vCISO Services

Fractional Chief Information Security Officer — strategy, governance, and board reporting at a fraction of full-time cost.

For organizations that need senior security leadership but can't justify a full-time CISO yet.

You're probably here because:

You need senior security leadership — for the board, for customers, for the auditors, for the difficult vendor conversations. But a full-time CISO at market rate would consume budget you'd rather spend on engineering. Your current security function (often one person, sometimes nobody) is operationally overloaded and strategically thin.

A vCISO engagement gives you the senior judgment, the external credibility, and the strategic oversight without the full-time commitment. The right vCISO knows when to lead, when to coach your internal team, and when to stay out of the way of work already being done well.

What's included

A vCISO retainer with Qhalent typically covers:

  • Strategic security roadmap — quarterly review, annual refresh, aligned to your business priorities
  • Board and executive reporting — written reports for board meetings, dashboards for executive review, regular updates on risk posture
  • Governance frameworks — policy ownership, exception management, control review cadence
  • Risk management — risk register maintenance, treatment decisions, escalation paths
  • Vendor and third-party risk — assessment of new vendors, ongoing oversight of critical suppliers
  • Incident response leadership — strategic oversight during significant incidents, postmortem facilitation, lessons-learned integration
  • Audit and assessment readiness — preparation for SOC 2, ISO 27001, customer security questionnaires, due diligence reviews
  • Coaching for internal security staff — career development, technical mentorship, organisational guidance
  • Available for emergencies — defined response time for incidents that need executive-level attention

How we deliver

vCISO engagements are structured as monthly retainers with a defined commitment level — typically two, four, or eight days of senior practitioner time per month, depending on your organisation's complexity and current state.

A typical month looks like:

Scheduled working day

One day on-site or remote with leadership — strategy, key decisions, board prep.

Asynchronous communication

Throughout the month via Slack, email, documents under review, ad-hoc questions.

Governance activities

Pre-scheduled time for quarterly board reports, risk register reviews, control review cadences.

Available capacity

Reserve for the unexpected — incidents, urgent vendor decisions, escalations.

Engagements typically start with a 90-day intensive period where we establish baselines, write the strategic roadmap, and get governance structures in place. Steady-state operation follows from month four onwards.

Minimum engagement: twelve months. Most clients renew.

What we don't do

We don't do hands-on security operations. The vCISO role is strategic and governance-focused; we don't run your SOC, perform penetration tests, or manage your tooling day-to-day. If you need those capabilities, we can recommend specialists or work alongside your operational team.

We don't do "CISO theatre." We won't show up to a quarterly board meeting and read slides. The work happens in the months between meetings; the meeting is where we explain it.

We don't compete with strong existing security leadership. If you have a competent internal security lead who needs senior backup or coaching rather than replacement, we'll design the engagement around augmenting them — not displacing them.

Engagement and pricing

vCISO Services is a monthly retainer engagement, billed at a fixed monthly fee for the term of the agreement.

The fee depends on three factors: your organisation's size and complexity, the commitment level (typically 2, 4, or 8 days per month), and the scope of the role (single domain vs. full security function). We'll give you a defined monthly fee after a 30-minute scoping call.

What's included in the fee

The agreed-upon days of senior practitioner time, all asynchronous availability, all governance deliverables (board reports, risk register, policy reviews), and incident-response availability up to a defined threshold.

What's not included

Hands-on operational work outside the agreed scope, extensive incident response work that exceeds the retainer hours (billed separately at engagement-day rates), and tooling or third-party fees.

Why Qhalent for vCISO

A vCISO engagement is intimate. The right vCISO becomes a trusted advisor to your CEO, your board, and your engineering leadership. The wrong one becomes an external interruption that your team works around rather than with.

We've held senior security roles inside organisations that demanded operational substance: critical infrastructure, OT security, enterprise GRC. We hold CISSP, CCSP, and CISM credentials. More importantly, we've lived inside the governance structures, the board conversations, the audit fatigue, and the vendor-management overhead that vCISO engagements address.

We work with a small number of clients at a time. Each engagement gets partner-level attention from the same person throughout — not a rotating bench. The relationship matters; we treat it accordingly.

Ready to talk?

A vCISO engagement is a serious commitment on both sides. The scoping call is where we figure out if there's a fit — your situation, our capacity, the kind of leadership you actually need. Thirty minutes, no pressure.