Getting clarity on how much a Virtual CISO costs in 2024 can be difficult due to the various factors at play. The virtual Chief Information Security Officer (vCISO) model is becoming increasingly popular, and yet many CxOs, founders and established IT professionals struggle to get clarity on the cost of a vCISO and the drivers behind different price points.
This article breaks down the complexities and helps you get value for your money when investing in cyber security.
Understanding the Role of a Virtual CISO
Definition of a vCISO
A Virtual CISO (vCISO) is a cyber security expert who provides strategic guidance and oversight on a fractional and outsourced basis. Unlike traditional CISOs, who are full-time employees, vCISOs offer their services on a part-time, retained basis. They bring executive level expertise in managing an organisation’s cyber security posture without the burden of a full-time salary and all the operational overheads that come with a permanent employee.
Differences Between a Traditional CISO and a vCISO
The primary difference between an employed CISO and a vCISO lies in their engagement model. While a traditional CISO is an on-site executive (usually reporting into the board, or at least one tier away), a vCISO operates remotely, providing flexibility and cost savings for those who don’t require a senior resource 5 days per week all year round. Additionally, vCISOs can be more specialised, offering insights and services tailored to specific industries or technologies.
Benefits of Hiring a vCISO
So how much does a virtual CISO cost when comparing a full-time employee and a vCISO? A virtual CISO offers several advantages:
- Cost Efficiency: pay only for the services you need.
- Flexibility: scale services up or down based on requirements.
- Expertise: access to top-tier talent without long-term commitments.
Why Do Businesses Need a vCISO?
If you’re asking yourself “How much does a virtual CISO cost?” this needs to be balanced with the needs of your business.
Below is a comparison table that explains the various differences between a full-time CISO employee and a Virtual CISO service.
| | Full-time CISO (Employee) | vCISO Service |
|---|---|---|
| Resource Type | A single full-time employee with 10 years’ experience in Cyber Security will attempt to cover all aspects of security and data privacy. | A blended team of highly experienced security professionals covering strategy, risk management, security operations, incident response, security remediation and raising awareness. |
| Cost | A base salary of £80,000; total cost will be £136,000 per year with bonus, benefits and employee overheads (OPEX). | Depending upon service level, it costs circa £56,000 – £72,000 per annum. Predictable monthly CAPEX fees, no recruitment or retention costs. |
| Expertise | Limited to the experience and knowledge of one person. Requires continual training and certification courses. | Access to a team of experts with diverse skill sets, expertise and experiences. Continuously updating knowledge and certifications at no cost to your organisation. |
| Scalability | Constrained, as it requires hiring additional staff as you grow and cannot be scaled back again (without redundancies). | Easily scalable (up or down), with CyPro able to allocate additional resources as required. |
| Coverage | Restricted by working hours, vacations and sick leave. | Uninterrupted services with coverage for 52 weeks per year. |
| Independence | Easily influenced by internal employees or executives, resulting in conflicts of interest. | Fully independent and will provide a cross-industry perspective on security risks and issues. |
| Operational Traction | Driving consistent delivery and traction is heavily dependent on the individual’s current state of mind, motivation levels and personal capability. | Managed service with contractual obligations and SLAs to deliver consistently over time. |
How Much Does a Virtual CISO Cost – Determining Factors
Scope of Services
The cost of vCISO services is driven typically by the range of services on offer:
- Cyber Security Assessment: performing a baseline assessment (risk assessment, cyber maturity assessment, audit, etc.) to understand the current state of cyber security and the organisation’s various weaknesses and vulnerabilities.
- Strategic Planning: developing a cybersecurity remediation plan and roadmap.
- Risk Management: identifying, tracking and managing cyber security risks for the organisation.
- Compliance and Regulatory Support: ensuring adherence to industry standards such as Cyber Essentials, ISO27001, SOC2, Data Protection Act and sector specific regulation such as FCA/PRA.
- Incident Response: preparing for and responding to cyber security incidents.
- Employee Training: educating staff and raising awareness on cyber security best practices.
Some services are more standard than others. The first three items above (assessment, strategic planning and risk management) usually come as a standard part of vCISO services and tend not to vary much in the level of effort required.
