> For the complete documentation index, see [llms.txt](https://docs.oxfordinfosec.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oxfordinfosec.com/virtual-ciso.md).

# Virtual CISO

## Introducing the Service

A Chief Information Security Officer (CISO) provides strategic leadership for an organisation's security programme: setting direction, advising the board, overseeing risk, and ensuring security investment delivers real value. For most small businesses, a full-time CISO is neither affordable nor necessary, but the need for senior security leadership doesn't go away.

Oxford Infosec's vCISO service gives you part-time access to a senior security leader who acts as your organisation's security advisor. They bring the strategic oversight, board-level credibility, and decision-making authority you need, without the cost of a permanent hire.

This is a governance-focused service. Your vCISO sets direction, provides oversight, and ensures accountability. They don't replace your IT team or managed service providers; they make sure those people are pointed in the right direction and delivering what the business actually needs.

## What Problem Does This Solve?

Growing businesses often reach a point where security decisions are too important to make without experienced guidance, but not frequent enough to justify a full-time security executive.

If any of these statements would be difficult for you to make honestly today, a vCISO can help:

| Statement you want to make                                                                     | What typically happens without a vCISO                                                                                  |
| ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- |
| **"We know what our biggest security risks are and we're actively managing them"**             | Risks are vaguely understood but not documented, prioritised, or tracked. Decisions are reactive.                       |
| **"Our board and senior leaders could explain our security risk position in their own words"** | Founders scramble to put together a credible answer when asked, often underselling or overselling the current position. |
| **"We've consciously decided how much security risk we're willing to accept"**                 | Risk decisions are implicit or inconsistent. No framework for deciding what's acceptable.                               |
| **"When something security-related needs deciding, we know who decides and how"**              | Decisions fall through the cracks or get made by whoever happens to be in the room.                                     |
| **"If something serious happened tonight, we'd know what to do"**                              | Reactive firefighting without a plan. Panic, followed by expensive mistakes.                                            |
| **"When customers ask about our security, we can answer confidently and accurately"**          | Someone spends days on questionnaire responses that may not reflect reality.                                            |
| **"Security helps us win deals rather than lose them"**                                        | Security concerns stall or kill deals. Competitors with better security posture win.                                    |

A vCISO provides the experienced judgment to make these statements true, meaning fewer reactive scrambles and more proactive governance.

## Fit for Small Businesses

This service is designed for organisations that have outgrown ad-hoc security decisions but aren't ready for a full-time security executive. Typically this means:

* **20 to 200 employees**: large enough to have real security risks and stakeholder expectations, small enough that a full-time CISO would be underused
* **Handling sensitive data**: customer data, financial information, health records, intellectual property, or other information that would cause real harm if compromised
* **Facing external scrutiny**: customers asking security questions, investors conducting due diligence, regulators taking an interest, or certifications on the roadmap
* **Technical product or service**: SaaS platforms, technology-enabled services, or businesses where IT systems are core to what you do

Your vCISO adapts to your pace and priorities. In quieter periods, they provide light-touch oversight and remain available for ad-hoc guidance. When major decisions arise (a new market entry, a significant incident, a board presentation, or a certification push), they step in to provide the leadership you need.

If you don't yet have basic security controls in place, Security Foundations is usually a better starting point. A vCISO provides direction and oversight, not hands-on implementation.

## Outcomes: Statements You'll Be Able to Make

The value of a vCISO is measured by which statements you can make at the end of the engagement that you couldn't make at the start. Here's what a successful engagement enables:

### Governance and leadership

| Statement                                                                          | What this means for your business                                                              |
| ---------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **"We know what our biggest security risks are and we're actively managing them"** | You have visibility of what could hurt you, and you're doing something about it. No surprises. |
| **"We've consciously decided how much security risk we're willing to accept"**     | You have a framework for risk decisions, not ad-hoc judgments. Accepted risks are deliberate.  |
| **"When something security-related needs deciding, we know who decides and how"**  | Clear accountability. Decisions don't fall through the cracks.                                 |
| **"Our board could explain our security risk position in their own words"**        | Leadership is engaged and informed. Directors can demonstrate appropriate oversight.           |

