What Does a Virtual CISO Do? The Scope of the Role

A virtual CISO owns the direction and accountability of your security programme: strategy, the risk register, board reporting, vendor reviews and policy. It does not run the tools. Building, monitoring, patching and incident response execution sit with your team, an MSSP or a separate retainer. The vCISO makes the risk calls and stands behind them.

Most buyers picture a virtual CISO doing the security work. The value is the opposite. A vCISO owns the decisions and the accountability, and leaves the hands on work to the people and tools built for it. This article sets out exactly what the role covers, what it does not, and what a month actually looks like.

What does a virtual CISO actually do?

A vCISO carries the accountability a chief information security officer carries, bought part time on a retainer. The work splits in two. Direction is the larger half: a security strategy and roadmap, the risk register and the risk calls that come with it, the security policies, and the reporting that puts cyber risk in front of the board and executive in language they can act on. Oversight is the rest: vendor and procurement security reviews, compliance against the frameworks you are held to, and guidance when an incident hits. One named person owns all of it. The Cyber Security Governance Principles, Version 2 from the AICD make this the first thing a board should fix, naming who is accountable for cyber security at management level. If that is what a virtual CISO is, the next question is when you need one.

What does a vCISO not do?

It does not run your security operations. Building and configuring controls, patching, monitoring a SIEM, running vulnerability scans, penetration testing and executing incident response are hands on work. They sit with your internal team, a managed security service provider, or a separate Security Retainer. The line matters more than it looks. A vCISO that also runs the tools is a managed service with a senior title. The person who sets the risk appetite should not also be the person marking their own remediation. Cybernion keeps that execution work in a separate retainer for the same reason, which is also how the retainer is priced.

What is in scope and what is out?

The split is consistent. The vCISO owns the things that set and prove direction; everything that needs a keyboard on a control sits elsewhere. The table below is the Cybernion scope.

In scope (the vCISO owns it)                    | Out of scope (your team, an MSSP, or a separate retainer)
------------------------------------------------|----------------------------------------------------------
Security strategy and roadmap                   | Building and configuring security controls
The risk register and quarterly risk review     | Monitoring, alerting and SIEM operations
Board and executive reporting                   | Patching and vulnerability remediation
Security policy review and development          | Penetration testing
Vendor and procurement security review          | Incident response execution
Incident response guidance and oversight        | Managed day to day operations
Compliance oversight across your frameworks     | Hands on implementation

What does a typical month look like?

Cybernion runs the role at 8 to 16 hours a month by tier, billed monthly in advance, scoped to need rather than sold as a fixed task list. A month usually carries a set of advisory hours, a standing executive or board update, and whatever the current programme needs next: a vendor review before a contract signs, a policy refresh, a roadmap checkpoint. Once a quarter the risk register gets a full review and update. When something breaks, the vCISO gives direction and oversight, not the keyboard work. The cadence flexes with the tier, the compliance load and the reporting rhythm the board expects. The hours are indicative and move with the workload, which is part of the difference between a vCISO versus a full time CISO.

How does a vCISO work with your team and your providers?

The vCISO sits above execution, not beside it. Your engineers, your managed service provider and your tooling do the work. The vCISO decides what gets done, in what order, and against which risks, then holds the providers to it. That keeps one accountable owner over a programme delivered by several hands, which is the point the ISM govern function makes about executive accountability. It also keeps independence intact, because the person who sets the direction is not the person being graded on the fix. The actual control work, whether that is the Essential Eight, ISO 27001 or SOC 2, is the job the vCISO oversees rather than performs.

Frequently asked questions

Does a virtual CISO do hands on security work?

No. A vCISO sets direction and provides oversight. Building controls, monitoring, patching, testing and incident response execution sit with your team, an MSSP or a separate retainer.

How many hours a month is a virtual CISO?

Cybernion runs the role at 8 to 16 hours a month by tier, scoped to need and billed monthly in advance. The figure is indicative and moves with the workload.

Can a virtual CISO report to our board?

Yes. Board and executive reporting is a core part of the role, putting cyber risk in front of decision makers in terms they can act on.

Is a virtual CISO the same as an MSSP?

No. An MSSP sells monitoring and tooling. A vCISO owns strategy, risk and accountability, and oversees the MSSP rather than replacing it.


Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.


Sources:

  1. Cyber Security Governance Principles, Version 2, AICD, November 2024
  2. The cyber security principles, cyber.gov.au, 17 March 2026

Last updated: 21 June, 2026