However, the last three (Compliance and Regulatory Support, Incident Response and Employee Training) can all be done to the nth degree and so can vary wildly in scope (and therefore in the cost of the virtual CISO service itself).
For example, for incident response you may just want strategic guidance on how to handle major incidents in normal office hours, with your in-house IT team doing the majority of the heavy lifting. Alternatively, you may want more hands-on operational support on all types of cyber incident (not just major incidents), and you may need it around the clock, 24/7/365, due to your regulatory requirements or risk profile. These two scenarios would differ wildly in the cost of vCISO services.
Level of Expertise and Experience
As with most things in life, you get what you pay for and the cost of a vCISO is no different. What’s more, everyone and their dog in cyber security wants to be a CISO and so you will get a whole variety of people saying they can provide vCISO services.
A vCISO’s industry-specific knowledge, certifications, and qualifications also play a crucial role in determining costs. Higher expertise often translates to higher fees but brings superior value.
What Expertise Should You be Looking For in a vCISO?
- Experience: to be frank, you’ll want to look for a few grey hairs (metaphorically speaking, of course). CISOs are by definition executive-level experts and so tend to be in the latter parts of their career.
- Qualifications: people are always saying “certifications aren’t everything”, which is correct, but when it comes to high day rate resources making strategically important decisions, you want the cream of the crop. A strong vCISO will have active certifications such as:
1. CISSP (Certified Information Systems Security Professional)
2. CISA (Certified Information Systems Auditor)
3. CISM (Certified Information Security Manager)
4. CCISO (Certified Chief Information Security Officer)
5. MSc or BSc in Information Security (or a related field)
The important word here is ‘active’ certifications. Many professionals get the certification and then let it lapse by not paying their annual subscription fee or maintaining their CPEs (Continued Professional Education) – don’t be afraid to ask for certificates. Anyone who is a serious and well qualified vCISO will have maintained active certifications as described above.
- Competencies: flat out ask them some pointed questions. A true vCISO will have encountered some pretty ‘spicy’ incidents over their long career. Try the following questions to truly gauge the level of experience they have:
- What major cyber incidents have you led a response on, and what was the outcome? – You’re looking for specificity and richness in their answer, as well as a number of different cases that they can hark back to.
- When building security teams, what security-specific challenges did you face building that capability? – Everyone can cite “hiring was a challenge” or “people management”, but here you’re looking to hear how they struggled with establishing an out-of-hours incident response process, or getting training budget for specialist technical expertise such as threat hunting or incident response, or other anecdotes that are equally cyber-specific.
- Have you ever had to re-organise an information security department? – Again, an experienced vCISO has always gone through this painful process, whether by force or by choice. You’re looking for detail around the different delivery models (i.e. in-house Security Operations Centre vs outsourcing to a cyber security partner like CyPro), how they structured their team (and why), how they calculate target headcount, etc.
Duration and Frequency of Engagement
Clearly, the cost of vCISO services varies based on whether you need full-time, part-time, project-based, or ongoing support. Continuous engagement may offer package deals, reducing overall costs. Most opt for a number of days per week, such as 2 days per week.
Size and Complexity of the Business
So you’re at a larger organisation – how much does a virtual CISO cost for you? Enterprise-level companies with more employees and IT assets typically face higher vCISO costs due to the increased complexity and regulatory requirements. If your organisation is trying to meet stringent financial regulation requirements (such as PRA/FCA), or you’re aiming for a certification such as Cyber Essentials Plus or ISO27001, this is likely to require a more robust approach from the vCISO than somewhere they are simply charged with ‘keeping the lights on’.
Having better security does not mean the cost of vCISO services will decrease; it could increase. For example, a security monitoring platform you have invested in could generate more work reviewing security incidents. It’s more important to ensure your vCISO is doing the right work – they should focus on the strategic and leave operational tasks to others.
Typical Pricing Models for vCISO Services
There are two main models – day rate vs retained managed service. The most popular model that tends to work for most clients is the retainer model.
Retained Managed Service
How much does a Virtual CISO cost if done on a retained basis?
- How They Work: a fixed monthly fee for a set number of hours or services.
- Typical Fees: £3,000 to £6,000/month.
