Virtual CISO (vCISO)

With a UK Virtual CISO (vCISO), you get expert cyber security leadership for a fraction of the cost of a full-time CISO.



    What is a Virtual CISO?

    A Virtual Chief Information Security Officer (vCISO) is a senior cyber security leader retained on a fractional (i.e. not full time 5 days per week) managed service basis. They are provided by specialist cyber security consultancies, designed to deliver specialist and flexible cyber security expertise and guidance, without the need to invest heavily in a full-time internal resource. This role is particularly valuable for organisations that may not have the resources or need for a full-time CISO but still require high-level security leadership. 

    With internal CISOs being prohibitively costly for many businesses, CyPro’s UK Virtual CISO (vCISO) service provides an alternative option – a highly experienced UK-based vCISO, who is available on demand. 

    A UK Virtual CISO (vCISO) not only ensures regulatory compliance, technical assurance and response to cyber incidents, but through innovative risk management, they also provide a competitive advantage.

    Challenges Addressed by a vCISO


    Restricted Budget

    You are dedicated to securing your organisation but don’t have the bottomless pockets that big banks or enterprises do. A Chief Information Security Officer is a senior resource and, if recruited on a full-time basis, can be very expensive (£170,000 annual salary plus). You need access to the same quality of expertise but at a fraction of the cost of a full-time employee.


    New to Cyber Security

    You are just getting started on your cyber security journey and, even if it were gifted to you on a plate, you couldn’t yet fully utilise an in-house cyber security team using all the latest technology. You know you are immature and need to lay the foundations for a secure future. You recognise the need to protect your organisation from cyber threats, but you first need to establish a strategy and some foundational controls.

    Lack of In-House Expertise

    You are unlikely to be of a size yet where you have a mature and sizeable internal cyber security team. Small to medium sized businesses often cannot afford or attract a full-time CISO with extensive experience and expertise.


    Independence

    In many SMBs, the people who are initially asked to secure IT assets and digital infrastructure are often those who have themselves built it. This poses quite a critical conflict of interest and lack of segregation of duties which can create significant business risk. When it comes to regulated activity such as preventing data breaches, you don’t want to be ‘marking your own homework’ – you need an honest, objective and unbiased evaluation of your current posture and future requirements.

    Unknown Strategic Direction

    The cyber security requirements of each organisation are different based on how they operate, what data they process, the technology they use and the types of attackers who want to gain access to their systems. Unfortunately, it can be easy to waste a lot of time and resource trying to protect your organisation from cyber threats and when you do start making the investment, you want to ensure you head off in the right strategic direction first time round.


    Limiting Business Growth

    You’re a growing company and winning new client contracts is becoming increasingly dependent on being able to demonstrate and evidence your cyber security compliance. As you win bigger and bigger clients, they have greater expectations and standards for your cyber security. You don’t want immature cyber security controls to slow down or hold up your commercial growth.

    What Our Clients Say

    Chris Bayley
    CTO - Audley Travel
    Scott Switzer
    CTO - Ozone
    Mark Perrett
    Accounts Manager - PTS Consulting
    Tom Bennet
    CTO - Freshwave

    Benefits of a Virtual CISO

    We pride ourselves on providing the most flexible and capable virtual CISO service on the UK market today. Not only do we have the most extensive vCISO team in the UK where you can select your own vCISO with the expertise that is right for your organisation, but we provide a small team of flexible resources to ensure you get access to all the various skillsets you need to secure your company.

    Attain Cyber Compliance

    We help you achieve cyber security certifications such as ISO27001, SOC2 and Cyber Essentials Plus. We also provide the technical support needed when engaging with regulators such as the ICO, and ensure that the right actions are taken to meet their stringent information security and data protection requirements.

    High Return on Investment

    If you recruit a Chief Information Security Officer (CISO) internally on an average base salary of £150,000, the total cost to the business including taxes, bonus, benefits and employee overheads will be around £255,000 per year (OPEX). Depending upon your chosen service level, a virtual CISO service costs circa £32,000 – £86,000 per annum. Not only is this 7.9 times more affordable, but the vCISO service is charged as predictable monthly CAPEX fees (not OPEX) with no recruitment or retention costs, so your CFO will thank you.

    Rapid Risk Reduction

    Your vCISO helps you reduce your cyber security risks significantly in a short amount of time. We will develop a cyber security roadmap with a tailored and achievable path that not only builds cyber security maturity but also rapidly reduces your risk.

    Flexible & Scalable

    Building a cyber security team internally is limited to the experience and knowledge of those individuals, requires continual training, and is constrained by the need to hire additional staff as you grow, which cannot easily be scaled back again (without redundancies). Our virtual CISO service can be easily scaled (up or down) on a month-by-month basis as required.

