At this point in the series, the governance gap should be a familiar concept. You understand why certifications are not enough, why your MSP cannot fill it, why the board needs to own risk rather than just receive technical reports about it.
The next question is the obvious one: so what does a vCISO actually do?
It is worth being precise here, because the term gets used loosely, and the confusion that results leads organisations either to overestimate the cost of the function or to underestimate its value.
A virtual Chief Information Security Officer provides the governance and leadership function of a CISO on a fractional, embedded basis.
Risk ownership and governance. The vCISO takes accountability for the organisation's cyber risk posture. Not operational security — that remains with your MSP and IT function. Governance: identifying the significant risks, assessing them against the organisation's context and risk appetite, and ensuring they are managed to an acceptable level.
Board-level reporting. The vCISO produces and presents regular risk reports to the board — written in business language, structured around decisions, and clear about what the board needs to know and do.
Strategy and roadmap. The vCISO develops and maintains a security strategy aligned to the organisation's objectives and risk profile. Not a list of tools to buy — a forward-looking plan for how the organisation's risk posture will evolve.
Regulatory and compliance oversight. The vCISO ensures the organisation understands and meets its regulatory obligations (GDPR, sector-specific requirements, certification maintenance) and that those obligations are managed as a live programme.
Incident readiness. The vCISO ensures an incident response plan exists, is tested, and is known to the right people. When an incident occurs, the vCISO provides the leadership function.
Vendor and supply chain governance. The vCISO reviews the security posture of significant technology vendors and supply chain partners.
A vCISO does not replace your managed security service. They do not manage your infrastructure, respond to alerts, or perform the operational security work your MSP handles. The vCISO sits above that layer, governing it rather than performing it.
A vCISO is not a consultant who delivers a report and leaves. The function is embedded and ongoing. The value comes from the relationship — with the board, with the security programme, with the business.
A vCISO is not a compliance officer. They will ensure compliance obligations are met, but their scope is broader: the risk posture overall, not just the regulatory minimum.
A vCISO is not cheap CISO cover for organisations that cannot afford the real thing. They are a different model for a genuine need — fractional, flexible, and specifically designed for organisations where a full-time CISO would be disproportionate.
What makes the vCISO model genuinely valuable is not the cost saving relative to a full-time hire — though that is real. It is that it provides the right capability for the need.
Most SMEs and mid-market organisations do not require a full-time CISO. They require the governance function a CISO provides, exercised at a frequency and depth proportionate to their risk environment. The vCISO model delivers exactly that, without the recruitment timeline, the employment overhead, or the risk of a full-time hire whose role outgrows the organisation's need.
A discovery conversation with ITbuilder's vCISO team takes around 30 minutes. It is not a sales pitch. It is an honest assessment of your current governance posture, what the gaps are, and whether the vCISO model is the right fit for your organisation.
Some organisations are ready for it immediately. Some benefit from starting with a risk assessment that establishes the baseline. Some have specific compliance programmes — ISO 27001, Cyber Essentials Plus — that are the right first step.
The conversation will tell you which.
Book a discovery conversation with our team, or read Article 9 for the commercial comparison: vCISO vs full-time CISO, cost, risk, and value.
How much time does a vCISO spend with the organisation?
This varies by engagement, but a typical arrangement involves a dedicated number of days per month — commonly between two and five — covering board reporting, risk reviews, strategy work, and incident support as needed.
Does the vCISO integrate with our existing IT team and MSP?
Yes. The vCISO is designed to sit above the operational layer, not replace it. In practice that means working with your IT team and MSP to get visibility of the technical environment, reviewing their outputs, and ensuring the governance function and operational function are aligned.
How quickly can a vCISO be operational?
Significantly faster than a full-time hire. A typical engagement can be active within two to four weeks of the contract being signed. The initial phase is structured to deliver immediate value rather than requiring months of onboarding.
What deliverables should we expect?
At minimum: a risk register and governance framework, a board-level risk reporting cadence, a security strategy aligned to business objectives, an incident response plan, and ongoing risk reviews.
How do we evaluate whether the vCISO is delivering value?
The clearest measure: can your board describe your risk posture clearly and confidently? Do you have a documented owner for your most significant risks? Has security investment been driven by a risk-based strategy? Is the organisation better prepared to manage an incident? These are governance outcomes, and they are testable.
A vCISO is not another security tool, compliance consultant, or outsourced IT resource. It is a leadership function designed to provide the governance, oversight, and risk ownership that many organisations are currently missing.
By combining board-level reporting, risk management, strategic planning, compliance oversight, and incident readiness, the vCISO helps bridge the gap between operational security activity and business decision-making.
For organisations that need cyber leadership without the cost or complexity of a full-time hire, the vCISO model provides a practical and scalable way to strengthen governance and improve resilience.
In the final article of this series, we'll compare the vCISO model with a full-time CISO and explore the commercial considerations, costs, and value of each approach.