Advisory · Virtual CISO
Executive security leadership, without the full-time hire.
A Virtual CISO (vCISO) gives your organisation the seniority of a Chief Information Security Officer on a retainer: strategy, governance, board reporting, and compliance, scaled to what you actually need.
One accountable leader, an experienced security team behind them, and genuine fluency in the Australian frameworks your board and regulators care about.
The short version
What is a Virtual CISO?
Senior security leadership, retained rather than hired. You get the judgement of a Chief Information Security Officer without a $300k salary on the books.
A Virtual CISO owns the parts of security that tools and helpdesk cannot: the strategy, the governance, the board conversation, and accountability for the whole program. They decide what matters, in what order, against your real risk and budget.
People use "virtual CISO", "fractional CISO", and "CISO as a service" to mean much the same thing. The distinction worth knowing is accountability. A consultant advises and hands you a report. A vCISO leads: they sit accountable to your board and stay with you while the work actually gets done.
vCISO
Leads your security function on a retainer. Accountable, ongoing.
Fractional CISO
The same role, often heavier cadence, framed around owning outcomes.
Consultant
Advises on a scope, then hands over. No ongoing ownership.
Why now
Why organisations bring in a vCISO.
The trigger is rarely tooling. It is a gap in leadership, a compliance demand, or a board that has started asking harder questions.
A full-time CISO is out of reach
You need executive security judgement, but a permanent hire at $250k-plus is hard to justify at your size.
The talent is scarce
Experienced security leaders are in short supply across Australia, and the ones you find are expensive and quickly poached.
Compliance or insurance demands it
A client, regulator, or cyber insurer wants a named security leader and evidence of governance, not just tooling.
The board is asking questions
Directors want cyber risk explained in business terms, with a plan they can sign off and track over time.
You have had a scare
A breach, a near miss, or an incident at a peer has made security a board-level priority overnight.
You are growing or certifying
Rapid growth, a funding round, or an or target needs someone to own the program end to end.
Scope
What your vCISO actually owns.
Four areas of responsibility, scaled to your engagement. Not a menu of upsells: the leadership your security program needs to move forward.
Strategy & governance
- Security strategy and multi-year roadmap
- Security policies, standards, and procedures
- Board and executive reporting in plain language
- Security budget and tooling decisions
Risk & compliance
- Risk assessments and maturity uplift planning
- Essential Eight, ISO 27001, and NIST CSF alignment
- APRA CPS 234, SOCI, and Privacy Act obligations
- Audit, certification, and cyber insurance readiness
Operational readiness
- Incident response planning and tabletop exercises
- Third-party and supply-chain risk management
- Security awareness program ownership
- Oversight and mentoring of your internal IT team
Continuity
- Interim cover during a leadership gap or transition
- Continuity through audits, projects, and vendor reviews
- A single accountable point of contact for security
- A clean handover when you hire a permanent CISO
How it works
A clear path,
from day one.
We start by understanding where you stand, agree the roadmap, then deliver against it on a cadence that suits your business. You always know what is happening and why.
Assess
We baseline your security posture, risks, and obligations, then run a against the frameworks that apply to you.
Roadmap
You get a prioritised, multi-year security roadmap tied to business risk and a budget you can actually plan around.
Deliver
On an ongoing retainer we drive the program: policy, risk assessments, incident readiness, vendor reviews, and team mentoring.
Report
Quarterly board and executive reporting in business language. Progress is measured and evidenced, not promised at signing.
Four ways to engage, mixed to suit you:
Monthly retainer
A set number of days or hours each month. The most common shape, scaled to your needs.
Interim / fractional
Near full-time cover for a defined period, bridging a gap or leading through a crisis.
Project-based
A fixed engagement for a certification, transformation, or compliance milestone.
Block hours
Ad-hoc senior advisory on call when you need a second opinion or a fast decision.
Engagements
Right-sized to what you need.
A full-time CISO in Australia costs $250,000 to $400,000 a year, all in. A vCISO gives you that seniority for a fraction of the cost, scaled to your risk.
A few days each month
Advisory
For organisations that have IT handled but lack senior security governance.
- Security strategy and roadmap
- Board and executive reporting
- Framework and compliance guidance
- On-call advisory for key decisions
Weekly involvement
Managed program
For organisations uplifting toward certification or under real regulatory pressure.
- Everything in Advisory
- Hands-on program delivery
- Risk assessments and vendor reviews
- Incident readiness and awareness training
Near full-time, time-bound
Interim / Enterprise
For organisations bridging a leadership gap, a breach, or a major transformation.
- Acting CISO stepping into the role
- Full ownership of the security function
- Direct board and regulator engagement
- Clean handover to a permanent hire
Every engagement is scoped to your environment and priced as a fixed monthly figure after an initial conversation, so you can budget with certainty.
Who it's for
Built for growing Australian organisations.
Typically 20 to 500 staff, in sectors where a breach carries real commercial and regulatory weight: professional and financial services, healthcare, legal, and technology.
If your obligations are Australian, so is our fluency. We work to the frameworks your board, insurer, and regulators expect.
