. Beware any provider who promises full certification in 90 days for anything non-trivial; that is a sales claim, not a security plan.
A realistic roadmap looks like this.
| Phase | Timeframe | Focus | Output |
|---|---|---|---|
| Discovery | Days 1-15 | Asset, data and supplier mapping; current controls review | Baseline assessment and asset inventory |
| Risk picture | Days 15-30 | Risk register, threat scoring, gap analysis against target framework | Prioritised risk register and board summary |
| Quick wins | Days 20-45 | MFA enforcement, backup verification, joiner/leaver process, policy basics | High-impact fixes shipped |
| Roadmap and governance | Days 45-70 | 18-month roadmap, policy set, incident response plan | Approved roadmap and IR plan |
| Embed and report | Days 70-90 | First full board report, supplier review kickoff, training plan | Operating rhythm established |
Some of those quick wins close the exact gaps the national data exposes. Only 47 per cent of UK businesses require multi-factor authentication on critical accounts, so enforcing MFA in week three is often the single biggest risk reduction available for almost no cost. Only 15 per cent of firms review the security risk posed by their immediate suppliers and just 6 per cent look at the wider supply chain, so starting a basic supplier review is another fast, high-value move. And with only a quarter of businesses holding a formal incident response plan, writing yours in the first 90 days takes you from the vulnerable majority to the prepared minority.
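Two of the quick wins above, the joiner/leaver process and MFA on critical accounts, are easy to state and easy to let drift. The following added example, which is not code from the page or from Softomate Solutions, shows the kind of reconciliation a vCISO would ask the IT team or MSP to run monthly as evidence: it compares a constructed identity-provider user export against a constructed HR leaver list and flags leavers whose accounts are still enabled, privileged accounts with no MFA enrolment, and enabled accounts with no recent sign-in. The column names, the privileged-role list and the 90-day staleness threshold are assumptions to adapt to your own tenant and exports.

```python
"""Added example (not the page's or Softomate's own code): reconcile a
constructed identity-provider user export against a constructed HR leaver
list to surface quick-win gaps: leavers still enabled, privileged accounts
without MFA, and stale enabled accounts. Column names are assumed; adapt
them to your IdP and HR exports."""
import csv
import io
from datetime import date, timedelta

# Constructed sample exports for illustration only; not real accounts.
IDP_EXPORT = """\
user,enabled,mfa_enrolled,roles,last_sign_in
alice@example.co.uk,true,true,Global Administrator,2026-06-10
bob@example.co.uk,true,false,Global Administrator;Exchange Administrator,2026-06-11
carol@example.co.uk,true,true,User,2026-06-09
dave@example.co.uk,true,false,User,2026-03-02
erin@example.co.uk,false,false,User,2025-12-20
"""

HR_LEAVERS = """\
email,leaving_date
dave@example.co.uk,2026-04-30
erin@example.co.uk,2025-12-31
"""

# Assumed set of roles treated as privileged; tailor to your tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator"}
STALE_AFTER_DAYS = 90  # assumed threshold for "no recent sign-in"


def parse_export(text: str) -> list[dict]:
    """Parse a CSV export into dict rows, normalising the email column to lower case."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        key = "user" if "user" in row else "email"
        row[key] = row[key].strip().lower()
    return rows


def orphaned_leaver_accounts(idp_rows, hr_rows, today):
    """Leavers whose leaving date has passed but whose account is still enabled."""
    left = {r["email"]: date.fromisoformat(r["leaving_date"]) for r in hr_rows}
    return sorted(r["user"] for r in idp_rows
                  if r["enabled"] == "true"
                  and r["user"] in left and left[r["user"]] < today)


def privileged_without_mfa(idp_rows):
    """Enabled accounts holding a privileged role with no MFA enrolment."""
    return sorted(r["user"] for r in idp_rows
                  if r["enabled"] == "true"
                  and r["mfa_enrolled"] != "true"
                  and set(r["roles"].split(";")) & PRIVILEGED_ROLES)


def stale_enabled_accounts(idp_rows, today):
    """Enabled accounts with no sign-in for STALE_AFTER_DAYS; candidates for disabling."""
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    return sorted(r["user"] for r in idp_rows
                  if r["enabled"] == "true"
                  and date.fromisoformat(r["last_sign_in"]) < cutoff)


def run_checks(today_iso: str = "2026-06-15") -> dict:
    """Run all three checks against the sample data and return findings by check name."""
    today = date.fromisoformat(today_iso)
    idp = parse_export(IDP_EXPORT)
    hr = parse_export(HR_LEAVERS)
    return {
        "orphaned_leavers": orphaned_leaver_accounts(idp, hr, today),
        "privileged_without_mfa": privileged_without_mfa(idp),
        "stale_enabled": stale_enabled_accounts(idp, today),
    }


if __name__ == "__main__":
    for check, accounts in run_checks().items():
        print(f"{check}: {accounts or 'none'}")
```

Run against your real exports, an empty result for every check is the evidence line in the board report; a non-empty one is an action with a named owner and a date. Disabled accounts are deliberately excluded from every check so that a leaver who has been correctly offboarded does not keep reappearing as noise.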
Our stance on the first quarter: judge a vCISO on the quality of their questions, not the speed of their answers. A strong CISO spends the early weeks understanding your business model, your data flows and your commercial pressures before prescribing controls. If a provider arrives with a pre-written 80-control plan on day one without learning what you actually do, they are selling you a template, and templates are exactly what attackers and auditors see through.
Choose a vCISO provider on three things above all: who specifically will be your named CISO, their independence from the tools and suppliers they will be judging, and their track record in your sector and with your target framework. Everything else, price, contract length, reporting cadence, is negotiable detail. Get those three right and the engagement tends to work; get them wrong and no amount of polished sales material will save it.
Ask these questions before you sign, and treat evasive answers as a red flag.
| Green flag | Red flag |
|---|---|
| Names a specific, credentialed CISO for your account | Talks only about "the team" and avoids naming anyone |
| Independent of your tooling and MSP | Bundles the vCISO with products they profit from selling |
| Fixed quote for defined projects | Open-ended hourly billing with no scope |
| Leads with your commercial objectives | Leads with fear and breach statistics |
| Shows anonymised sector references | Cannot point to comparable work |
| Clear notice period and documented handover | Lock-in contracts and proprietary, non-portable documents |
One client, R. Kumar, a UK SaaS founder, summed up the lesson well after switching providers: "Our first vCISO sent us a folder of policies and vanished. The second one sat in our board meetings, owned our ISO 27001 audit end to end, and answered the phone the night we had a phishing scare. The difference was leadership versus paperwork." That is the distinction to buy for. Documents are cheap; accountable leadership is not.
Softomate Solutions runs vCISO and security advisory engagements for UK businesses through a five-stage process with a fixed-quote model, a named senior lead and starting prices from £2,400 per month. We are a London-based technology and automation agency in Stanmore (HA7), and our security work is grounded in the same engineering discipline we bring to building software and automating operations: clear scope, measurable outcomes and no jargon-driven upsell. We tell you what you need, what you do not, and what it will cost up front.
Our engagement follows five stages.
| Stage | Timeline | You receive |
|---|---|---|
| Discovery and scoping | Weeks 1-2 | Baseline assessment, fixed quote |
| Risk assessment and roadmap | Weeks 2-4 | Risk register, board-approved roadmap |
| Quick wins and governance | Weeks 3-6 | High-impact fixes, incident response plan |
| Certification and embedding | Months 2-6 | Certification readiness, live ISMS |
| Ongoing leadership | Continuous | Monthly board reporting, on-call incident lead |
Pricing starts at £2,400 per month for a foundation retainer and is always confirmed as a fixed quote after the discovery call, so you never face an open-ended bill. Defined projects such as ISO 27001 readiness are quoted as a single fixed price before any work begins. Beyond the vCISO role, we frequently combine security with the practical engineering that reduces risk in the first place, including business process automation that removes fragile manual handling of sensitive data, custom CRM development with proper access controls built in, and secure software development where security is designed in rather than bolted on. If your risk lives in messy manual processes and ageing systems, fixing the systems is often the most cost-effective security control there is.
A security consultant delivers a defined piece of work, an audit or assessment, then leaves. A vCISO is an ongoing leader who owns your security programme over time, sits on your board, makes accountable risk decisions and leads incident response. You hire a consultant for a task and a vCISO for continuous ownership.
Most UK vCISO engagements run between two and eight days per month. A small firm building its first programme might need two to three days, while a business in active certification or facing a regulator often needs four to six. The arrangement should scale up during incidents or audits and down once things stabilise.
Yes, when security has become a commercial gate: clients sending questionnaires, a certification you need, regulated data, or an insurance condition. At £2,000 to £5,000 a month it is 40 to 70 per cent cheaper than a full-time CISO and far more senior than asking an overstretched IT manager to own enterprise risk part-time.
No. A vCISO sets strategy, owns governance and directs delivery, but does not configure firewalls, patch servers or run penetration tests. Those tasks belong to your internal team, your MSP or specialist testers. The vCISO decides what should happen and holds everyone accountable; the technical teams carry it out.
Yes. Leading ISO 27001 certification is one of the most common reasons UK businesses engage a vCISO. They build and run the information security management system, complete the gap analysis, prepare evidence, manage the certification audit and keep the system alive through surveillance audits so the certificate does not lapse.
Days, typically. Unlike a full-time CISO that takes three to six months to recruit, a vCISO can usually start within a week of the discovery call. This speed is one of the model's biggest advantages when security has suddenly become urgent, such as an enterprise deal stalling on a security questionnaire.
Be cautious. An MSP runs your operations and often sells the tools a vCISO is meant to independently assess, which is a clear conflict of interest. The value of a vCISO is impartial governance that challenges your suppliers, including your MSP. Keep the roles separate so nobody is marking their own homework.
Your vCISO becomes the calm, accountable lead who runs the response: invoking the incident plan, coordinating technical teams, advising the board, managing regulatory notifications such as the UK GDPR duty to report a personal-data breach to the ICO within 72 hours of becoming aware of it where it is likely to put individuals at risk, and handling communications. Having that leadership pre-agreed before an incident is far better than improvising during one.
Usually yes. Certifications are not one-off events: ISO 27001 needs surveillance audits, Cyber Essentials needs annual renewal, and UK GDPR is a permanent duty. Controls drift and threats evolve between audits. A vCISO keeps the management system alive so your next audit is routine rather than a last-minute scramble.
A UK vCISO costs roughly £2,000 to £7,000 per month, against a full-time CISO salary of £120,000 to £250,000 plus National Insurance, pension, recruitment fees and training. Loaded total cost of ownership for a full-time hire often exceeds £235,000 a year, making a vCISO 40 to 70 per cent cheaper in practice.
A Virtual CISO gives a UK business board-level security leadership for a fraction of the cost and commitment of a full-time hire: £2,000 to £7,000 a month against a £120,000 to £250,000 salary, engaged in days rather than recruited over months. The role is strategy, governance, compliance and incident leadership, not hands-on technical work, and it sits above your MSP and IT team rather than replacing them. You likely need one if clients send security questionnaires, you handle regulated data, you are chasing ISO 27001 or Cyber Essentials, or nobody owns cyber risk at board level, a gap that affects most UK firms. With 43 per cent of businesses breached in the past year and only 25 per cent holding an incident response plan, the prepared minority is a profitable place to be. Choose on the named leader, their independence and their sector track record, and insist on a fixed quote.
If security has become a blocker on your growth, talk to a senior UK security lead about a fixed-quote vCISO engagement through our London-based technology and automation team, or get in touch for a no-obligation discovery call.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and automation agency in Stanmore (HA7). With over 12 years building software, security and automation systems for UK businesses, Deen has helped organisations close governance gaps, achieve certification and design security into their systems from the start. Softomate Solutions is registered at Companies House and works with UK SMEs and scale-ups across finance, legal, healthcare and SaaS. Learn more about Softomate Solutions.
We protect the real names of all clients featured in examples and case studies. Every testimonial is from a real client.