Cyber Trust

Flexible virtual CISO leadership

Total security management, designed around you.

Our vCISO service gives you a named security leader who owns your cyber programme month to month – built from a framework of controls and services that match your risk, regulators and internal capacity.

With vCISO you get:

  • A named vCISO on your side, every month.
  • Clear 90-day priorities and a 12-month roadmap – agreed with you, then driven by us.
  • Governance, monitoring, reviews and incident support – in one joined-up programme.
  • A flexible framework – Cyber Essentials, monitoring, testing and training picked from a menu, not forced into bronze/silver/gold tiers.

If you're not sure where you currently stand, we usually recommend starting with a Cyber Security Audit first – then shaping the vCISO programme from there.


Real person, clear ownership

You get a named vCISO who learns your business, builds the programme around your priorities and stays with you as things change.

What a vCISO actually does.

A vCISO is not a one-off consultant or an occasional advice call. It's an ongoing security leader who owns your cyber programme – setting direction, tracking progress and keeping risk under control month after month.

You get decisions, dashboards and one person accountable for moving things forward. We make sure your 90-day plan is realistic, your 12-month roadmap is aligned to the business and nothing important quietly drifts.

Our job is to translate security into business language – so boards, insurers and big customers see a coherent story, not a pile of technical tickets.

  • Fewer surprises – drift and gaps are caught early.
  • Faster approvals – clearer answers for insurers, auditors and key customers.
  • Less internal effort – we do the heavy lifting; you review options and sign off.

Decisions, dashboards, ownership

Expect regular governance calls, clear action lists and a single view of risk – not a scattered mix of tools and one-off reports.

We plug into your existing IT team, MSP or suppliers and lead the overall programme – so everyone is working to the same plan.

Flexible, not one-size-fits-all

A framework for total security management.

Instead of predefined bronze/silver/gold tiers, we build a vCISO programme from a simple framework – leadership, day-to-day hygiene and deeper assurance. You get the pieces you actually need, at a level that matches your business.

Leadership & governance

Your security lead and decision-maker

  • Named vCISO owning your programme and roadmap.
  • Risk register, 90-day priorities and 12-month plan kept alive.
  • Governance rhythm – recurring reviews and board-ready reporting.

Controls & hygiene

Getting the basics consistently right

  • Cyber Essentials / Cyber Essentials Plus built into the plan.
  • Policy review and support, plus awareness / training where it's needed.
  • Patch management and internal reviews so known issues don't linger.

Assurance & resilience

Testing, monitoring & recovery

Proving and improving your security

  • Penetration testing and internal technical reviews.
  • SIEM / logging and alert monitoring where required.
  • Backup and recovery testing, incident response support and lessons-learned.

We dial these up or down depending on your risk profile, contracts and regulators – not because a tier forces it.

We assemble your programme from this framework and a wider menu of services, so the scope fits your organisation – and evolves as your risk and regulators change.

Building blocks we can include.

Every vCISO engagement is different. We start with core leadership, then add the blocks that make sense for your environment, regulators and internal teams.

Cyber Essentials / CE Plus

We plan and run your CE / CE+ journey and keep it aligned with the wider programme.

Support days & projects

Hands-on time each month to actually move changes, not just talk about them.

Policy review & support

Create, update and embed policies so they match reality – not just a template pack.

Alert monitoring & tuning

Make sure important alerts surface, noisy ones are tuned and someone owns follow-up.

Patch & vulnerability reviews

Regular checks that patching, configuration and remediation are under control.

Internal security reviews

Structured internal reviews of controls, high-risk systems and suppliers.

Awareness & training

Targeted staff awareness, campaigns and refreshers where behaviour matters most.

Risk management

A living risk register, linked to actions, owners and your wider governance rhythm.

Reporting & board packs

Board-ready summaries, KPIs and trend reporting – not 200-page technical outputs.

Pen testing

Scoping, managing and interpreting penetration tests as part of the plan.

SIEM / logging

Designing and governing SIEM or logging so it actually supports detection and response.

Backup & recovery testing

Proving that backups, DR and business continuity actually work when needed.

How vCISO pricing works.

We don't publish a one-size-fits-all price for vCISO. The right programme for a 60-person professional services firm is very different to what an NHS Trust or regulated utility needs.

Every engagement is scoped from your Cyber Security Audit and a short scoping call. From there we agree how much we own vs advise, how often we meet and which building blocks are in scope.

Pricing is billed every four weeks, with clear inclusions and a governance rhythm that suits your organisation.

What shapes the investment.

  • Inputs: number of users, sites and key systems; regulatory or customer demands; how much we own vs support.
  • Output: a simple fixed four-weekly fee with clear responsibilities and service levels.
  • No surprises: we walk through scope line-by-line before you commit.

What vCISO looks like in practice.

Whatever the exact shape of your programme, you're not buying a report – you're buying ongoing security leadership. In day-to-day terms, that looks like:

A named vCISO who knows your business, not a rotating cast of consultants.

Regular governance calls and check-ins, with clear actions and owners.

Ownership of your 90-day Fix-First Plan and a living 12-month roadmap.

Oversight of Cyber Essentials, Cyber Baseline and similar hygiene schemes.

Vulnerability and patching reviews so known issues don’t linger.

Incident response support – from on-call advice through to full incident handling, depending on scope.

Plain-English updates for boards and exec teams, not technical noise.

Planned security awareness activity where behaviour change matters most.

Why we don't guess your programme from a web form.

A vCISO programme only works if it's built on a clear picture of where you are today. That's what the Cyber Security Audit delivers – a simple, board-ready view of risk plus a Fix-First Plan.

Once we know what's in place, what's missing and where the real exposure sits, we can design a programme that matches your risk, regulators and internal capacity – choosing the right mix of leadership, reviews and technical services.

If you already understand your posture, we can move straight into vCISO scoping. If you don't, we strongly recommend running the Security Audit first.

Cyber Security Audit first

Typical flow: Security Audit → agree Fix-First Plan → design your vCISO programme → start the governance rhythm. No surprises, no rushed commitments.

Is vCISO the right fit?

This is for you if…

  • You have roughly 50–5,000 staff and cyber is now a regular board topic.
  • You've outgrown ad-hoc advice and need ongoing leadership and ownership.
  • You're under pressure from regulators, insurers or big customers to show progress.
  • You want one accountable owner for the security programme, not a collection of vendors.

This is not for you if…

  • You only want a one-off certificate or penetration test.
  • You're primarily looking for the cheapest possible "tickbox".
  • You don't have executive backing to act on findings or allocate time to improvements.
  • You're not ready for an ongoing relationship – in that case, we can still help with one-off work instead.

What clients say about working with us as vCISO.

We finally have one place where risk, incidents and actions live – and someone whose job it is to keep it moving.

Chief Operating Officer

UK healthcare charity (~500 staff)

Our board conversations on cyber are calmer and clearer. We talk about trends and decisions, not tools.

CFO

Professional services firm (~250 staff)

Insurer renewals and customer due-diligence are much easier. We can point to a programme, not just paperwork.

Head of IT & InfoSec

Regulated services organisation (~1,200 staff)

Ready to have someone own your cyber programme?

Talk to us about vCISO, or start with a Cyber Security Audit if you're not sure where you stand. Either way, you leave with a clear next step.

Both paths begin with understanding your current posture – then agreeing a level of support that matches your risk, regulators and resources.