Ongoing virtual CISO service plans start at $2,400 per month and are offered at several levels, based on estimated resource hours:
Note: these are examples. Each level is customizable depending on industry and engagement goals.
Examples of specific services include (each is available as a standalone managed package; prices quoted are minimums and depend on scope and complexity):
Managed Governance, Risk, and Compliance (GRC) Services: Our managed eramba GRC service enables tracking and dashboard reporting on information security risks, compliance with various frameworks and regulations, asset management, incidents, and more. Requires a one-year commitment. $5,000/yr
Training: The human is the weakest link. As a KnowBe4 partner, our virtual CISOs provide and manage online training to raise your organization's information security awareness, reducing the risk of an information security incident caused by human error. Requires a one-year commitment. $3,000/yr
Information Security Risk Assessment (Qualitative): Information security is, at its core, risk management. Risks must be identified and prioritized so as to efficiently apply resources for mitigation. An Information Security Risk Assessment (ISRA) is the tool for managing and communicating risks to executive management and the Board of Directors. Without a solid ISRA, executives do not have a clear understanding of the information security risks they are ultimately responsible for, and staff have no direction on the risks to address. A virtual CISO will create and manage a complete and sustainable ISRA process. $9,000
CMMC, NIST-CSF, PCI-DSS, HITRUST, FFIEC CAT/ACET, SOC2, ISO 27001/2, and Other Framework Gap Analysis: Compliance does not equal security, but is necessary to demonstrate the viability and effectiveness of the security program. We have a documented, solid history of building security programs aligned with many frameworks, including the ones above. Whatever the regulation or standard your organization needs to comply with, our virtual CISOs and information security risk analysts can get you there. $9,000
Quarterly Governance Committee: A fundamental but often overlooked aspect of an information security program is a quarterly governance committee, led by our vCISO and involving business unit leaders and executives organization-wide. The C-suite and the Board of Directors can only make risk-informed decisions if they understand information security risks, and a quarterly committee facilitates that communication. Our vCISO can present to the committee once annually or every quarter. $3,000
IT Security Assessments: Does your firewall ruleset make sense? Are your other IT controls configured for maximum protection? Our experienced virtual CISOs and risk management analysts provide an independent review to verify IT controls or recommend changes, all without impeding business operations. $9,000
Information Security Program / Policy Creation and Implementation: The Information Security Program document and associated policies form the foundation of an organization’s information security program. However, a policy downloaded from the internet that does not take into account the unique operating environment of your organization is not only useless, it can become a liability. A virtual CISO or risk analyst will design policies and standards (including RACI charts if desired) to match your organization’s need and culture. $5,000
Business Continuity Plans and Tabletop Exercises: Stuff happens. Your business needs to survive unintended events. We script different scenarios for clients each year. In 2019, the exercise focused on a pandemic, which prepared our clients for the improbable COVID-19 pandemic in 2020. Let one of our virtual CISOs work with you to create meaningful Business Impact Analyses (BIAs) and conduct effective tabletop exercises to ensure continuity of operations, whatever the cause of the interruption. $7,000 (tabletop only)
Third-Party (Vendor) Reviews: Migrating to a cloud provider does not absolve an organization of its cyber security responsibilities. Vendor controls must be assessed and confirmed to align with the corporate risk tolerance. Our virtual CISOs and risk analysts have years of experience reviewing vendors, making vendor information security reviews simple and complete for your business; these reviews are an essential element of proper information security risk management. $5,000
Network Vulnerability Assessments (External) and Basic Web Application Scans: Testing is the first step. Knowing what to prioritize in remediation, and when a compensating control may work better than rectifying the primary control gap, saves time and cost while increasing your security posture. $200/month
Penetration Testing: Testing exposes vulnerabilities; penetration testing attempts to exploit those vulnerabilities. May be added to any package for an additional fee, based on scope of services desired and environment. Call for pricing.
On-Demand Incident Response Services: When an incident occurs, timely response is critical. Call for pricing.
Data Mapping Exercises: Where is your data? How is it protected? A data mapping exercise led by a virtual CISO skilled in privacy concerns will answer these questions and reveal gaps in controls, and it underpins the records of processing activities that GDPR requires. $10,000
Other Items: Don't see what you need? Let us know, we may be able to assist.
Call us at (833) VCISOSV (833-824-7678) for a free virtual CISO consultation. Virtual CISO services are available within the United States and beyond; inquire for details.