The true cost of an in-house Chief Information Security Officer in the UK is substantially higher than the headline salary figure that appears in a job advert. When all costs are accounted for, a London-based CISO represents a total employment cost that most businesses significantly underestimate before making the hire. Understanding the full picture is essential for any UK business weighing up whether to hire a permanent CISO or engage a virtual CISO (vCISO) service.
Softomate Solutions' virtual CISO service serves London-based businesses across financial services, technology, professional services, and regulated sectors. The most common reason businesses contact us having recently decided against hiring in-house is that the full cost calculation was not done before the recruitment process began. This guide provides that calculation.
UK CISO salaries in London range from £120,000 to £180,000 per year, with senior CISOs at FTSE-listed businesses commanding £200,000 to £250,000. For the purposes of this comparison, use £150,000 as a representative mid-market figure for a competent in-house CISO at a business with 50 to 500 employees.
On a salary of £150,000, employer's National Insurance Contributions (NICs) at 13.8% above the secondary threshold (£9,100 for the 2024/25 tax year) amount to approximately £19,730 per year. This is a cost the employer bears in addition to the gross salary, invisible to the employee but directly affecting the total employment cost.
Under auto-enrolment rules, the minimum employer pension contribution is 3% of qualifying earnings. For a £150,000 salary, total qualifying earnings are capped at the upper earnings limit (£50,270 for 2024/25) for minimum contribution calculations, though in practice most CISO-level hires will negotiate an employer contribution of 5% to 8% of total salary as part of their package. At 6% of £150,000, employer pension contributions add £9,000 per year.
Recruiting a CISO through an executive search firm typically costs 20% to 30% of first-year salary, plus VAT. On a £150,000 salary, recruitment through a specialist cyber security executive search firm costs £30,000 to £45,000 as a one-off placement fee. Internal recruitment (LinkedIn Recruiter, advertising, internal HR time) is cheaper but significantly slower and produces a smaller candidate pool for a specialist role. Assume £30,000 as the minimum realistic recruitment cost.
A senior hire at CISO level will expect a benefits package that typically includes private medical insurance (£1,500 to £3,000 per year for BUPA or equivalent), life assurance (typically 4x salary, paid by the employer), income protection insurance, and an annual discretionary bonus of 10% to 20% of salary. Total benefits cost: approximately £5,000 to £10,000 per year.
An in-house CISO will need a security tooling budget to do their job. This typically covers a security information and event management (SIEM) platform, endpoint detection and response (EDR) software, vulnerability scanning tools, security awareness training platform, and penetration testing (annual minimum, typically £15,000 to £30,000). Total annual tooling and external assessment budget: £40,000 to £80,000 for a business of 100 to 300 employees, depending on the complexity of the environment.
Cyber security is a rapidly evolving field. A CISO who does not continuously update their knowledge rapidly becomes less effective. CISM re-certification, CISSP maintenance, conference attendance (Infosecurity Europe, NCSC CyberUK), and relevant training courses cost £3,000 to £8,000 per year.
Adding these components together: salary £150,000, employer NICs £19,730, employer pension £9,000, amortised recruitment cost (over 3-year average tenure) £13,333, benefits £7,500, tooling (minimum) £40,000, and training £5,000. Total annual cost: approximately £244,563, or roughly £20,000 per month. This figure does not include the cost of the CISO's management overhead, the HR, IT, and facilities resources their employment requires, or the very significant cost of the 3-to-6-month period between deciding to hire a CISO and having one effectively in post.
Virtual CISO services in the UK operate under two primary commercial models: fractional engagement and fully managed. The cost structure and the scope of what is delivered differ significantly between them, and matching the right model to your business's needs is central to getting value from a vCISO arrangement.
A fractional vCISO provides a defined number of days per month of CISO-level input, typically two to five days per month. This model is suited to businesses that need experienced strategic security leadership and board-level reporting capability, but whose current security programme does not require a full-time CISO presence. UK pricing for fractional vCISO services ranges from £3,000 to £8,000 per month, depending on the seniority and breadth of experience of the individual, the number of days included, and whether incident response availability is within scope. At £5,000 per month, an annual fractional vCISO engagement costs £60,000 — less than the National Insurance contribution alone on a full-time CISO salary at the higher end of the market.
