Virtual CISO leadership, grounded in operating the controls.
An MSSP watches your logs; a full-time CISO costs €250,000 and up. A vCISO gives you board-level security leadership on a fraction of that, and ours comes from an operator who has run the servers, the detection and the patching rather than advised on them from a framework.
A virtual CISO, or vCISO, gives you senior security leadership on a fractional basis: someone to set the security strategy, own the risk program, map your regulatory obligations to real controls, and report to the board, without the cost of a full-time hire. It matters because security is now a board-level and personally liable responsibility, and most mid-sized organisations cannot justify a full-time executive to carry it. Argus Root provides that leadership for organisations in NIS2 or DORA scope, from an operator who has run the systems being governed.
In short
- A full-time CISO costs roughly $250,000–$600,000 a year in total compensation; a fractional vCISO delivers the leadership at a slice of that, scoped to your maturity.
- Under NIS2, security is a personal liability for management — senior leaders can be held accountable for the organisation's failures, which is why the role has to sit at board level.
- A vCISO owns the program — strategy, risk, control mapping and board reporting — where an MSSP only watches logs; the two are different layers, not substitutes.
- The deliverables are concrete: a risk register, a mapped control framework (NIS2, DORA, ISO 27001), board-ready reporting, and an incident-response plan that is rehearsed, not shelved.
- Recovery is now a security function: a tested restore and a rehearsed plan are part of the program, because ransomware turns an untested backup into a ransom decision.
An MSSP watches the logs. A vCISO owns the program.
The common confusion is with a managed security provider. An MSSP, or a SOC, watches your logs and responds to alerts. A vCISO sets the strategy, builds the program, manages compliance and reports to the board. A full-time CISO does the same and costs €250,000 to €600,000 in total compensation. The two roles work together: the vCISO sets the priorities and the success measures, and the SOC runs the day-to-day controls. We provide both, with one setting the plan the other executes.
| | Managed security (SOC) | vCISO |
|---|---|---|
| What it does | Detects and responds to threats | Sets strategy and governs risk |
| Layer | Operations | Leadership |
| Board reporting | Feeds the numbers | Owns the report |
| Under NIS2 | Implements the measures | Maps and evidences them |
| Direction | Executes the plan | Sets the plan |
The distinction is not academic. A managed security service, the SOC, is built to watch and to react: it monitors the logs, raises the alerts and responds to incidents against whatever rules it has been given. What it does not do is decide what the organisation should be protecting, what risk is acceptable, or how the program should change as the business does. Left without that leadership, a SOC drifts: it generates activity and dashboards without anyone deciding whether the activity is the right one, and the board has telemetry but no answer to the question of whether the organisation is truly secure.
The vCISO supplies the missing layer. It sets what matters, translates the risk into priorities the SOC and the vulnerability program work against, and carries the result to the board in terms it can act on. The two roles are complementary rather than alternatives, which is why a credible security posture needs both: operations to do the watching, and leadership to decide what is worth watching for and to own the answer when someone asks if the program is sound.
The board's liability is now personal.
NIS2 attached personal liability to management for cybersecurity failures, which turned a security program from an IT concern into a board one. Regulators expect defensible evidence: a documented, continuously maintained program rather than a binder assembled the week before an audit. A vCISO produces exactly that, mapping NIS2, DORA and GDPR to your controls and keeping the evidence current as the systems change.
That governance sits on top of the things that carry it out. The framework detail follows our compliance work, the detection and response run on our managed security, and the proactive risk reduction on our vulnerability management. The vCISO is the role that directs all three toward one strategy.
The liability is specific. NIS2 makes the management body itself accountable for approving and overseeing cybersecurity risk measures, with personal consequences for executives where it is neglected, and the SEC's tightened disclosure rules push the same accountability onto US-listed boards. A vCISO does not remove that accountability, which stays with management, but makes it meaningful: the expert who builds the risk framework, runs the training the directive expects, and gives the board the reporting that lets it discharge a duty it cannot hand away.
