The short version
A virtual CISO — vCISO — is a fractional Chief Information Security Officer. Security leadership and accountability, delivered part-time or on retainer, without the full-time salary of an in-house executive hire.
The vCISO owns the program: the policies, the annual risk assessment, the incident-response plan, the vendor-risk reviews, the compliance posture, the board-level reporting. The MSP owns the operations: the EDR, the MFA enforcement, the backups, the patching, the help desk.
In a small business, the same firm often provides both. They're still distinct roles.
What a vCISO actually does
- Owns the written information security program. The policies, the standards, the procedures. Reviewed and signed off annually.
- Runs the annual risk assessment. Inventory, threats, controls, gaps, plan. See how to do a risk assessment.
- Approves the technology stack. Reviews and approves the security tools the MSP operates. Makes the buy/upgrade calls on tooling.
- Owns vendor risk management. Which third parties have access, what data they touch, what their security posture is, what's in their contract.
- Maintains the incident-response plan. Tabletop exercises annually. Updates after any incident or near-miss.
- Handles compliance reporting. The HIPAA Security Rule paperwork, the FTC Safeguards Rule documentation, the cyber-insurance application, the customer vendor-security questionnaire.
- Reports to leadership. Quarterly business review covering the state of the program, the gaps closed, the gaps still open, the budget request for the next quarter.
- Represents security in big decisions. Cloud migrations, M&A, new product launches, hiring an in-house IT person — the vCISO is in the room.
How a vCISO is different from an MSP
The MSP is the operations team for IT and security. The vCISO is the strategy and accountability layer above it.
An analogy: the MSP is the building contractor; the vCISO is the architect. The contractor builds well, on time, to spec. The architect decides what to build, what materials, what code requirements apply. A small project can have the same person do both. A larger or more regulated project benefits from separation.
When a small business genuinely needs one
Four scenarios most often trigger a vCISO engagement:
- Regulated workload. Healthcare (HIPAA), financial services (GLBA, NCUA), government / law enforcement (CJIS), or any business processing card data above the lowest PCI tier.
- Customer-driven security requirements. The largest customer or partner sends a 60-question vendor-security questionnaire that asks for the CISO's name. "We use an MSP" is the wrong answer to that question.
- Cyber-insurance scope. Carriers writing larger limits ($5M+) start asking about the security program, not just the stack. A vCISO is the program.
- Post-incident maturity. A business that had a real incident, paid the insurance deductible, and decided this won't happen again. The vCISO is the structural change.
If none of those apply, a capable MSP with strong operational security is probably enough. Adding a vCISO line item to satisfy a "should we have one?" question is rarely the right call for a sub-30-person business.
What a vCISO engagement looks like
Typical structure for a small to mid-sized business:
- Onboarding (month 1): Discovery, current-state assessment, initial risk assessment, policy gap analysis, written 90-day plan.
- Ongoing (months 2–12): Monthly working session with leadership (1–2 hours), monthly working session with the IT/MSP team (1–2 hours), quarterly business review (half-day), policy and risk-assessment refresh on the annual cadence.
- On-demand: Customer security questionnaire support, incident response support, vendor-review support, M&A diligence.
- Annual review: Full program review, risk-assessment refresh, board presentation if applicable.
What a vCISO costs
Pricing varies by hours and engagement model:
- Fractional retainer — $2,500–$8,000 per month for 10–30 hours.
- Per-engagement / project — $5,000–$25,000 for a defined deliverable (initial program build, customer-required SOC 2 readiness work).
- Hourly / as-needed — $500–$1,000 per hour for incident response or specific consulting.
Reference point: an in-house CISO with the experience to do the role properly typically costs $200,000–$300,000 fully-loaded for a small business. The vCISO is usually 10–20% of that, in exchange for less than full-time availability.
Mistakes to avoid
- Hiring a vCISO without an MSP. The vCISO needs operational security to lead. Without it, the strategy doesn't get executed.
- Hiring a vCISO who doubles as the help desk. If the vCISO is also resetting passwords, the role isn't being filled.
- Treating it as a checkbox. A vCISO retainer that produces no documents, no risk assessment, no policy updates, and no quarterly review isn't a vCISO — it's a fee.
- Hiring too early. A 5-person business with a managed-IT relationship doesn't need a vCISO. Save the budget for the operational stack.
How Micro-IT handles the program-level work
For most Micro-IT clients, the program-level security work — written policies, annual risk assessment, incident-response runbook, vendor BAAs, cyber-insurance application support — is included in the standard managed engagement at no separate charge. For regulated clients (HIPAA-aligned healthcare, GLBA-aligned credit unions, CJIS-aware municipalities), we deliver a heavier program-level scope that maps to vCISO functions, again as part of the standard engagement. Clients with explicit customer requirements (an enterprise vendor questionnaire that asks for a CISO) can engage us in a formal vCISO capacity as an add-on. See the security page for the operational stack, or talk to us about a program-level scope.
