When Do You Need a Virtual CISO?

You need a virtual CISO when cyber security has to be owned at the management level and a full time CISO is not yet justified. The usual triggers are a customer or tender asking for ISO 27001, SOC 2 or IRAP, a board asking who owns cyber risk, or growth that has run ahead of your security maturity.

What is the real trigger for a vCISO?

Most organisations call after an incident. The better time is before one, at the point where accountability for cyber security has no clear owner. That is the real trigger, and it is a question rather than an event: who is accountable for cyber risk here, and can they answer a board, an auditor or a customer who asks. If the honest answer is the IT manager handling it between other jobs, you have your signal.

The AICD Cyber Security Governance Principles put this first. Principle 1 is to set clear roles and responsibilities, and to document who is accountable for cyber security at board and management level. The ISM cyber security principles place the same accountability at the executive level under the govern function. A virtual CISO fills that senior management point part time, which is enough for many organisations that cannot justify, or do not yet need, a full time hire.

Which signals mean it is time?

The trigger usually shows up as concrete pressure from outside. When one or more of these lands, the accountability gap stops being theoretical and someone has to own the response.

| Signal | What it usually means |
| --- | --- |
| Security questionnaires arriving in sales | Buyers are vetting your security and someone has to own the answers and the gaps behind them |
| A tender or contract requires ISO 27001, Essential Eight Maturity Level 2 or IRAP | A compliance programme has to be run and reported, not passed once and forgotten |
| US customers ask for SOC 2 | Deals are gated on an attestation you do not hold yet |
| Raising capital | Investor due diligence will probe how cyber risk is governed |
| The board or an auditor asks who owns cyber risk | The accountability point is missing and now visible |
| Rapid growth in headcount or sensitive data | Your risk has outgrown the informal way it was managed |
| A near miss, or a breach at a competitor or supplier | The cost of having no owner just became real |

A tender that requires Essential Eight Maturity Level 2, a US buyer asking for SOC 2, or a system that needs an IRAP assessment each create work that needs an owner, not just a project team. The project ends. The accountability does not.

When do you not need one yet?

A vCISO governs a security programme. If you hold little sensitive data, face no compliance or customer pressure, and already have a capable person accountable for cyber risk, the role can wait. Buying one to tick a box before there is anything to govern wastes the retainer. Start the work first. A vCISO leads a programme; it cannot lead one that does not exist yet.

A vCISO or a full time CISO?

Part time is enough while the security workload is periodic rather than constant: strategy, a quarterly risk review, board reporting, and oversight of projects other people deliver. Cybernion’s vCISO retainers run 8 to 16 hours per month by tier, delivered by one named person. Once the work becomes daily, hands on and embedded in the business, you have outgrown the model and a full time CISO is the right call. The honest test is the volume and immediacy of the work, not the size of the company.

What happens in the first few months?

A vCISO starts by finding out what you actually have. The early weeks usually produce a risk register, a short list of the controls that matter for your business, and a board level view of where the gaps are. The first real work is normally closing the questionnaire and tender gaps that prompted the call, then standing up the governance that was missing. The hands on build, whether that is ISO 27001 readiness, SOC 2 or Essential Eight, is separate work the vCISO directs and reports on but does not personally execute. That separation is deliberate. The person setting the direction should not also mark their own homework. If that is the model you want, our virtual CISO service is built around a single named point of accountability.

Is a vCISO only for small companies?

No. Startups and scaleups use one to gain senior security leadership without a full time hire, and larger organisations use one to cover a gap, a leadership transition, or a specialist domain they lack in house.

Can a vCISO get us through ISO 27001 or SOC 2?

The vCISO owns the strategy and direction and reports progress to the board. The hands on implementation and audit support is separate ISO 27001 or SOC 2 readiness work. Many organisations run the leadership and the build together.

How many hours a month does a vCISO need?

Cybernion’s vCISO retainers run 8 to 16 hours per month depending on tier, delivered by one named person and billed monthly in advance. Pricing is scoped by need, not published.

Do we still need a vCISO after hiring a full time CISO?

Usually not. Some organisations keep one for independent assurance or a specialist area, but once a full time CISO is in place the part time role has normally done its job.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Talk to us. We aren’t always chasing a transaction.

Sources:

  1. AICD Cyber Security Governance Principles, Version 2, November 2024
  2. ASD, The cyber security principles (govern function, executive accountability), 17 March 2026
  3. ASD and AICD, Cyber security priorities for boards of directors 2025-26, October 2025

Last updated: 21 June, 2026