### Incident readiness

| Statement                                                                                | What this means for your business                                                             |
| ---------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| **"If something serious happened tonight, we'd know what to do"**                        | You have a plan, people know their roles, and you've thought it through before a crisis hits. |
| **"We can contain and investigate a security incident"**                                 | You have capability, not just a document. You can actually respond effectively.               |
| **"We could tell customers and regulators what happened and what we're doing about it"** | You're not making up your communication plan during a crisis.                                 |
| **"Every incident makes us stronger, not just relieved it's over"**                      | You learn from incidents. Root causes get addressed. The same thing doesn't happen twice.     |

### External confidence

| Statement                                                                             | What this means for your business                                                  |
| ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| **"When customers ask about our security, we can answer confidently and accurately"** | Due diligence goes smoothly. You can back up what you claim.                       |
| **"Our documentation reflects how we actually operate"**                              | No gap between what you say and what you do. Auditors find what they expect.       |
| **"We hold the certifications our market expects"**                                   | You meet customer requirements. Compliance isn't a blocker.                        |
| **"Security helps us win deals rather than lose them"**                               | Security is a selling point, not a concern. You're ahead of customer expectations. |

### Expertise and credibility

| Statement                                                                            | What this means for your business                                                                        |
| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- |
| **"We have access to experienced security judgment when we need it"**                | Major decisions have the right expertise. You're not flying blind.                                       |
| **"We can say 'our CISO' and mean it"**                                              | Visible security leadership that stakeholders can engage with. Credibility with customers and investors. |
| **"We spend money on security where it matters, not where we're scared or sold to"** | Security investment follows risk, not vendor marketing. You get value from security spend.               |

Not every statement will be relevant to every organisation. During scoping, we'll identify which statements matter most to you and focus the engagement accordingly.

## How We Start: Scoping the Engagement

Every engagement starts with understanding which outcomes matter most to you.

Before we begin, we'll ask you and key stakeholders to rate a set of statements across two dimensions:

| Dimension                                   | Options                                  |
| ------------------------------------------- | ---------------------------------------- |
| **How important is this to your business?** | Must have, nice to have, or not relevant |
| **Can you say this today?**                 | Yes, partially, or no                    |

This takes about 15 minutes and tells us:

* **Where to focus**: statements that are important but can't be said today are priority gaps
* **Where you're already strong**: statements you can already make honestly
* **Where stakeholders disagree**: different perspectives that need alignment
* **What success looks like**: the statements you want to be able to make

The scoping survey becomes the foundation for the engagement. Your security strategy, roadmap, and progress reporting all connect back to these statements.

## Scope of Activities

Your vCISO provides governance and strategic oversight to help you make the statements that matter to your business. Here's how activities connect to outcomes:

### Governance and risk

| Activity                                                                                                                                  | Statements this enables                                                               |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| **Define security strategy**: articulate what security means for your business, what you're protecting, and what "good enough" looks like | "We know what 'good enough' looks like for our business and we're working towards it" |
| **Set risk appetite and tolerance**: work with leadership to define how much risk is acceptable and where the boundaries are              | "We've consciously decided how much security risk we're willing to accept"            |
| **Establish and maintain risk register**: ensure risks are identified, assessed, owned, and treated appropriately                         | "We know what our biggest security risks are and we're actively managing them"        |
| **Develop and maintain security roadmap**: prioritise initiatives based on risk, business value, and effort                               | "We spend money on security where it matters, not where we're scared or sold to"      |
| **Define security roles and decision rights**: clarify who is accountable for what and how decisions get made                             | "When something security-related needs deciding, we know who decides and how"         |

### Board and executive engagement

| Activity                                                                                                    | Statements this enables                                                 |
| ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
| **Prepare board reporting**: create clear, concise security updates for board meetings                      | "Our board could explain our security risk position in their own words" |
| **Attend board or leadership meetings**: present security updates and participate in relevant discussions   | "Security gets appropriate attention at leadership level"               |
| **Support investor and due diligence requests**: provide credible, accurate responses to security questions | "Investors aren't concerned about security skeletons in the closet"     |