- Pros: much higher level of service possible leading to more risk reduction, greater return on investment (your budget goes further), more predictable costs, often more affordable for long-term engagements and ultimately much higher value for money over the long term.
- Cons: requires more budget.
If for whatever reason a retainer doesn’t work for you, you can opt for a day rate basis.
Day Rate
How much does a Virtual CISO cost if done via a contractor on a day rate basis?
- How They Work: often offered by individual contractors, working on a set number of days per month (e.g. 2 days per month).
- Typical Fees: £1,200 to £2,000 per day. Be very aware of anyone selling themselves for less than £1,000 per day – they are likely not an experienced virtual CISO (more like an aspiring vCISO).
- Pros: not tied into any long term contracts so if you’re an early stage business going through funding rounds and suddenly need to free up cash to keep the business afloat, this might be a good option.
- Cons: the majority of day rate vCISOs are individual contractors and so you are limited to their single/individual expertise and experience. A vCISO service may draw from a small team of resources and therefore get much more value for money. For example, CyPro’s virtual CISO service provides a small team of technical experts alongside the virtual CISO such as a cyber security architect, data protection expert, cyber security engineer, etc.
If you’re unsure which model might work best for you, we’re happy to help steer and advise on a quick call – get in contact with us here.
Example Cost of vCISO Providers
CyPro Virtual CISO
Services:
- Standard vCISO Package
- Executive Level Advice: you will have on-demand access to senior, independent and expert advice on complex information security and data privacy issues and challenges.
- Governance & Cyber Strategy: your vCISO will take ownership of cyber security at your organisation defining and driving the cyber strategy. This includes holding regular briefings with your executive and developing a strong & collaborative relationship with your IT provider.
- Security Awareness: your vCISO will provide innovative training, impactful communications and engaging cyber security exercises to raise awareness amongst staff and third parties.
- Third-Party Due Diligence: dependencies on third parties can often be overlooked in security terms – we help you assess your own third parties and respond to those pesky questionnaires when your potential clients submit them to you.
- Regulatory Compliance: we will provide you with the technical support that is needed when engaging with regulators such as the ICO and ensure that the right actions are taken to meet their stringent information security and data protection requirements.
- Incident Response & Recovery: we will develop an incident response plan and ransomware run book to prepare you for a major cyber incident. You’ll also have access to extended cyber forensics and incident response experts via the CyPro Talent Community, who have invaluable hands-on experience responding to cyber incidents.
- Security Control Enhancements: we will implement critical security controls to help you both identify and monitor for cyber threats as well as protect and respond to potential incidents.
- Cloud Security: continuous security assurance for cloud platforms such as AWS and GCP.
- Cyber Essentials Certification: guaranteed pass and ongoing maintenance.
- CyPro Talent Community: access to an extended network of cyber security subject matter experts for a set number of hours per month.
Cost of vCISO: £3,995 per month
The Ozone Project, a rapidly growing UK AdTech firm, sought to enhance their internal cyber controls to capitalise on commercial opportunities and reassure stakeholders about their security and data privacy. CyPro’s approach included launching a Virtual CISO service to improve security capabilities, developing a five-year remediation plan, establishing disaster recovery plans, creating incident response plans and runbooks, and formulating a cyber roadmap based on a maturity assessment. This reassured Ozone’s board and enhanced marketability to larger clients.
- vCISO Premium Package
Everything included in the Standard CISO package, plus:
- Penetration Testing: one penetration test per year of your core network infrastructure or product.
- Cyber Maturity Assessment: annual strategic measures of progress against your cyber security strategy and roadmap. Demonstrates to your executive the return on investment you are gaining from the cost of the vCISO service you have purchased.
- Secure Architecture Review: in-depth assessment of your infrastructure and IT architecture by a qualified cyber security architect. We find your weaknesses, vulnerabilities and recommend ways to improve the secure design of your infrastructure.
- Cyber Essentials Plus Certification: expert support and guidance for you on your journey to become Cyber Essentials Plus certified.
Cost of vCISO: £4,595 per month
- vCISO + Cyber-as-a-Service (CaaS):
Everything included in the Premium CISO package, plus the following:
- Small Operational Team: a team of experienced cyber security professionals, led by a dedicated vCISO and including a Cyber Security Manager and Security Operations Manager.