    Target Bigger Clients

    Your vCISO will help you achieve cyber certifications (ISO27001, SOC2, Cyber Essentials, etc.) which will ultimately help you onboard new clients quicker and win bigger and bigger contracts. They will help you respond to third party due diligence requests in record time, speeding up your ability to go to market quickly.

    Reduce Operating Costs

    Beyond the more obvious benefits of avoiding regulatory fines or the direct costs of a data breach, investing in a virtual CISO service can also help reduce other expenses. It can help reduce your business insurance premiums, it saves on operational downtime of systems and clearly helps avoid the cost of a data breach itself which currently stands at an average of £3.4 million, with 70% of SMBs going under in the first 6 months of a cyber attack.


    Case Study: UK Telecoms Provider

    Client Challenge

    Following a private equity buyout, a UK telecoms provider had grown rapidly, acquiring 5 businesses within 18 months. The amalgamation of technologies, cultures and risk appetites left the client with a complex IT environment and a need to rapidly align the separate businesses to a common security standard.

    Our Approach

    To address these challenges, CyPro deployed our Virtual CISO offering, which provided a blended team with expertise in the telecommunications sector, including:

    • Senior Virtual CISO: Provided strategic cyber security oversight and leadership, helping to reassure senior stakeholders and define a strategy and roadmap that set them off on a path to success.
    • Telco Security Architect: Technical resource who helped design and integrate secure systems across the merged entities.
    • Regulations Expert: Ensuring on-going compliance with relevant certifications and standards.

    Our approach included:

    • Policy & Standards: Defined foundational documentation to evidence security and privacy governance across the organisation.
    • Cyber Maturity Assessment: Conducted across the entire business to evaluate current practices and identify strengths.
    • Incident Response Plans: Should an incident occur, the client needed to be prepared on how to recover and so a cyber incident response plan and runbooks were created.
    • Cyber Roadmap: A cyber maturity assessment identified control weaknesses that formed the creation of a 5 year cyber roadmap.

    Value Delivered

    Certifications

    Obtained ISO27001 and Cyber Essentials Plus, enabling public sector procurement success.

    Risk Reduction

    Greatly reduced security risk, giving board members and investors confidence in operational practices.

    Culture Shift

    Staff proactively reported security risks and incidents to a central cyber security team.


    Who needs a Virtual CISO

    Virtual Chief Information Security Officer (vCISO) services offer businesses the strategic leadership of a seasoned security executive without the cost and commitment of a full-time hire.

    Below, we highlight the types of organisations that stand to gain the most from a vCISO and those for whom this service might be less critical.

    1. SMBs with Limited Resources: Smaller businesses often cannot afford a dedicated cyber security team but still face serious threats. A vCISO enables them to access high-quality security services and expertise affordably.
    2. Companies Experiencing Rapid Expansion: Organisations going through fast growth, mergers, or acquisitions need their security capabilities to scale in line with their commercial growth. A vCISO helps businesses scale their security solutions as they expand, adopt new technologies and grow their commercial operations.
    3. Industries Prone to Cyber Attacks: Sectors like finance, healthcare, and telecoms face frequent cyber threats and require continuous security measures. A vCISO provides robust, ongoing risk management and quick incident response capabilities.
    4. Firms Embracing Digital Innovation: Companies transitioning to cloud services or adopting new technologies can use a vCISO service to ensure secure and compliant integration with existing IT infrastructure. An e-Commerce company who is expanding its suite of software products can establish the secure development processes needed to ensure all these new innovative products are designed and developed with security in mind from the start.
    5. Businesses with Strict Compliance Obligations: Organisations subject to stringent regulatory requirements, such as the UK Data Protection Act, European GDPR or US HIPAA, can meet these standards with a vCISO, freeing internal resources to focus on core operational activities.

    Who doesn’t need a vCISO?

    1. Businesses with Limited IT Infrastructure: Companies with minimal reliance on digital operations, or those that do not process personal data, may see little benefit in a vCISO. For example, a small local butcher that primarily operates offline and doesn’t digitally store customer information might not require such extensive cyber security services.
    2. Large Corporations with Established Security Departments: Organisations that have long invested in a mature in-house cyber security team, with advanced cyber security infrastructure, may find a vCISO surplus to requirements. For instance, a FTSE100 company with a cyber security team of over 20 people likely has the resources and expertise to manage its security needs independently.

    Our Approach

    Our Virtual CISO service provides a small team of cyber security experts to ensure you have the skillsets you need. A blended team of highly experienced security professionals covers strategy, risk management, security operations, incident response, security remediation and improving your security culture. Here’s how we do it:

    Initial Consultation & Strategy Alignment

    We begin with a series of in-depth consultations to gain a clear understanding of your business goals, current security posture and unique technological requirements. This enables us to customise our vCISO service and align our approach with your organisational objectives from the outset.

    Structured Onboarding

    We craft a detailed onboarding plan that outlines key steps, timelines, and responsibilities. This phase involves deploying the necessary tools and introducing the core team members who will collaborate with you. This structured approach ensures a seamless integration into your business operations, setting clear expectations and communicating effectively with key stakeholders.

