vCISO — virtual Chief Information Security Officer — is one of the more honest acronyms in the industry. It is what it says: part-time, fractional security leadership for a business that needs strategic security oversight but does not have the budget or workload to justify a full-time CISO at $150,000 to $250,000 per year plus benefits.
It is also one of the most over-sold services in the SMB market. Every MSP and MSSP now offers a vCISO line item. Many of those engagements end with the business paying for monthly retainers and a glossy quarterly report nobody reads. The output goes in a drawer. Nothing actually changes.
This article is the honest version of the conversation: what a vCISO actually does month-to-month for a 30-person business, when it pays off, when it doesn't, and what to do if you are not there yet.
When you almost certainly don't need a vCISO yet
If your business has fewer than 20 staff, no formal compliance obligations, no significant regulatory exposure, and your cyber-insurance carrier is not pressing you on governance maturity, you probably do not need a vCISO. You need the foundational security controls — MFA, EDR, backup, patching, training — deployed and operated by a competent managed services provider. That is a $5,000 to $15,000 per month engagement. A vCISO on top of that adds another $2,000 to $5,000 monthly and produces work that mostly will not be actionable until the underlying program is more mature.
Paying for a vCISO at this stage is like hiring a CFO for a coffee shop. The role exists. The work is real. You just do not need it yet.
When a vCISO actually pays off
The threshold where vCISO services start to make sense is usually one of the following.
- The business has grown past 20 seats and is heading toward 50 or 100.
- Cyber-insurance underwriters are asking governance questions — written policies, board reporting, risk register, third-party risk management — that the operational MSP cannot answer.
- A regulator, customer, or contractual obligation requires a defined security program (PIPEDA, SOC 2, CIS Controls maturity targets, oil-and-gas operator security riders, healthcare or municipal contracts).
- The business is preparing for an acquisition, capital raise, or major contract that will trigger security due diligence.
- An incident happened in the past 12 months and the board or owners want documented improvement.
If two or more of those describe your business, a vCISO probably pays for itself. If none of them describe your business, the money is better spent on operational security.
What a vCISO meeting actually looks like, month to month
Strip away the marketing. For a 30-seat northern Alberta SMB, a vCISO engagement in steady state usually looks like this.
Month 1. Discovery and baseline. The vCISO interviews the owner, IT lead, and operations lead. Reviews existing policies (usually a few outdated Word documents). Walks through current tooling (M365 admin centre, EDR console, RMM, backup platform). Reviews the most recent cyber-insurance application and the last incident, if any. Produces a written current-state assessment.
Month 2. Roadmap. Based on month one, the vCISO drafts a 12 to 18 month security roadmap. Not 50 items. Usually 8 to 15 prioritized initiatives, costed, sequenced, and tied to either insurance, regulatory, or risk-reduction objectives. The roadmap is presented to the owner or board and approved as the program-of-record.
Month 3 onward. Recurring rhythm:
- Monthly 60 to 90 minute call with the owner or steering committee. Status against the roadmap. New risks. Decisions needed.
- Quarterly written report. Two to four pages. What happened, what is on track, what needs ownership attention, what the year-over-year posture looks like.
- Insurance liaison work. Reviewing renewal questionnaires, drafting attestation language, attending the broker call.
- Policy and procedure authoring or refresh. Acceptable use, incident response plan, vendor risk, data classification, access review cadence.
- Tabletop exercises. Typically one per year, sometimes two.
- Vendor and tool selection support when material decisions come up (new EDR, new backup platform, M365 license tier change).
That is the work. It is not glamorous. It is not "next-generation" anything. It is the quiet discipline of running a security program rather than just running security tools.
The four things a vCISO actually produces
Cutting through the marketing, there are four deliverables that matter.
A security roadmap. Written, prioritized, costed, dated. The single most important artifact, because it answers the question every owner asks: what do I work on next, and what does it cost?
A policy framework. Six to ten written documents that cover the security program — acceptable use, incident response, access management, vendor risk, data classification, backup and retention, security awareness, business continuity. Carrier-ready and audit-ready. Reviewed annually.
Board or owner reporting. Quarterly, two to four pages, plain language. Translates security posture into terms an owner or board cares about — insurance impact, regulatory standing, incident readiness, residual risk. This is the artifact that turns security from a cost centre into a managed business function.
Insurance and carrier liaison. Attending the renewal call, drafting attestation language, defending the questionnaire answers, and translating between the carrier's underwriting language and the business's operational reality. For mid-sized SMBs, this single function usually justifies the engagement on its own at renewal time.
The cost-benefit math
A reasonably priced vCISO engagement for a 30-person northern Alberta SMB runs $2,500 to $4,500 per month. Call it $36,000 to $54,000 annually. Compare that with the alternatives.
- Full-time security manager or CISO: $150,000 to $250,000 fully loaded. Possible at 100-plus seats. Almost never the right answer below 75.
- Do nothing: zero out-of-pocket cost. Unbounded downside. Insurance premium increases of 25 to 50 percent at renewal are common when governance questions cannot be answered. Incident response cost in an uncovered event ranges from $50,000 to $1,000,000-plus.
- Lean on the MSP: the MSP runs the tools. The MSP is not your strategic security leader. Asking the MSP's operations team to author policy or attend a board meeting usually produces work that is technically competent but strategically thin.
For SMBs in the 20 to 100 seat range with active carrier or regulatory pressure, the vCISO option is usually the lowest-total-cost path.
The trap
The most common failure mode for a vCISO engagement is paying for it and not using the output. The owner does not read the roadmap. The board does not act on the quarterly report. The policies sit in a SharePoint folder unread. The vCISO continues to produce. The business continues to pay. Nothing changes.
The fix is to treat the vCISO engagement as a working relationship, not a deliverable subscription. Show up to the monthly call. Make decisions on the roadmap. Assign internal owners. Otherwise the money is wasted regardless of how good the work is.
The northern Alberta angle
Historically, vCISO-level thinking required flying someone in from Edmonton or Calgary at city-shop rates, or stitching together half-hour calls with security consultants who did not know the region. The local-and-remote model — a vCISO who lives in the area, knows the carriers, knows the auditors, knows the regulators, and can be on a Teams call within an hour — changes the math for businesses in Mackenzie County and the broader Peace River region.
If your business is in the 20 to 100 seat range, has insurance or regulatory pressure, and you are tired of explaining security to people who do not understand your operation, this is the conversation to start.
Peace Country Cyber offers vCISO services as part of the Cyber Premium tier. Local, remote, monthly. Start a conversation →