Virtual CISO

Introducing the Service

A Chief Information Security Officer (CISO) provides strategic leadership for an organisation's security programme - setting direction, advising the board, overseeing risk, and ensuring security investment delivers real value. For most small businesses, a full-time CISO is neither affordable nor necessary, but the need for senior security leadership doesn't go away.

Oxford Infosec's vCISO service provides fractional access to an experienced security leader who acts as your organisation's senior security advisor. They bring the strategic oversight, board-level credibility, and decision-making authority you need - without the cost of a permanent hire.

This is a governance-focused service. Your vCISO sets direction, provides oversight, and ensures accountability. They don't replace your IT team or managed service providers; they make sure those resources are pointed in the right direction and delivering what the business actually needs.

What Problem Does This Solve?

Growing businesses often reach a point where security decisions are too important to make without experienced guidance, but not frequent enough to justify a full-time security executive.

If any of these statements would be difficult for you to make honestly today, a vCISO can help:

Statement you want to make, and what typically happens without a vCISO:

  • "We know what our biggest security risks are and we're actively managing them" - risks are vaguely understood but not documented, prioritised, or tracked. Decisions are reactive.

  • "Our board and senior leaders could explain our security risk position in their own words" - founders scramble to put together a credible answer when asked, often underselling or overselling the current position.

  • "We've consciously decided how much security risk we're willing to accept" - risk decisions are implicit or inconsistent. No framework for deciding what's acceptable.

  • "When something security-related needs deciding, we know who decides and how" - decisions fall through the cracks or get made by whoever happens to be in the room.

  • "If something serious happened tonight, we'd know what to do" - reactive firefighting without a plan. Panic, followed by expensive mistakes.

  • "When customers ask about our security, we can answer confidently and accurately" - someone spends days on questionnaire responses that may not reflect reality.

  • "Security helps us win deals rather than lose them" - security concerns stall or kill deals. Competitors with better security posture win.

A vCISO provides the experienced judgment to make these statements true, meaning fewer reactive scrambles and more proactive governance.

Fit for Small Businesses

This service is designed for organisations that have outgrown ad-hoc security decisions but aren't ready for a full-time security executive. Typically this means:

  • 20 to 200 employees - large enough to have real security risks and stakeholder expectations, small enough that a full-time CISO would be underutilised

  • Handling sensitive data - customer data, financial information, health records, intellectual property, or other information that would cause real harm if compromised

  • Facing external scrutiny - customers asking security questions, investors conducting due diligence, regulators taking an interest, or certifications on the roadmap

  • Technical product or service - SaaS platforms, technology-enabled services, or businesses where IT systems are core to what you do

Your vCISO adapts to your pace and priorities. In quieter periods, they provide light-touch oversight and remain available for ad-hoc guidance. When major decisions arise - a new market entry, a significant incident, a board presentation, or a certification push - they step in to provide the leadership you need.

Outcomes: Statements You'll Be Able to Make

The value of a vCISO is measured by which statements you can make at the end of the engagement that you couldn't make at the start. Here's what a successful engagement enables:

Governance and leadership

Statement, and what this means for your business:

  • "We know what our biggest security risks are and we're actively managing them" - you have visibility of what could hurt you, and you're doing something about it. No surprises.

  • "We've consciously decided how much security risk we're willing to accept" - you have a framework for risk decisions, not ad-hoc judgments. Accepted risks are deliberate.

  • "When something security-related needs deciding, we know who decides and how" - clear accountability. Decisions don't fall through the cracks.

  • "Our board could explain our security risk position in their own words" - leadership is engaged and informed. Directors can demonstrate appropriate oversight.

Incident readiness

Statement, and what this means for your business:

  • "If something serious happened tonight, we'd know what to do" - you have a plan, people know their roles, and you've thought it through before a crisis hits.

  • "We can contain and investigate a security incident" - you have capability, not just a document. You can actually respond effectively.

  • "We could tell customers and regulators what happened and what we're doing about it" - you're not making up your communication plan during a crisis.

  • "Every incident makes us stronger, not just relieved it's over" - you learn from incidents. Root causes get addressed. The same thing doesn't happen twice.

External confidence

Statement, and what this means for your business:

  • "When customers ask about our security, we can answer confidently and accurately" - due diligence goes smoothly. You can back up what you claim.

  • "Our documentation reflects how we actually operate" - no gap between what you say and what you do. Auditors find what they expect.

  • "We hold the certifications our market expects" - you meet customer requirements. Compliance isn't a blocker.

  • "Security helps us win deals rather than lose them" - security is a selling point, not a concern. You're ahead of customer expectations.

Expertise and credibility

Statement, and what this means for your business:

  • "We have access to experienced security judgment when we need it" - major decisions have the right expertise. You're not flying blind.

  • "We can say 'our CISO' and mean it" - visible security leadership that stakeholders can engage with. Credibility with customers and investors.

