A Senior CISO on Your Team — Without the €200K Salary
Most mid-market companies know they need security leadership but can't justify a full-time hire. We provide hands-on CISO expertise — from a couple of days a month to full-time interim — so you get the strategy, governance, and board reporting you need, on terms that actually work.
Why a Virtual CISO Makes Sense Right Now
There aren't enough qualified CISOs to go around — and the ones available cost more than most mid-market companies can spend. Here's what a vCISO actually solves.
The Talent Problem Is Real
A full-time CISO in Western Europe runs €150K–€200K in total compensation — and good ones are hard to find. A vCISO gets you the same calibre of thinking at a fraction of the cost, and you skip months of recruiting.
Regulators Are Watching
NIS2, DORA, and GDPR all require someone to own security governance at a senior level. Not "IT handles it." Not "we have a policy somewhere." Documented, board-approved oversight. A vCISO makes that happen.
Clients Are Asking Questions
Vendor security questionnaires keep getting longer. "Who is your CISO?" is now a standard question in enterprise procurement. Without a credible answer, deals stall — or go to competitors who have one.
Security Needs a Plan, Not Just Tools
Buying another tool won't fix a lack of direction. A vCISO builds a risk-based strategy, decides where to invest, and gives your IT team clear priorities instead of a never-ending to-do list.
Be Ready Before Something Happens
Incident response isn't something you figure out during a breach. A vCISO puts the playbooks, communication plans, and decision-making structures in place while things are calm — so you're not scrambling when they're not.
Scale Up or Down as You Go
Start with two days a month. Add more when you're going through certification or closing a big deal. Bring in full-time coverage if your CISO leaves. Same person, same context — just adjust the dial.
How We Get Started
We follow a four-step process. You'll see tangible progress within weeks, not months.
Discover
We talk to your key people, review what's in place, and map the gaps · Week 1
Foundation
We deliver a strategy, fix the obvious risks, and set a 90-day plan · Weeks 2–3
Operate
Ongoing cadence — board reporting, risk management, team coaching · Monthly
Evolve
Scale the engagement, hand over to a permanent hire, or renew · When it makes sense
Three Tiers, Built for Different Situations
Not every company needs the same level of involvement. Pick the tier that matches where you are today — you can always move up later. All prices are approximate and subject to change based on your organization's individual circumstances.
Essential Guidance
You're a startup or small SME — maybe 20 to 100 people — and security has been on the back burner. CISOlite gives you a proper strategy, core policies, a risk register, and quarterly board updates. Enough to close the governance gap and satisfy basic regulatory requirements, without overcommitting.
Strategic Partnership
You've moved past the basics — 100 to 500 employees, facing audits, client due diligence, or regulatory scrutiny. CISOplus gives you weekly on-site presence, monthly board dashboards, vendor risk oversight, team mentoring, and a full governance programme run by someone who's done this at scale before.
Full-Time Interim
Your CISO just left, you're dealing with a serious incident, you're prepping for M&A or an IPO — and you need a senior security leader in the building now, not in three months. CISObridge means full executive authority, daily presence, crisis management, and a clean handover when your permanent hire starts.
Side-by-Side Comparison
Here's how the three tiers differ across the dimensions that matter most.
| Dimension | CISOlite | CISOplus | CISObridge |
|---|---|---|---|
| Time commitment | 2–5 days/month | 8–12 days/month | 20+ days/month |
| Response time | 48 hours | 24 hours | 4 hours |
| On-site presence | Monthly (optional) | Weekly | Daily / as needed |
| Board attendance | Quarterly | Monthly | All meetings |
| Team management | Advisory only | Oversight & mentoring | Direct management |
| Incident response | Advisory | Coordination | Full leadership |
| Best fit | 20–100 employees | 100–500 employees | 200+ or in transition |
| Minimum contract | 12 months | 12 months | 3 months |
| Monthly investment | €3K – €5K | €8K – €12K | €18K – €25K |
Packages & Pricing
Each package is a starting point. We'll shape the engagement around your specific situation during the discovery call. All prices are approximate and subject to change based on your organization's individual circumstances.
CISOlite
- 2–5 days of senior CISO time
- Security strategy & roadmap
- Core policy framework
- Annual risk assessment
- Quarterly board presentation
- NIS2 / GDPR compliance mapping
CISOplus
- 8–12 days of senior CISO time
- Everything in CISOlite
- Weekly on-site presence
- Monthly board dashboard
- Team mentoring & hiring support
- Full GRC programme oversight
- Incident response coordination
CISObridge
- 20+ days full-time equivalent
- Full CISO executive authority
- Daily on-site presence
- Direct team management
- Crisis & incident leadership
- Permanent CISO hiring support
- Structured knowledge transfer
Add-Ons
Layer these onto any tier when you need something extra.
Incident Response Retainer
A guaranteed 2-hour response SLA, pre-built playbooks, quarterly tabletop exercises to keep your team sharp, and thorough post-incident reviews when something does happen.
Board Reporting Package
Quarterly in-person presentations to your board, a custom security metrics dashboard they can actually understand, director training sessions, and audit committee liaison.
Compliance Acceleration
Need to reach ISO 27001, NIS2, DORA, or SOC 2 faster? This add-on runs the certification prep alongside your CISOaaS engagement — so the work feeds into your programme instead of duplicating it.
Talent Development
Help hiring your first security person, capability assessments for your existing team, personal development plans, and monthly 1:1 coaching for your security leads.
Why Work with Cubic
We're not a Big Four firm, and that's deliberate. Here's what you get instead.
30+ Years in the Chair
Your vCISO has held the CISO role at Fortune 500 companies, managed serious security incidents, and built programmes from zero. This isn't theoretical — it's pattern recognition from decades of doing the job.
30–40% Less Than Big Four Rates
You work directly with a senior practitioner. No juniors staffed on your account, no layers of management overhead. You're paying for expertise, not a brand name on your invoice.
Native Across the Benelux
Fluent in English, French, German, and Luxembourgish. Your vCISO presents to boards, talks to regulators, and coaches teams in whichever language the room needs.
One Partner for Everything Security
CISOaaS plugs into our NIS2, ISO 27001, DORA, and incident response work. One relationship, one context, no handoffs between firms — which means things actually get done.
Let's Figure Out What You Need
Book a free 30-minute call. We'll talk through your situation, give you an honest assessment, and tell you which tier fits — or whether you need something different entirely.