    Commence vCISO Service

    We will mobilise and commence all sub-services within the vCISO offering, namely: Governance & Cyber Strategy, Security Awareness & Training, Regulatory Compliance & Certification, Incident Response & Recovery, and Security Enhancements.

    Comprehensive Cyber Security Assessment

    Once the service is up and running, we conduct a cyber maturity assessment of your current environment against a blended controls framework which includes the ISO27001, NIST and CIS18 cyber security standards. This evaluates your current state, defines your target state, and then crafts a roadmap to transition you from your current state to that defined target state.

    Risk Mitigation and Management

    Our team collaborates closely with your IT and operational staff to establish regular risk management and mitigation controls. We maintain regular tracking and provide monthly and quarterly reports to ensure comprehensive oversight and support, fostering a proactive security culture.

    Implement New Security Measures

    We continuously review and refine your security measures to stay ahead of emerging cyber threats. This includes regular assessments, penetration testing, updates to protocols, and the adoption of new technologies, ensuring your security framework remains robust and adaptive.

    Continuous Improvement

    We regularly review and update your security measures to ensure they remain effective against emerging threats. This includes periodic assessments, penetration tests, updates to security protocols, and implementation of new technologies. This ensures that your security posture evolves with the threat landscape, maintaining high levels of protection at all times.

    Scale

    Our vCISO service is designed to scale with your business. Whether you’re expanding geographically, increasing your workforce, or integrating new technologies, our services scale to meet your changing business requirements, ensuring continuous protection and support.


    Your Team


    Jonny Pelter

    Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

    Originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

    Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

    Additional Consultants


    Jamie Whitcombe-Jones

    vCISO

    Jamie is a distinguished executive-level CISO with a wealth of experience, having held prominent positions at Thomas Cook, Centrica, Bupa, and Allianz. 

    He is passionate about revolutionising the cyber security industry through innovative approaches that maximise value from limited budgets. 

    Jamie excels at empowering businesses and individuals to thrive while safeguarding their assets, reputation, and customers. His strategic vision and dedication make him a pivotal part of our Cyber Security as a Service team.


    James Leaton Gray

    vDPO

    James is a seasoned virtual DPO (Virtual Data Protection Officer) and renowned UK expert in data protection and privacy, with over three decades of experience at the BBC. As the former Head of Information Policy and Compliance, he was instrumental in shaping the organisation’s data protection strategies and ensuring adherence to privacy regulations.

    James helps organisations navigate complex data protection landscapes, especially where they operate in multiple jurisdictions with overlapping data protection laws. His extensive experience and deep understanding of information governance make him a highly trusted advisor in the field of data privacy.


    Balazs Izso

    vCISO

    Balazs is a seasoned cyber security executive with extensive experience in the financial services sector. He has held pivotal roles at leading financial institutions, including HSBC and Barclays, where he was instrumental in developing and implementing comprehensive security strategies.

    Balazs has a strong background in managing large-scale security operations and has been actively involved in shaping industry standards and best practices. His expertise encompasses risk management, threat intelligence, and regulatory compliance, making him a respected authority in the field of cyber security.

    vCISO vs Cyber Security as a Service

    If deciding between a virtual Chief Information Security Officer (vCISO) and Cyber Security as a Service (CSaaS), it’s important to understand the distinct benefits each option offers.

    While both services provide expert security leadership and support, they cater to different needs.

    Below is a detailed comparison to help you determine which solution is best suited for your organisation’s security requirements.


    vCISO

    • A dedicated executive-level CISO.
    • Cost-effective since you only purchase the capacity required, which can be used on demand and spread over the month.
    • Easier than Full Time Employees (FTEs) to scale up/down in response to changes in demand & capacity.
    • However, a vCISO alone will still leave some gaps in day-to-day operational security, such as security testing, alerting, vulnerability scanning, incident response, etc., which requires a broader technical team (see Cyber-As-A-Service below).
    • Who is this best for? Organisations who are in need of early strategic direction and/or have ample internal resources to implement and operate security controls.

    Cyber-As-A-Service (CaaS) 

    • Team of experienced cyber security professionals, led by a dedicated vCISO and including a Cyber Security Manager and Security Operations Manager.
    • Highly scalable – the service level can grow in line with yours without significant jumps in costs.
    • Also covers Security Monitoring & Alerting: monitoring of suspicious events, incident response, disaster recovery, phishing campaigns, software testing, vulnerability scans, etc. This is important in order to identify, contain and limit the impact of a cyber attack and meet your 72hr reporting obligation to the ICO (UK data protection regulator).
    • Who is this best for? Organisations with limited internal capacity/resources that still seek to mature their security controls, reduce operational security risk and achieve security certification such as Cyber Essentials, SOC 2 or ISO 27001.