### Incident oversight

| Activity                                                                                                         | Statements this enables                                                              |
| ---------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| **Establish incident response procedure**: ensure there's a documented, workable plan                            | "If something serious happened tonight, we'd know what to do"                        |
| **Act as escalation point for serious incidents**: provide strategic guidance when something significant happens | "We can contain and investigate a security incident"                                 |
| **Advise on incident communications**: provide input on stakeholder communications during and after incidents    | "We could tell customers and regulators what happened and what we're doing about it" |
| **Facilitate post-incident reviews**: ensure lessons are learned and improvements are made                       | "Every incident makes us stronger, not just relieved it's over"                      |

### Compliance and assurance oversight

| Activity                                                                                         | Statements this enables                              |
| ------------------------------------------------------------------------------------------------ | ---------------------------------------------------- |
| **Set compliance strategy**: determine which certifications are worth pursuing and in what order | "We hold the certifications our market expects"      |
| **Oversee compliance programmes**: monitor progress without doing the implementation work        | "Compliance requirements don't surprise us"          |
| **Review audit findings and remediation**: ensure findings are addressed appropriately           | "Auditors find what they expect to find"             |
| **Ensure documentation accuracy**: verify that documentation reflects actual practices           | "Our documentation reflects how we actually operate" |

### Product security oversight

| Activity                                                                                                         | Statements this enables                                                            |
| ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| **Advise on secure development practices**: provide guidance on building security into the development lifecycle | "Security is considered when we design features, not discovered when we test them" |
| **Oversee security testing strategy**: ensure appropriate testing is happening                                   | "We find vulnerabilities in our product before attackers do"                       |
| **Review product security metrics**: track and report on security bug trends                                     | "Serious security bugs don't languish in our backlog"                              |

### Third-party and people security oversight

| Activity                                                                                    | Statements this enables                                                |
| ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
| **Oversee supplier security assessments**: ensure supplier risks are identified and managed | "We're not one supplier breach away from our own breach"               |
| **Advise on awareness strategy**: provide input on security awareness programmes            | "People know how to recognise common threats like phishing"            |
| **Review access management practices**: ensure access controls are appropriate              | "People only have access to what they need for their job"              |
| **Oversee offboarding process**: ensure leavers' access is removed promptly                 | "When someone leaves, they can't still get into our systems next week" |

## What's Not Included

This is a governance and advisory service. Your vCISO provides direction and oversight; they don't do the hands-on work. The following are explicitly out of scope:

| Out of scope                             | Who typically does this                                                                     |
| ---------------------------------------- | ------------------------------------------------------------------------------------------- |
| **Day-to-day security operations**       | Your IT team, managed service provider, or security operations provider                     |
| **Writing policies and procedures**      | Your compliance team or a compliance consultant (like our ISO 27001 implementation service) |
| **Implementing technical controls**      | Your IT team or specialist contractors                                                      |
| **Hands-on incident response**           | Your IT team, managed detection and response provider, or incident response retainer        |
| **Conducting audits and assessments**    | Internal audit, compliance consultants, or specialist assessors                             |
| **Penetration testing**                  | Specialist penetration testing firms                                                        |
| **Security awareness training delivery** | Training providers or your HR/L&D team                                                      |
| **Filling in security questionnaires**   | Your sales, compliance, or operations team (though your vCISO may review critical responses) |
| **24/7 availability or on-call**         | This is a part-time advisory role, not a retained incident response service                 |

Where you need support with these activities, your vCISO can advise on what's required and help you procure the right resources, but they won't do the work themselves.

## Measuring Success

We measure success by movement on the statements that matter to you.

During scoping, we identify your priority statements: the ones that are important to your business but you can't say honestly today. These become your success criteria.