A fully managed vCISO service, of the type provided by Softomate Solutions' cyber security consultancy, delivers a broader security programme management capability. This typically includes a named vCISO with CISO-level credentials, supported by a specialist team covering security operations, compliance, risk management, and incident response. UK pricing for fully managed vCISO services ranges from £8,000 to £20,000 per month, depending on the scope of coverage, whether 24/7 SOC-as-a-service is included, and the regulatory complexity of the client's environment. Even at £15,000 per month (£180,000 per year), a fully managed vCISO service costs less than a single in-house CISO engagement when tooling, recruitment, and benefits are included in the comparison — and provides a significantly broader team capability.
The comparison is not simply cost. The capability and risk profile of each model differs materially, and the right choice depends as much on what you need from a security programme as on what you are willing to spend.
An in-house CISO provides dedicated attention: one person who knows your business, your people, your systems, and your history in depth. They can build institutional knowledge over years, develop relationships with your board and executives, and act as a credible internal voice on security matters. For businesses in highly regulated sectors — FCA-regulated financial services, defence contracting, central government — the continuous presence, accountability, and institutional knowledge of an in-house CISO may be essential. The FCA's Senior Managers and Certification Regime (SM&CR) requires that regulated firms appoint an individual who is accountable for certain security-related functions; a vCISO can fulfil this role in many cases, but the detail of the specific firm's regulatory permissions should be reviewed.
A vCISO provides breadth of experience that a single in-house hire rarely can. An experienced vCISO who has served five different clients across financial services, healthcare, SaaS, and professional services brings a diversity of threat intelligence, regulatory knowledge, and implementation experience that a career CISO with deep institutional knowledge at one company may lack. A vCISO engagement can start within weeks rather than months, with no recruitment cost or notice period risk. The service scales up or down as the business's needs change. Incident response capability, which an in-house CISO may struggle to provide alone, is typically a standard feature of a managed vCISO service.
There is a further practical advantage that is rarely discussed. An in-house CISO operates within the political dynamics of a single organisation. They are subject to internal pressure from peers, budget constraints set by a CFO who may not understand security risk, and the reputational consequences of escalating a security concern that makes a colleague look bad. A vCISO, with contractual independence and no long-term career stake in the client organisation, can provide honest, unfiltered security advice and escalate concerns to the board without the same career risk. This independence is particularly valuable when the security recommendation is one that internal culture would otherwise resist, such as recommending a pause on a major product launch until a critical vulnerability is remediated.
The decision between an in-house CISO and a virtual CISO is not purely financial. It is shaped by the size, complexity, and regulatory profile of the business, the current maturity of the security programme, and the strategic direction of the company.
An in-house CISO is the right choice for businesses with more than 500 employees and a complex, highly regulated operating environment; for defence contractors handling classified information above a certain classification level; for large financial institutions with SM&CR accountability requirements that cannot be delegated; and for businesses with a dedicated security operations team of five or more people who need full-time leadership and direction. Below these thresholds, the cost and the hiring risk of an in-house CISO are difficult to justify against the alternatives.
A virtual CISO is the right choice for businesses with revenues of £5 million to £200 million that need mature security leadership but cannot justify or afford a full-time CISO; for growing businesses that have outgrown ad hoc security management but are not yet large enough to warrant a full-time hire; for businesses that need to demonstrate security maturity to enterprise clients or to pass ISO 27001, Cyber Essentials Plus, or IASME certifications; for businesses facing a specific regulatory deadline (UK GDPR ICO investigation, FCA supervisory request) and needing rapid, credible leadership; and for businesses that want to build towards an in-house CISO hire and need a structured security programme in place before that hire is made.