The stakes behind the paperwork are real money. The average data breach now runs near $4.88 million, and the average attack on a smaller business costs upwards of $250,000, roughly what a full-time security chief would cost to hire. Cyber insurers have noticed, and increasingly require evidence of a mature program with executive-level leadership before they will write or renew a policy. A documented program led by a named security executive has become a condition of being insurable and of winning contracts, rather than a nicety.
A vCISO who has run the controls.
Most vCISOs advise from frameworks they have read. Ours leads from systems we have operated: hardened servers, detection we have run, vulnerabilities we have patched under time pressure. The strategy is costed in reality, knowing what a control takes to implement rather than what a standard says it should, which is the difference between a roadmap that lands and one that stalls on contact with your environment. It is a named lead, the operator accountable for the work, rather than a report generated from a questionnaire by an account manager.
```yaml
- id: R-014
  asset: Customer database (production)
  threat: Ransomware via unpatched edge VPN
  likelihood: high  # EPSS 0.82, listed in CISA KEV
  impact: critical
  treatment: mitigate
  controls: [patch-SLA-48h, network-segmentation, tested-restore]
  owner: Head of Engineering
  review: 2026-Q3
  maps_to: NIS2 Art.21(2)(e) — vulnerability handling
```
Why does fractional leadership add up?
A full-time chief information security officer costs between $250,000 and $600,000 a year in total compensation, and at the senior end the people are scarce: of an estimated 3.5 million unfilled cybersecurity roles worldwide, the shortage is sharpest at the leadership level. For an organisation below a few hundred staff, that math rarely works, so many simply go without and hope not to be attacked, which the breach figures show to be a poor bet.
A vCISO resolves the math by sizing the leadership to the need. A mid-market retainer typically runs between €5,000 and €12,000 a month, often 20 to 40% of the cost of the full-time equivalent, for the same strategic output: the strategy, the risk program, the board reporting and the compliance governance. It scales with reality, more hours around an audit, an incident or a funding round, fewer in steady periods, rather than a fixed executive salary that costs the same in a quiet quarter as in a crisis. You buy the judgement you need at the intensity you need it, and stop paying for the hours you do not.
A leader in the room, not a report on a shelf.
A security consultant delivers an assessment and moves on; the report lands on a shelf and the program it described never gets an owner. A vCISO is the opposite kind of engagement: an ongoing role that owns the security program, attends the board, maintains the policies, leads the response when something goes wrong, and is accountable for the program's direction over months and years. Consultants advise; a vCISO leads.
That difference is why the deliverable is governance rather than a document. The management body keeps ultimate accountability, as NIS2 requires, but the vCISO carries the expertise that makes the accountability real, translating risk into terms a board can act on and keeping the program defensible between audits rather than reconstructed before each one. It is the standing presence when a security decision has to be made, rather than a binder consulted after the fact.
What do you get?
Executive security leadership as a retainer, scoped to the maturity you are at.
Strategy & roadmap
Onboarding that delivers a concise risk register, a set of quick wins and a prioritised roadmap, so the program has direction within weeks rather than quarters.
Risk register & ownership
A living view of your risks with an owner against each, kept current as the estate changes rather than filed and forgotten after the first pass.
Framework mapping & audit prep
NIS2, DORA, GDPR, ISO 27001 and SOC 2 obligations translated into concrete controls and the evidence an assessor will ask for.
Board reporting
Risk reported in business terms the board can act on, which is the deliverable that satisfies the personal accountability NIS2 now places on them.
Policy & program
The policies, standards and incident plans drafted and maintained, with the security program owned rather than handed over as a template to administer yourself.
Direction of operations
The SOC and the vulnerability program directed toward the strategy, so leadership and execution pull in the same direction.
The first 90 days.
An engagement opens with an onboarding that produces something usable quickly rather than a discovery phase that bills for months. In the first weeks we deliver a current-state assessment and a risk register, a set of quick wins that reduce the most pressing exposure straight away, and a prioritised roadmap that gives the program direction. The first board report follows, putting the risk picture in front of the people now accountable for it.
From there the engagement settles into the standing work: maintaining the risk register as the estate changes, preparing for and sitting through audits, running the tabletop exercises that rehearse a real incident, and directing the operational teams against the roadmap. The aim is a program with momentum inside a quarter, rather than a strategy document that takes two quarters to write and is stale by the time anyone reads it.
