A Guide to Virtual CISO Costs


“Rob, what does a virtual CISO cost?”

I get some version of this question almost every week. Sometimes multiple times per week!

I wish I could give a clean, satisfying answer. But the answer is… it depends!

And I know that’s annoying. So let me explain what it actually depends on, what you get at each price point, and why some big companies would pay close to a full-time CISO salary for a vCISO agreement. 

It’s like buying a car… 

You can buy a car for $20,000. You can also buy one for $350,000. Both will get you from Point A to Point B, but you are not buying the same thing. And if you show up to a Ferrari dealership expecting a Corolla price, everyone in the room is going to have a bad time.

Virtual CISO (vCISO) services work the same way. The price range for a vCISO engagement runs from roughly $20,000 per year on the low end to $350,000 or more on the high end. For midmarket companies, a quality vCISO from a reputable firm will likely cost approximately $120,000 per year. 

vCISO Engagement | What You Get | Typical Cost
MSP-provided vCISO | Junior leader, technical implementer, and/or salesperson | Approx. $20,000
Interim/Part-time CISO | Fortune 500 CISO, 20-40 hours per week | $350,000+
Midmarket Virtual CISO | Senior cybersecurity leader, cybersecurity program development, weekly execution | Approx. $120,000

What You’re Getting at $20,000 Per Year

At $20,000 per year, you’re spending about $1,600 per month. That does not buy you much time from a senior cybersecurity executive.

Here’s what usually happens at that price point: you are either buying a fraction of a real vCISO’s time (and I mean a very small fraction), or you’re buying your “vCISO” from the service menu of a managed service provider (MSP).

A genuine, experienced CISO commands a market rate that makes $1,600 per month essentially a rounding error on their time. You will get roughly three to five hours of vCISO time per month. 

At that engagement level, they are not focused on your business. If they are not attending your team meetings, they may generate one high-quality deliverable per month. If they are attending your team meetings, they are probably not doing much else. 

This might be fine if all you need is someone to give you direction once per week. 

It is not fine if you need them to actually build and manage a security program. 

Regarding the MSP “vCISO”: in our experience, an MSP vCISO often acts like a security tool salesperson for the MSP. You ask them “What’s the best solution for security problem X?” Their answer is invariably “We sell Y tool to solve this problem!”

Your MSP may be excellent at managing your infrastructure. That is a different skill set than strategic security leadership. 

Another practical problem with any ultra-low-cost vCISO arrangement is coverage. Your security program is great 47 weeks of the year. What happens in week 48, when you’re mid-audit, a vendor security review lands in your inbox, and your $20K vCISO is on vacation in Cabo?

You’re on your own!

What are you getting at $60,000 per year? 

Sometimes, you may be able to buy enough time from an experienced CISO to make an impact on your business. If your brother-in-law, next-door neighbor, or best friend is head of security at a large company, and they’re willing to provide you enough consulting hours on the side to run your program, then you have an amazing deal on your hands! Take it, and don’t mess it up!

For the rest of you, who have not landed in cybersecurity leadership heaven, this article is for you.

What Pushes Costs to $350,000 and Beyond? 

On the other end of the spectrum, a $350,000-per-year vCISO engagement is usually serving a very different company with very different needs.

At that level, you’re typically looking at a large enterprise dealing with one of a few situations:

  1. The full-time CISO just departed and they need an experienced interim CISO to provide program continuity. 
  2. They experienced a serious cybersecurity, compliance, or regulatory incident and need a new leader to manage their program. 
  3. The company was recently sold, acquired, or is otherwise going through a significant change. A part-time CISO leads cybersecurity transformation in tandem. 

There are two popular models for these engagements: 

  1. Monthly retainer model of $10,000 – $20,000 per month, plus hourly pay for specific tasks. 
  2. Hourly advisory at $300 – $600 per hour. 

These costs are quite high because they demand high-level talent. There’s no time to train the CISO; they have to join ready to contribute. They are asked to own complex, multi-entity companies with a global footprint that often face heavy regulatory scrutiny along with direct board-level reporting.