- 24/7/365 Security Operations Centre: monitoring of security alerts, incident response, disaster recovery, phishing campaigns, software testing, vulnerability scans, etc.
- ISO 27001 Certification Audit and preparatory internal audit.
- Secure Software Development: we set up, configure and establish ongoing security monitoring of your secure software development processes. This covers your GitHub/AWS/GCP infrastructure all the way through to your application-level security testing.
Cost of vCISO: £5,995 per month
Pros:
- The most comprehensive set of services for the best value for money (comparatively).
- The only provider who offers combining a cyber-as-a-service and virtual CISO service together for a holistic (strategic and operational) offering.
- Provides two additional resources in addition to the executive level vCISO (an Information Security Manager and Security Operations Manager).
- The only provider offering ISO27001 accreditation as part of their vCISO service.
- Provide on-site resource – some vendors are remote only.
Cons:
- Transparent pricing for the cost of vCISOs but they are not the cheapest option in the market.
- A true market specialist for small to medium sized businesses, not for enterprises with more than 10,000 employees.
Fees: vCISO Standard £3,995, vCISO Premium £4,595 and vCISO + CaaS £5,995.
Bullet Proof
Services:
- vCISO Essentials package:
- Discovery audit to fully understand your organisation
- Trusted advice on ad hoc information security matters
- Create Information Security Risk Management Framework
- Drive & support the maintenance of the ISMS
- Staff information security awareness training
- Incident response tabletop exercise
- Create & review Information Security Policy
- Establish and chair a security working group
- Create and complete security due diligence questionnaires
- Access review across all systems
- Internal audit (up to 4 days), e.g. ISO or PCI DSS readiness
- Lookahead Kick-off meeting to plan subsequent years
Remember to ask yourselves “How much does a Virtual CISO cost us in time?” It’s crucial to ask any potential cyber security partner you want to work with what they will need from you in terms of pre-requisites and engagement from your staff.
- vCISO Premium package includes everything in vCISO Essentials, plus:
- Fully managed security tooling for 10 users, including on-demand training, asset tracking, threat management dashboard, vulnerability scanner, cyber healthcheck & more
- Create & review DevOps Security Process
- Information security assurance for cloud platforms & tools
- Cyber Essentials certification
- Penetration test report review & recommendations
- vCISO Ultimate package includes everything in vCISO Essentials & vCISO Premium, plus:
- Fully managed security tooling expands to 20 users
- Cyber Essentials certification is upgraded to Cyber Essentials Plus
- Managed SIEM up to 5 log sources
- PCI DSS consultancy support
- Penetration test
Pros:
- The 3 packages make it easy to understand what is and is not offered.
- With their Ultimate (top tier) package they can help you get Cyber Essentials Plus certified.
Cons:
- A lot of what the vCISO Essentials Package includes are items that can be quickly generated from ‘boiler plate’ templates, e.g. policies, table-top exercises, Cyber Risk Management Framework, ISMS (Information Security Management System), awareness training collateral and due diligence questionnaires.
- Missing some key services such as a Secure Architecture review.
- vCISO Ultimate package lists penetration test which is already included in the Premium package, making the Ultimate package not a significant difference in service but potentially a big difference in cost.
- Costs for vCISO Ultimate are not provided.
Fees: by far the cheapest option at £1,995 per month (Essentials package) and £3,995 (Premium).
Nettitude
Services:
- Governance: attendance at regular security management meetings; provide assistance, guidance, and direction as required.
- Risk Management: risk management is vital to every organisation. Understanding the risks associated with your industry, what you need to protect, and where your threats are will allow for the proper controls to be put in place to mitigate these risks.
- Security Testing: in order to make sure the controls that are put in place to secure an organisation provide the correct level of assurance, security testing is needed. Testing should allow for your risks to be realised, and your vulnerabilities to be mitigated so that your controls ultimately become more effective.
- Incident Response: as the number of breaches and attempted breaches are expected to grow exponentially over time, how we prepare has to change and adapt as well.