The National Cyber Security Centre (NCSC) does not mandate a specific internal structure for security leadership but strongly recommends that organisations have a named individual with board-level accountability for cyber security. The NCSC's Cyber Assessment Framework (CAF), used by organisations in critical national infrastructure and regulated sectors, requires evidence of board-level engagement with cyber risk. A vCISO can fulfil this requirement, provided the engagement model includes regular board reporting and the vCISO has a direct relationship with the board rather than being filtered through an intermediary.
The FCA's SM&CR places accountability for operational resilience and technology risk on specific named senior managers. For FCA-regulated firms, the relevant function is typically the Chief Operations Function (COO) or a designated SMF with technology/cyber responsibility. Whether a vCISO can be an approved person under SM&CR depends on the individual firm's regulatory permissions and the specific accountability being assigned. UK-regulated firms should seek legal advice on this point before relying solely on a vCISO to fulfil a named SM&CR accountability.
The vCISO-to-in-house transition is one of the most valuable applications of the fractional model. A vCISO engagement that is properly structured can build the security programme, policies, and processes that a future in-house CISO will inherit and operate. This dramatically reduces the time-to-effectiveness for the new hire and ensures that the business does not spend the first 12 months of the in-house CISO's tenure rebuilding foundations that should already be in place.
The transition plan should include: a programme handover document covering the current security roadmap, open risks, active supplier relationships, and compliance deadlines; a policies and controls library that is fully documented and version-controlled; a threat intelligence briefing on the current threat landscape relevant to the business; and a warm introduction to the board, the executive team, and the key technical stakeholders. A good vCISO provider will actively facilitate this transition rather than treat the in-house hire as competition.
In many cases, yes. A vCISO can be designated as the individual with board-level accountability for cyber security and technology risk, which satisfies the spirit of the SM&CR requirement for a named senior manager with oversight of these risks. Whether the vCISO must be an FCA-approved person (SMF) depends on the specific regulatory permissions of the firm and the exact accountability being assigned. Some FCA-authorised firms have successfully structured vCISO arrangements that satisfy both the SM&CR and the FCA's operational resilience requirements. UK-regulated firms should take specific legal and compliance advice from a specialist FCA regulatory lawyer before confirming the structure.
A virtual CISO service from a specialist provider such as Softomate Solutions can be operational within two to four weeks of contract signature. The onboarding process typically involves an initial security posture assessment (reviewing existing policies, technical controls, and compliance status), stakeholder interviews with the board and key technical leads, and the production of a 90-day security roadmap that prioritises the highest-risk gaps. Compare this to the three to six months typically required from the decision to hire an in-house CISO to that person being effective in post, and the speed advantage of the vCISO model is significant.
The core certifications to look for in a vCISO candidate or provider are: CISSP (Certified Information Systems Security Professional, the gold standard for senior security practitioners), CISM (Certified Information Security Manager, focused on security management and risk), ISO 27001 Lead Implementer or Lead Auditor (demonstrating practical experience with the most widely used information security management framework in the UK), and sector-specific qualifications where relevant (for example, CBEST certification experience for financial services clients, or SC clearance for government work). Check that certifications are current and not lapsed; CISSP and CISM require continuing education credits to maintain.
A well-structured vCISO engagement includes explicit incident response provisions. This means a defined escalation process, agreed response time SLAs (typically four to eight hours for notification of a P1 incident), and access to the vCISO provider's incident response team for containment, investigation, and recovery. The ICO requires notification of certain personal data breaches within 72 hours of the data controller becoming aware. A vCISO provider should have a documented process for managing this timeline, including breach notification drafting, ICO liaison, and coordination with the business's legal team. Confirm these provisions explicitly before signing an engagement contract.
Yes, virtual CISO service fees are a deductible business expense for UK corporation tax purposes, provided they are incurred wholly and exclusively for the purposes of the business's trade. They are treated as a professional services cost and deducted from taxable profits in the year incurred. Unlike the capital cost of security tooling (which may need to be capitalised and depreciated over its useful life), service fees are revenue expenditure and fully deductible in the year of payment. For businesses subject to the Research and Development (R&D) tax credit regime, security expenditure on qualifying R&D activities may also be eligible for R&D enhancement, though this requires specific tax advice.