At each quarterly review, we assess progress:

| Statement                                                                      | Start     | Now       | Evidence                                                                   |
| ------------------------------------------------------------------------------ | --------- | --------- | -------------------------------------------------------------------------- |
| "We know what our biggest security risks are and we're actively managing them" | No        | Yes       | Risk register created, reviewed quarterly, treatment actions progressing   |
| "If something serious happened tonight, we'd know what to do"                  | Partially | Yes       | Incident response procedure documented, tested via tabletop exercise       |
| "A stolen password alone cannot compromise our critical systems"               | No        | Partially | MFA deployed to 80% of staff, critical systems covered, rollout continuing |

This approach means:

* **You can see the value**: progress is tangible, not abstract
* **Your board can see the value**: statements are meaningful to non-technical stakeholders
* **We stay focused**: effort goes toward outcomes, not activities for their own sake
* **Success is clear**: we know when we've achieved what we set out to achieve

## Typical Engagement Rhythm

| Activity                      | Frequency                                                                                      |
| ----------------------------- | ---------------------------------------------------------------------------------------------- |
| **Scheduled check-in**        | Monthly. Review progress, discuss upcoming priorities, address any issues                      |
| **Statement progress review** | Quarterly. Assess which statements have moved from "can't say" to "can say"                    |
| **Roadmap review**            | Quarterly. Review and update the security roadmap based on progress and changing circumstances |
| **Risk review**               | Quarterly. Review risk register, treatment progress, and any emerging risks                    |
| **Board reporting**           | As needed. Typically quarterly or aligned with your board meeting schedule                     |
| **Ad-hoc availability**       | Ongoing. Available for calls, emails, and urgent matters within reasonable response times      |

## Who Delivers the Service

Your vCISO will be a senior consultant with substantial experience in security leadership roles. They will typically hold recognised qualifications such as CISSP, CISM, or equivalent, and have experience across multiple sectors and organisation sizes.

You'll work with the same named vCISO throughout. They learn your business once, so you don't have to explain it each time.

## Assumptions

| Assumption                                  | Why this matters                                                                                                                                               |
| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **You have someone to do the work**         | A vCISO provides direction, not execution. You need an IT team, MSP, or other resources to implement what's agreed                                             |
| **Leadership is engaged and accessible**    | The vCISO needs access to founders, executives, or board members to be effective. Security decisions often need senior sign-off                                |
| **You're willing to act on advice**         | A vCISO adds value when their guidance is followed. If recommendations consistently go unactioned, statements won't move from "can't say" to "can say"         |
| **Basic security foundations are in place** | This isn't a service for organisations starting from zero. You should have basic IT infrastructure, some security controls, and people responsible for systems |
| **Communication is timely**                 | The vCISO needs to know about significant incidents, changes, and decisions that affect security. Surprises make governance difficult                          |

## Term and Review

The vCISO service has a minimum engagement term of six months, renewable quarterly thereafter.

This allows enough time to understand your business, establish the governance rhythm, and demonstrate measurable progress on your priority statements. Shorter engagements rarely provide enough continuity to be effective.

Scope and service level are reviewed quarterly to ensure the engagement remains aligned with your needs. If your priority statements change (because you've achieved them, or because your business has changed), we adjust the focus accordingly.

## Combining with Other Services

The vCISO service works well alongside Oxford Infosec's other services:

* **ISO 27001 Implementation and Maintenance**: your vCISO provides strategic oversight while the compliance service handles implementation. They ensure the certification programme stays aligned with business priorities rather than becoming a bureaucratic exercise. Together, they help you make statements like "We hold the certifications our market expects" and "Our documentation reflects how we actually operate."
* **SOC 2 Type I and II**: for organisations selling into the US market, the SOC 2 service handles implementation and audit readiness while the vCISO keeps the programme aligned with business priorities.
* **DPO as a Service**: your vCISO focuses on information security while the DPO handles data protection compliance. They coordinate to ensure a coherent approach to risk and compliance.
* **Security Foundations**: if the baseline controls aren't yet in place, Security Foundations gets them right first. A vCISO is most effective once the fundamentals are solid.

For organisations pursuing certification, a common pattern is to engage both vCISO and ISO 27001 (or SOC 2) services. The vCISO provides ongoing strategic leadership while the compliance service delivers the implementation work.