- Third-party assurance/supplier audits: Dependencies on third parties can often be overlooked in security terms. However, the access, privileges and responsibilities of these parties can often provide the weakest link in an organisation’s security posture. LRQA Nettitude can advise, review and conduct Supplier Audits on behalf of the client.
Pros:
- Security testing holds a key role in their services which will provide a good level of assurance.
- They appear well qualified on PCI DSS (Payment Card Industry Data Security Standard).
Cons:
- They state that “LRQA Nettitude’s Security Consultants can advise on each of the following…” which suggests you might get more junior resources.
- Due to the language used on their website, how they approach cyber security may be a little outdated.
- Appears to offer only a single set of services, might not be overly flexible for individual client needs.
- Set of services seem to be missing some key areas such as cloud security.
Fees: cost of vCISO not disclosed – you would have to enquire, speak to a sales rep and get a quote to find out.
Be Aware of Hidden Costs for vCISOs!
Onboarding Costs
Some vendors will offer a lower monthly fee or day rate to win the work but then whack you with a fixed fee “Initial setup and transitioning to a new vCISO” cost. These are just a way for the vendor to make more margin and generally aren’t needed for most businesses.
Integration & Training Costs
Similarly, some will try to justify that, in order for the new vCISO to align well with your current IT setup, additional training and coordination efforts will be required. Again, this is generally not needed for the majority of businesses.
Additional Tools and Software Requirements
The vCISO cannot determine what types of cyber security tools are needed from the outside in – they need to embed themselves and make an informed judgement once they have operated as the vCISO for a little while. That said, their recommendation of a new security information and event management (SIEM) tool like LogRhythm or Microsoft Sentinel, for example, will ultimately need to be funded by your business, and not by the vCISO themselves!
Before signing a contract, ensure you ask the vendor what extra tooling you might need, as you might be able to build that into your vCISO business case and save yourself going back to your executive twice in quick succession to ask for more money!
Tips for Getting the Best Value from a vCISO
- Clearly Define Your Goals – establishing clear objectives helps your vCISO deliver targeted and effective solutions. Do you want executive buy-in or 24/7 security monitoring? Do you need regulatory compliance? Not sure where to start? Speak to one of our practice partners today.
- Qualify Out the Cowboys – use the section titled ‘Level of Expertise and Experience’ above to assess the different qualifications, competencies and experience levels of the various providers.
- Client Testimonials – ensure the vCISO has a proven track record of success in your industry, like CyPro’s client testimonials.
- Negotiate Terms and Understand the Contract – make sure you understand all aspects of the engagement, including cost of different vCISO services, their scope and deliverables.
- Regularly Review and Assess the vCISO’s Performance – continuous evaluation ensures you’re getting the desired value against the cost of vCISO services being consumed and allows for adjustments as needed.
Conclusion on the Cost of vCISO Services
You can spend as little as £1,995 per month, but this comes with some significant risk in experience and expertise. If your budget only extends to this level, you might be better off waiting or using an individual contractor.
A more normal level of investment is within the £3,000 – £6,000 per month range and will provide much more business value over the medium and long term.
Be aware there are a number of variables which can affect the cost of vCISO services (see the section ‘How Much Does a Virtual CISO Cost – Determining Factors’), so ensure these are discussed with your provider.
For more information on how much a virtual CISO costs for your specific business, or for a bespoke quote, contact one of our practice partners today.
FAQs
What’s the minimum cost of vCISO services?
You can spend as little as £1,995 per month, but the services at this level are generally highly restricted or caveated, or the individual fulfilling the vCISO role is much more junior than what is required. If your budget only extends to this level, you might be better off waiting, as they may do more harm than good.
A more normal level of investment is within the £3,000 – £6,000 per month range and will provide much more business value over the medium and long term.
How much is the average cost of vCISOs?
The cost of vCISOs typically ranges between £2,000 and £6,000 per month, and services in this range will provide much more business value over the medium and long term.
On average, a well rounded set of services under a Virtual CISO offering typically costs £3,500 – £5,000 per month.
Cost of vCISOs – what determines different price points?
Generally, there are 5 factors that affect the price point for a vCISO service:
- Scope
- Expertise & Experience
- Duration of Engagement
- Model of Engagement (day rate vs retained basis)
- Size and Complexity of Your Business