  • "We spend money on security where it matters, not where we're scared or sold to" - security investment follows risk, not vendor marketing. You get value from security spend.

Not every statement will be relevant to every organisation. During scoping, we'll identify which statements matter most to you and focus the engagement accordingly.

How We Start: Scoping the Engagement

Every engagement starts with understanding which outcomes matter most to you.

Before we begin, we'll ask you and key stakeholders to rate a set of statements across two dimensions:

1. How important is this to your business? Options: Must have / Nice to have / Not relevant

2. Can you say this today? Options: Yes / Partially / No

This takes about 15 minutes and tells us:

  • Where to focus - statements that are important but can't be said today are priority gaps

  • Where you're already strong - statements you can already make honestly

  • Where stakeholders disagree - different perspectives that need alignment

  • What success looks like - the statements you want to be able to make

The scoping survey becomes the foundation for the engagement. Your security strategy, roadmap, and progress reporting all connect back to these statements.

Scope of Activities

Your vCISO provides governance and strategic oversight to help you make the statements that matter to your business. Here's how activities connect to outcomes:

Governance and risk

Activity, and the statements it enables:

  • Define security strategy - articulate what security means for your business, what you're protecting, and what "good enough" looks like. Enables: "We know what 'good enough' looks like for our business and we're working towards it"

  • Set risk appetite and tolerance - work with leadership to define how much risk is acceptable and where the boundaries are. Enables: "We've consciously decided how much security risk we're willing to accept"

  • Establish and maintain risk register - ensure risks are identified, assessed, owned, and treated appropriately. Enables: "We know what our biggest security risks are and we're actively managing them"

  • Develop and maintain security roadmap - prioritise initiatives based on risk, business value, and effort. Enables: "We spend money on security where it matters, not where we're scared or sold to"

  • Define security roles and decision rights - clarify who is accountable for what and how decisions get made. Enables: "When something security-related needs deciding, we know who decides and how"

Board and executive engagement

Activity, and the statements it enables:

  • Prepare board reporting - create clear, concise security updates for board meetings. Enables: "Our board could explain our security risk position in their own words"

  • Attend board or leadership meetings - present security updates and participate in relevant discussions. Enables: "Security gets appropriate attention at leadership level"

  • Support investor and due diligence requests - provide credible, accurate responses to security questions. Enables: "Investors aren't concerned about security skeletons in the closet"

Incident oversight

Activity, and the statements it enables:

  • Establish incident response procedure - ensure there's a documented, workable plan. Enables: "If something serious happened tonight, we'd know what to do"

  • Act as escalation point for serious incidents - provide strategic guidance when something significant happens. Enables: "We can contain and investigate a security incident"

  • Advise on incident communications - provide input on stakeholder communications during and after incidents. Enables: "We could tell customers and regulators what happened and what we're doing about it"

  • Facilitate post-incident reviews - ensure lessons are learned and improvements are made. Enables: "Every incident makes us stronger, not just relieved it's over"

Compliance and assurance oversight

Activity, and the statements it enables:

  • Set compliance strategy - determine which certifications are worth pursuing and in what order. Enables: "We hold the certifications our market expects"

  • Oversee compliance programmes - monitor progress without doing the implementation work. Enables: "Compliance requirements don't surprise us"

  • Review audit findings and remediation - ensure findings are addressed appropriately. Enables: "Auditors find what they expect to find"

  • Ensure documentation accuracy - verify that documentation reflects actual practices. Enables: "Our documentation reflects how we actually operate"

Product security oversight

Activity, and the statements it enables:

  • Advise on secure development practices - provide guidance on building security into the development lifecycle. Enables: "Security is considered when we design features, not discovered when we test them"

  • Oversee security testing strategy - ensure appropriate testing is happening. Enables: "We find vulnerabilities in our product before attackers do"

  • Review product security metrics - track and report on security bug trends. Enables: "Serious security bugs don't languish in our backlog"

Third-party and people security oversight

Activity, and the statements it enables:

  • Oversee supplier security assessments - ensure supplier risks are identified and managed. Enables: "We're not one supplier breach away from our own breach"

  • Advise on awareness strategy - provide input on security awareness programmes. Enables: "People know how to recognise common threats like phishing"

  • Review access management practices - ensure access controls are appropriate. Enables: "People only have access to what they need for their job"

  • Oversee offboarding process - ensure leavers' access is removed promptly. Enables: "When someone leaves, they can't still get into our systems next week"

What's Not Included

This is a governance and advisory service. Your vCISO provides direction and oversight; they don't do the hands-on work. The following are explicitly out of scope:

Out of scope, and who typically does this:

  • Day-to-day security operations - your IT team, managed service provider, or security operations provider

  • Writing policies and procedures - your compliance team or a compliance consultant (like our ISO 27001 implementation service)

  • Implementing technical controls - your IT team or specialist contractors

  • Hands-on incident response - your IT team, managed detection and response provider, or incident response retainer

  • Conducting audits and assessments - internal audit, compliance consultants, or specialist assessors

  • Penetration testing - specialist penetration testing firms

  • Security awareness training delivery - training providers or your HR/L&D team

  • Filling in security questionnaires - your sales, compliance, or operations team (though your vCISO may review critical responses)

  • 24/7 availability or on-call - this is a fractional advisory role, not a retained incident response service

Where you need support with these activities, your vCISO can advise on what's required and help you procure the right resources - but they won't do the work themselves.