Enterprises with these needs require a security leader in the top 10% of global CISOs. CISOs with that experience, at that engagement depth, are expensive. Sometimes, the vCISO will need to put in 20-25 hour work weeks to accomplish the necessary goals. Sometimes, the company will also request additional team support to go with the vCISO, such as a cybersecurity analyst. All of these things drive the costs up.

But it still makes sense for enterprises to use a vCISO because, as stated in the scenarios above, they have an urgent need for highly experienced cybersecurity leadership. Yes, they will want to get a full-time CISO at some point later, but executive searches take a long time. They need someone working in that role right now, to maintain continuity and implement changes while they look for their next full-time hire.

Why can’t I just pay someone hourly occasionally?

Given the high hourly cost, you may have an instinct to just hire a vCISO as you need them, for roughly 10 hours per month.

While you might be able to find a practitioner willing to do this, the agreement is less likely to be successful. 

There are 160 working hours in the month. If a vCISO provides only 10 hours of work per month, that is 1/16th of their working time. That is often not enough time for them to produce meaningful progress on your program.

Plus, there is a reasonable limit on how many client organizations a single person can manage. A good CISO needs to know and internalize key details about your organization, its infrastructure, product, and business goals. It’s challenging for someone to do that when they manage up to 15 other clients! 

Enterprise CISOs will often have somewhere between two and four clients at a time, depending on what each contract demands.

Where Does Fractional CISO Actually Land?

Fractional CISO’s average contracts are around $120,000 per year. 

Our specific pricing depends on your company’s structure and specific governance, risk, and compliance needs. (You can use our calculator to get a budgetary estimate here.) 

How large is your company? How complex is your environment? Are we meeting with seven departments per week, or one? Is your security program starting from scratch, or are we stepping into something reasonably mature? Is this a steady-state advisory relationship or an active compliance push with a hard deadline?

All of those variables move the number significantly. 

A 35-person SaaS company with one cloud environment and a clean vendor list is a very different engagement from a 400-person healthtech company that sells software-enabled medical devices connected to hybrid infrastructure. 

What I can tell you is that our engagements are priced to reflect a real senior practitioner: someone who knows your business, shows up to your meetings, and delivers real, strategic guidance that is unique to YOUR company. We make great use of your vCISO time by supporting them with a Cybersecurity Analyst. This allows the hours that they spend with you to be focused on moving the needle for the business instead of issuing reports and writing policy revisions. 

Your two-person security team is backstopped by the Fractional CISO team, so you have availability for all 52 weeks of the year. 

After our program with you is well-established, it is possible to reduce the cost. It is less labor-intensive to operate an existing program than it is to build a new one.

How do you know if the program is established? Here are some common signs: 

  • You perform quarterly internal audits and follow up on their findings.
  • You just performed your third annual incident response tabletop exercise.
  • Your vendor management program is executing well for both on- and offboarding.
  • Vulnerability scanning and patch management are running well. 
  • You run a regular (once or twice annual) penetration test, and actually implement fixes.
  • Someone owns these actions and is executing them on a weekly basis. 

Even with reduced costs to run a steady-state program, we are never a $20,000/year vCISO. 

Sometimes, we are the $350,000/year vCISO (we do provide interim and part-time CISO services to large enterprises). 

Most often, for midmarket clients, we are somewhere around $120,000 per year. 

The Question Underneath the Question

When someone asks me about vCISO costs, what they’re usually really asking is: “Is this worth it, and can I afford it?”

On affordability: the cost of a quality vCISO engagement, spread across a year, is often less than the cost of a single serious security incident. The average ransomware recovery cost for a small business now runs well into six figures. A good vCISO engagement is not cheap. Neither is the alternative.

On whether it’s worth it: that depends on what you’re trying to accomplish. If you need a checkbox for a procurement questionnaire, there are cheaper ways to get there. If you want someone who will actually build your cybersecurity program to manage risk and support compliance, it probably is. 

We’re happy to have that conversation! Start with the pricing form and we’ll take it from there.


Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).