How the engagement is shaped.
The role flexes to the shape of the need. A monthly retainer suits an ongoing program that wants steady leadership, board reporting and risk oversight. A project engagement suits a bounded goal with a deadline, the accelerators that fill 2026 calendars: SOC 2 or ISO 27001 readiness, a NIS2 compliance build, an AI governance program before the AI Act obligations bite. Around an audit, an incident, an acquisition or a funding round, the intensity scales up and then settles back.
What does not change is that a named senior lead owns the work, supported where useful by specialists in compliance, cloud or detection rather than handed to a junior with a checklist. We scope it to the goal and the cadence rather than a fixed published tier, because a startup needing a few hours of high-level steer and a regulated mid-market firm building a full program are different engagements that one package would serve badly.
Where does the vCISO end and the SOC begin?
The vCISO leads; on its own it does not watch your logs at three in the morning. That is the security operations function, and keeping the two distinct matters. The vCISO sets the strategy, owns the risk and reports to the board; the SOC runs detection and response against that strategy; vulnerability management reduces the exposure the strategy prioritises. Confusing the leadership role with the operational one is how programs end up with dashboards and no direction, or direction and nothing watching.
Because we run all three, the seam between them closes rather than widens. The vCISO directs our managed security and vulnerability management toward one plan, so the people setting the priorities and the people executing them work from the same picture. Where you already run your own SOC, the vCISO directs that instead; the role is the leadership, rather than a requirement to buy the operations from us as well.
Who needs a vCISO?
The clearest case is an organisation now caught by NIS2 or DORA that has no in-house security executive and cannot justify one, needing designated, documented leadership to satisfy the directive. Close behind are companies whose customers, partners or cyber insurers are asking for evidence of a mature program before they will sign or renew. A business preparing for a SOC 2 or ISO 27001 audit, going through an acquisition, or recovering from an incident reaches for one to lead the work at the level it requires.
What they share is a need for security judgement at executive level without the headcount to match. A team below a few hundred people, with IT keeping the lights on but no one owning security risk as a discipline, is the typical fit. Where an organisation has grown to the point that it genuinely needs a full-time CISO, we will say so; a vCISO engagement is a sound way to build the program to that point rather than a permanent substitute for the role.
Recovery is a security function now, not an IT chore.
A modern security program is judged as much on how fast it recovers as on how well it prevents, because the assumption has shifted from whether an incident will happen to when. The vCISO owns that side too, treating backup and recovery as a security capability rather than a task left to IT, and driving down the recovery time objective so an attack becomes a disruption measured in hours rather than an existential event measured in weeks. Global downtime losses run into the hundreds of billions a year, and the difference between a fast recovery and a slow one is usually a plan rehearsed in advance rather than improvised under pressure.
Rehearsal is the point of the tabletop exercise, which the vCISO runs to put the executive team through the decisions a real incident forces, increasingly including the deepfake-led social engineering that now targets finance and leadership directly. The value is not the document it produces but the muscle memory: when a breach happens, the people who have to make high-pressure calls have made them before in a safe setting. A program that has never rehearsed its response is one discovering its gaps at the worst possible moment.
Compliance is the floor, not the goal.
It is possible to be compliant and insecure, and a vCISO worth the retainer keeps the two from being confused. Passing an audit means meeting a defined set of controls on the day; being secure means the controls reduce the risks that genuinely threaten your business, and keep reducing them as the threats change. A program built only to clear the audit tends to optimise for the checklist and miss the exposure the checklist does not cover, which is how organisations with clean certificates still get breached.
An operator-led vCISO costs the strategy in reality, knowing what a control takes to run and whether it earns its place, rather than adding controls because a framework lists them. The roadmap is ordered by the risk it removes, not by the boxes it ticks, so the program defends the business first and satisfies the auditor as a consequence. Compliance falls out of a sound program; a program built backwards from compliance rarely produces real security.
Tell us where your security program stands. We'll lead it from there.
Bring the trigger: a supplier audit, a NIS2 deadline, or a board asking for clearer risk reporting. We give you a read on where the program is, the quick wins and the roadmap, and a clear picture of what a vCISO retainer would cover, before you commit to anything.