Service Levels

The vCISO service is available at different commitment levels depending on your needs:

Level, and who it is best suited for:

  • Advisory - organisations with basic security needs who want experienced oversight and someone to call on for major decisions

  • Standard - organisations with active compliance programmes, regular board reporting needs, or ongoing security initiatives

  • Enhanced - organisations in regulated sectors, pursuing multiple certifications, or going through significant change

Time is used flexibly: more in months with board meetings, audits, or incidents, and less in quieter periods. We'll work with you to get the pacing right.

Measuring Success

We measure success by movement on the statements that matter to you.

During scoping, we identify your priority statements - the ones that are important to your business but you can't say honestly today. These become your success criteria.

At each quarterly review, we assess progress:

For each statement we record where you started, where you are now, and the evidence:

  • "We know what our biggest security risks are and we're actively managing them" - start: No; now: Yes. Evidence: risk register created, reviewed quarterly, treatment actions progressing.

  • "If something serious happened tonight, we'd know what to do" - start: Partially; now: Yes. Evidence: incident response procedure documented, tested via tabletop exercise.

  • "A stolen password alone cannot compromise our critical systems" - start: No; now: Partially. Evidence: MFA deployed to 80% of staff, critical systems covered, rollout continuing.

This approach means:

  • You can see the value - progress is tangible, not abstract

  • Your board can see the value - statements are meaningful to non-technical stakeholders

  • We stay focused - effort goes toward outcomes, not activities for their own sake

  • Success is clear - we know when we've achieved what we set out to achieve

Typical Engagement Rhythm

Activity, and how often it happens:

  • Scheduled check-in - monthly: review progress, discuss upcoming priorities, address any issues

  • Statement progress review - quarterly: assess which statements have moved from "can't say" to "can say"

  • Roadmap review - quarterly: review and update the security roadmap based on progress and changing circumstances

  • Risk review - quarterly: review risk register, treatment progress, and any emerging risks

  • Board reporting - as needed: typically quarterly or aligned with your board meeting schedule

  • Ad-hoc availability - ongoing: available for calls, emails, and urgent matters within reasonable response times

Who Delivers the Service

Your vCISO will be a senior consultant with substantial experience in security leadership roles. They will typically hold recognised qualifications such as CISSP, CISM, or equivalent, and have experience across multiple sectors and organisation sizes.

You'll have a named vCISO who gets to know your business and provides continuity. They act as your security leader - not as an anonymous consultant who needs to be briefed from scratch each time.

Assumptions

Assumption, and why it matters:

  • You have someone to do the work - a vCISO provides direction, not execution. You need an IT team, MSP, or other resources to implement what's agreed.

  • Leadership is engaged and accessible - the vCISO needs access to founders, executives, or board members to be effective. Security decisions often need senior sign-off.

  • You're willing to act on advice - a vCISO adds value when their guidance is followed. If recommendations consistently go unactioned, statements won't move from "can't say" to "can say".

  • Basic security foundations are in place - this isn't a service for organisations starting from zero. You should have basic IT infrastructure, some security controls, and people responsible for systems.

  • Communication is timely - the vCISO needs to know about significant incidents, changes, and decisions that affect security. Surprises make governance difficult.

Term and Review

The vCISO service has a minimum engagement term of six months, renewable quarterly thereafter.

This allows enough time to understand your business, establish the governance rhythm, and demonstrate measurable progress on your priority statements. Shorter engagements rarely provide enough continuity to be effective.

Scope and service level are reviewed quarterly to ensure the engagement remains aligned with your needs. If your priority statements change - because you've achieved them, or because your business has changed - we adjust the focus accordingly.

Combining with Other Services

The vCISO service works well alongside Oxford Infosec's other offerings:

  • ISO 27001 Implementation and Maintenance - your vCISO provides strategic oversight while the compliance service handles implementation. They ensure the certification programme stays aligned with business priorities rather than becoming a bureaucratic exercise. Together, they help you make statements like "We hold the certifications our market expects" and "Our documentation reflects how we actually operate."

  • DPO as a Service - your vCISO focuses on information security while the DPO handles data protection compliance. They coordinate to ensure a coherent approach to risk and compliance.

For organisations pursuing certification, a common pattern is to engage both vCISO and ISO 27001 services - the vCISO provides ongoing strategic leadership while the compliance service delivers the implementation work.