A CISO Who Has Actually Held the Title — Without the $300K Salary.

For mid-market companies whose auditors, insurers, or biggest customers are now asking “who owns your security program?” — and the honest answer is no one.
If Two of These Are True, You Need a CISO.

The questionnaires got hard.

A prospect or customer sent a 200-row security questionnaire and your CTO or IT lead can’t credibly answer half of it.

The insurer asked.

Cyber renewal added pages of new attestations — MFA, EDR, incident response plan, vendor risk — and you’re checking boxes you can’t actually defend.

An auditor named a framework.

SOC 2, HIPAA, PCI-DSS, CMMC, ISO 27001, or Texas SB 2610 just stopped being optional. Someone has to own the response.

Fractional. Honest About Hours. Built Around a Quarterly Cadence.

Most vCISO engagements run 8–20 hours per month, anchored by a monthly working session and a quarterly board-ready report. You get a CISO — not a generic security consultant — for the cost of a senior analyst.

Engagements start at $2,500/month. Most clients run $2,500 to $7,500/month depending on framework scope, headcount, and cadence.

No multi-year lock-ins. Quarterly review. Cancel with 30 days’ notice.

You’re hiring an executive. We act like one.

Concrete Deliverables. Not a Deck.

First 30 days

Baseline & Framework

  • Current-state assessment
  • Framework selection (NIST CSF / ISO 27001 / SOC 2 / HIPAA / CMMC)
  • Risk register stood up
  • Day-30 board-ready briefing

Days 31–60

Policy & Controls

  • Core security policies drafted and ratified
  • Incident response plan written and tested
  • Top-five control gaps remediated
  • Vendor risk program initiated

Days 61–90

Program in Motion

  • Compliance roadmap published
  • Quarterly cadence locked in
  • Compass-backed evidence trail live
  • 90-day board report delivered

Named Frameworks. Not “Industry Best Practices.”

NIST CSF & 800-53 · ISO 27001 / 27002 · SOC 2 Type I & II · HIPAA · PCI-DSS · CMMC L1/L2 · Texas SB 2610 · CIS Controls v8

Plus 24 more frameworks supported via Total 360 Compass when your sector calls for it.

DFW Professional Services Firm. Post-Incident. Six-Month Engagement.

A 40-person professional services firm in the Dallas–Fort Worth metroplex lost two days of operations to a phishing-driven account takeover. We came in during week three of the recovery, ran a 30-day assessment, ratified core security policies in 45 days, and handed the leadership team a board-ready program by month four. Cyber insurance renewal in month six closed without a premium increase.

When the Gap Isn’t a CISO.

Most engagements start with vCISO. When the Risk Discussion surfaces a different gap, we configure the engagement differently — same model, same quarterly cadence.

vCSO

Chief Security Officer

For converged physical and cyber risk — manufacturing, hospitality, regulated industries with physical assets.

Adds physical security design, executive protection, and full ESRM framework ownership to the standard CISO scope.

vCIO

Chief Information Officer

For organizations with an IT function but no senior leader — where vendor and budget decisions are made reactively.

IT strategy, governance, vendor management, budgeting, team development.

vCTO

Chief Technology Officer

For organizations building product or going through transformation — needing senior technology judgment.

Technology roadmap, build-vs-buy decisions, architecture and vendor selection, emerging technology evaluation.

Same pricing band as vCISO: $2,500–$7,500/month, depending on framework scope, headcount, and cadence.

Not sure which variant fits?

Schedule a Risk Discussion →

Schedule a 30-Minute Risk Discussion.

If a vCISO isn’t right for you, we’ll say so on the call.