The full service
What's included in the vCISO service
One engagement, six core areas of security leadership, and a named expert accountable for all of it.
Cyber Maturity Assessment
We start by understanding where you are. Your security posture is reviewed against recognised industry standards, your target state is defined with you, and the gaps that genuinely matter are identified and prioritised. This becomes the baseline every improvement is measured against.
Strategic Cyber Roadmap
Security objectives are aligned with your business goals and sequenced into a clear, costed roadmap. It is written for two audiences at once: precise enough for your technical team to execute, and clear enough for your board to fund.
Compliance Frameworks
Whether customers are demanding ISO 27001 or SOC 2, insurers are asking about Cyber Essentials, or GDPR obligations need evidencing, your vCISO guides you through scoping, implementation, audit and the ongoing work of staying compliant.
Architecture Reviews
A security architect reviews how your technology and products are built, from cloud infrastructure to release processes, and recommends changes that design risk out rather than bolting controls on afterwards.
Cyber Incident Response
Incident response plans are developed, tested through realistic exercises and refined over time. If a significant incident hits, you have seasoned leadership beside you to contain it, preserve evidence and get the business running again quickly.
Training & Awareness
Targeted programmes that measure and genuinely improve how your people respond to threats: phishing simulations, tailored communications, and table-top exercises for your leadership team.
Behind your vCISO
One engagement, a whole security function
Your vCISO owns the strategy layer and draws on the full CyPro capability beneath it as your roadmap demands.
Cyber Strategy
Security strategy, executive reporting, decision making, budget and people management: owned by your vCISO
Security Advisory & Assurance
- Policy, standards and procedures
- Projects and change advisory
- Data privacy, HR security and business resilience advisory
- Risk management and acceptances
- Third party due diligence
- Data classification
- Assurance testing: reviews, audits, pen tests, red teams, table-tops
- Operational and management reporting
Security Operations
- Security Operations Centre (SOC) and SIEM
- Network and security alert monitoring
- AV and intrusion detection/prevention
- Microsoft 365 management and DLP
- Anti-phishing campaigns
- Threat intelligence and threat hunting
- Shadow IT monitoring
- Incident response
- Patch and vulnerability management
Identity & Access Management
- Authentication, SSO and MFA
- Access control audits
- Identity management
- Attack surface assessment and reduction
- Privileged access monitoring and approvals
- Least privilege and separation of duty audits
- Role-based access control
- IAM in the cloud
Secure Architecture
- Security architecture
- Network security, zoning and segmentation
- Secure backups and IT resilience
- Projects and change advisory
- PKI infrastructure
- Firewall rule review and approvals
- Cloud security: connectivity and secure patterns
- Application and API security
Security Engineering
- DevSecOps
- Asset secure build and system image hardening
- Virtual machine security
- Cloud security assessments
- Secure configurations, client and server
- Secure software development lifecycle
- Application and API security
- Attack surface assessment and reduction
Security Culture
- Training needs identification
- Cyber training content
- Integrating threat intelligence into learning
- Cultural change and cyber awareness programmes
- Security communications
- Engagement initiatives: explainer videos, infographics, quizzes
How it's delivered
Built around your business
A dedicated, named vCISO
One person who learns your business inside out and stays accountable, not a rotating cast of consultants.
An extended specialist team
Penetration testers, security architects and incident responders from the wider CyPro team, available when the work demands depth.
On-site presence
Typically one day a month on site, often chairing your security committee or presenting to the board. More if you want it.
Board-level reporting
Regular plain-English reporting on risk, progress and spend, designed for executives rather than engineers.
Every engagement is shaped in a scoping conversation, so you pay for the coverage you need and nothing you do not. See pricing for how that translates into a monthly fee.
Take the first step
Speak to a Virtual CISO today
Book a free 30-minute consultation to talk through your security challenges and find out exactly how a vCISO would work in your business. No obligation, no hard sell.