Frameworks we lead against
Why IronSights
One leader, real depth behind them.
A vCISO is only as good as the team they can draw on. Ours brings penetration testers, incident responders, and auditors to the table when you need them.
A team behind the leader
Your vCISO fronts our full bench: penetration testers, incident responders, and auditors. One accountable leader, real depth behind them.
Australian regulatory fluency
, APRA CPS 234, the SOCI Act, and Privacy Act reforms are the ground we work on every day, not a framework we read about.
Vendor-independent
We are not reselling a security stack. Our advice serves your risk and your budget, not a product quota, so the roadmap is genuinely yours.
Australia-based and available
Your vCISO is here, works to your context, and joins on-site when it matters. No offshore handoffs, no follow-the-sun queue.
Straight talk
When a vCISO is the right call, and when it isn't.
We would rather tell you plainly than sell you a retainer you do not need. For the longer version, read our honest guide on when a virtual CISO works and when it doesn't.
A vCISO fits when
- You have 20 to 500 staff and no full-time security leader.
- A regulator, insurer, or major client wants named security governance.
- You are heading toward ISO 27001, Essential Eight, or SOC 2.
- Your board wants cyber risk owned, reported, and reduced.
- You have capable IT, but no one steering security strategy.
It is probably not the fit if
- You need day-to-day helpdesk or IT support, not leadership.
- You want a tool deployed, which is a solution, not a strategy.
- You are large enough to justify a full-time CISO already.
- You want a compliance tick only, with no intent to reduce risk.
If that is you, we will say so and point you to the right help, whether that is managed security or a one-off assessment.
Common questions
Asked by boards and owners.
Not in this list? Email hello@ironsights.com.au or book a 30-minute strategy call. No obligation.
What is a Virtual CISO (vCISO) and how does it work?
A Virtual CISO, or vCISO, is an experienced Chief Information Security Officer who leads your security function on a part-time, retained basis instead of as a full-time hire. They set your security strategy, own governance and board reporting, drive compliance, and steer your risk down over time. You get the seniority of a CISO, scaled to how much of one you actually need.
How much does a vCISO cost compared with a full-time CISO?
A full-time CISO in Australia typically costs $250,000 to $400,000 a year once salary, superannuation, and on-costs are included, and the talent is hard to find. A vCISO gives you that same seniority for a fraction of the cost, because you pay for a set cadence of involvement rather than a full-time salary. We scope the engagement to your environment and give you a clear, fixed monthly figure after an initial conversation.
How much time does a vCISO spend with our business?
It depends on the engagement. An advisory retainer might be a few days a month, focused on strategy and board reporting. A managed program is closer to weekly involvement, with hands-on delivery. An interim engagement can be near full-time for a defined period. We right-size the cadence to your risk, your obligations, and your budget.
What is the difference between a vCISO, a fractional CISO, and a security consultant?
The terms overlap, but the distinction that matters is accountability. A consultant advises and hands you a report. A vCISO or fractional CISO owns the outcome: they lead the program, sit accountable to your board, and stay with you as the work gets done. We work as an accountable leader, not a one-off adviser.
Can a vCISO satisfy our compliance and regulatory obligations?
Yes. A vCISO is often the most efficient way to meet a compliance or insurance requirement for named security leadership. We align you to the frameworks that apply, including Essential Eight, ISO 27001, APRA CPS 234, the SOCI Act, and Privacy Act obligations, and produce the evidence auditors, insurers, and clients ask for.
Do we still need a vCISO if we already have an IT manager or MSP?
Usually yes, because they solve different problems. Your IT manager or managed service provider keeps technology running. A vCISO owns security strategy, governance, risk, and board-level accountability, which general IT is not staffed or positioned to cover. We work alongside your existing team rather than replacing anyone. If you want to understand where that boundary sits, read our guide on IT support versus a dedicated cyber security provider.
Is the vCISO Australia-based, and do they work on-site or remotely?
Your vCISO is Australia-based and works to your context and obligations. Most of the work is done remotely for efficiency, and we join on-site for board meetings, workshops, and the moments where being in the room matters. There are no offshore handoffs.
What happens when we are ready to hire a full-time CISO?
That is a good outcome, and we plan for it. A vCISO often bridges the gap until you are ready, then supports the recruitment and hands over cleanly: strategy, roadmap, policies, and context all documented so your new CISO starts with momentum rather than a blank page.
Related services
What a vCISO draws on.
Fortify (Managed Security)
The 24/7 monitoring and response engine your vCISO's strategy directs. Leadership above, operations below.
Learn more→Audit & Assurance
The independent baseline your roadmap is built on: , , , or .
Learn more→Penetration Testing
The evidence behind the board report. Manual testing that shows whether your controls actually hold.
Learn more→Incident Response
When something goes wrong, the responders your vCISO can mobilise, with a plan already in place.
Learn more→First step
Talk to a security leader.
Tell us where your organisation sits. We'll walk you through what a vCISO engagement would cover and put a scoped proposal in front of you. No obligation.
