Call (833) VCISOSV (833-824-7678) to schedule a no cost, no obligation consultation with a virtual CISO cyber security expert.

Virtual CISO as a Service (vCaaS)



Ongoing virtual CISO services plans are offered over several levels:

  • Virtual CISO Bronze: For small businesses requiring minimal but consistent virtual CISO services, including customer and partner questionnaire support, information security program creation and management, annual information security training, annual business continuity table-top exercise, and an annual qualitative information security risk assessment.
  • Virtual CISO Silver: For small and midsized businesses requiring more complex virtual CISO services. Includes all the features of Bronze plus annual SOC2 or similar audit support; compliance with regulations and standards; an annual IT security assessment; GRC; and third-party critical vendor reviews.
  • Virtual CISO Gold: For midsized businesses of over 300 employees whose complexity requires the features of Silver at a greater volume of virtual CISO services. Includes an annual quantitative information security risk assessment.
  • Virtual CISO Diamond: For midsized businesses requiring virtual CISO services beyond the Gold level.

Prices vary depending on industry and engagement goals. Call (833) VCISOSV (833-824-7678) to schedule a free consultation to determine which level is right for your organization.

In addition, we offer a variety of specific project-based engagements, including but not limited to:

Governance, Risk, and Compliance (GRC): A GRC system enables tracking and dashboard reporting on information security risks, compliance with various frameworks and regulations, asset management, and tracking of incidents. Clients have visibility into their program's KPIs via a secured website.

Information Security Risk Assessment (Qualitative): Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process.

Information Security Risk Assessment (Quantitative): Qualitative risk assessments are great at identifying and prioritizing the highest information security risks but, as a subjective approach, cannot convey true exposure. An Open FAIR™ licensed quantitative risk assessment performed by an Open FAIR™ qualified virtual CISO provides a cost range of risk exposure. Requires a qualitative risk assessment.

GDPR Readiness Assessment: Concerned about the General Data Protection Regulation? A virtual CISO can analyze your information flows and provide an assessment of your organization's readiness to comply with the GDPR.

ISO 27001/2 Gap Analysis: ISO 27001 is the most widely followed information security framework worldwide, covering all aspects of an information security program. As a rule of thumb, an information security program aligned with and adhering to ISO 27001 will achieve most regulations and standards compliance requirements. Our virtual CISO can get you there.

IT Security Assessments: Does your organization's firewall ruleset make sense? Are your other IT controls maximized for protection? Our experienced virtual CISOs provide an independent review to verify IT controls or recommend changes, all while not impeding business operations.

Information Security Program / Policy Creation and Implementation: The Information Security Program document and associated policies form the foundation of an organization’s information security program. A virtual CISO will design policies and standards (including RACI charts) to match your organization’s need and culture.

Business Continuity: Stuff happens. Your business needs to survive unintended events. Let one of our virtual CISOs work with you to create meaningful BIAs and conduct effective table-top exercises to ensure continuity of operations, whatever the cause for the interruption.

Third-Party (Vendor) Reviews: Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Controls must be assessed and confirmed to align with the corporate risk tolerance. Vendor information security reviews, including thorough review of SOC1/2 audit reports, are an essential element of proper information security risk management. Our virtual CISOs' years of experience reviewing vendors will work for you.

Training: The human is the weakest link. Our virtual CISOs provide and manage online training to further your organization's information security awareness, reducing the risk of an information security incident caused by human error.

Network Vulnerability Assessments and Web Application Scans: Testing is the first step. Knowing what to prioritize in remediation, and where a compensating control may work better than rectifying the primary control gap, can save time and cost and add efficiency while increasing security posture.

Penetration Testing: A highly skilled penetration tester will attempt to discover and exploit vulnerabilities, and a virtual CISO will work with your team to understand and address the gaps found.

Cybersecurity Assessment Tool (Financial Institutions): Navigating and completing the FFIEC’s Cybersecurity Assessment Tool (CAT) is a complicated process. With experience including participation in the development of the FSSCC Automated Cybersecurity Assessment Tool, our virtual CISOs can help navigate all aspects of this de-facto standard cyber security assessment for financial institutions.

Compliance With Regulations and Standards: Whether PCI, HIPAA, SOX, GDPR, FERPA, NYS DFS, or another regulation or standard, our virtual CISOs can help your organization achieve information security compliance.

Data Mapping Exercises: Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls - and is required for GDPR.

Special Projects: Don't see what you need? Let us know - most likely our virtual CISOs can help!

Call us at (833) VCISOSV (833-824-7678) for a free virtual CISO consultation. vCISO services are currently available for United States and United Kingdom businesses.