IronSights

Advisory · Virtual CISO

Executive security leadership, without the full-time hire.

A Virtual CISO (vCISO) gives your organisation the seniority of a Chief Information Security Officer on a retainer: strategy, governance, board reporting, and compliance, scaled to what you actually need.

One accountable leader, an experienced security team behind them, and genuine fluency in the Australian frameworks your board and regulators care about.

Australia-based leadership
Essential Eight · ISO 27001 · CPS 234
A full security team behind one leader

The short version

What is a Virtual CISO?

Senior security leadership, retained rather than hired. You get the judgement of a Chief Information Security Officer without a $300k salary on the books.

A Virtual CISO owns the parts of security that tools and helpdesk cannot: the strategy, the governance, the board conversation, and accountability for the whole program. They decide what matters, in what order, against your real risk and budget.

People use "virtual CISO", "fractional CISO", and "CISO as a service" to mean much the same thing. The distinction worth knowing is accountability. A consultant advises and hands you a report. A vCISO leads: they sit accountable to your board and stay with you while the work actually gets done.

vCISO

Leads your security function on a retainer. Accountable, ongoing.

Fractional CISO

The same role, often heavier cadence, framed around owning outcomes.

Consultant

Advises on a scope, then hands over. No ongoing ownership.

Why now

Why organisations bring in a vCISO.

The trigger is rarely tooling. It is a gap in leadership, a compliance demand, or a board that has started asking harder questions.

A full-time CISO is out of reach

You need executive security judgement, but a permanent hire at $250k-plus is hard to justify at your size.

The talent is scarce

Experienced security leaders are in short supply across Australia, and the ones you find are expensive and quickly poached.

Compliance or insurance demands it

A client, regulator, or cyber insurer wants a named security leader and evidence of governance, not just tooling.

The board is asking questions

Directors want cyber risk explained in business terms, with a plan they can sign off and track over time.

You have had a scare

A breach, a near miss, or an incident at a peer has made security a board-level priority overnight.

You are growing or certifying

Rapid growth, a funding round, or an or target needs someone to own the program end to end.

Scope

What your vCISO actually owns.

Four areas of responsibility, scaled to your engagement. Not a menu of upsells: the leadership your security program needs to move forward.

Strategy & governance

  • Security strategy and multi-year roadmap
  • Security policies, standards, and procedures
  • Board and executive reporting in plain language
  • Security budget and tooling decisions

Risk & compliance

  • Risk assessments and maturity uplift planning
  • Essential Eight, ISO 27001, and NIST CSF alignment
  • APRA CPS 234, SOCI, and Privacy Act obligations
  • Audit, certification, and cyber insurance readiness

Operational readiness

  • Incident response planning and tabletop exercises
  • Third-party and supply-chain risk management
  • Security awareness program ownership
  • Oversight and mentoring of your internal IT team

Continuity

  • Interim cover during a leadership gap or transition
  • Continuity through audits, projects, and vendor reviews
  • A single accountable point of contact for security
  • A clean handover when you hire a permanent CISO

How it works

A clear path,
from day one.

We start by understanding where you stand, agree the roadmap, then deliver against it on a cadence that suits your business. You always know what is happening and why.

  1. Assess

    We baseline your security posture, risks, and obligations, then run a against the frameworks that apply to you.

  2. Roadmap

    You get a prioritised, multi-year security roadmap tied to business risk and a budget you can actually plan around.

  3. Deliver

    On an ongoing retainer we drive the program: policy, risk assessments, incident readiness, vendor reviews, and team mentoring.

  4. Report

    Quarterly board and executive reporting in business language. Progress is measured and evidenced, not promised at signing.

Four ways to engage, mixed to suit you:

Monthly retainer

A set number of days or hours each month. The most common shape, scaled to your needs.

Interim / fractional

Near full-time cover for a defined period, bridging a gap or leading through a crisis.

Project-based

A fixed engagement for a certification, transformation, or compliance milestone.

Block hours

Ad-hoc senior advisory on call when you need a second opinion or a fast decision.

Engagements

Right-sized to what you need.

A full-time CISO in Australia costs $250,000 to $400,000 a year, all in. A vCISO gives you that seniority for a fraction of the cost, scaled to your risk.

A few days each month

Advisory

For organisations that have IT handled but lack senior security governance.

  • Security strategy and roadmap
  • Board and executive reporting
  • Framework and compliance guidance
  • On-call advisory for key decisions
Scope this engagement

Weekly involvement

Managed program

For organisations uplifting toward certification or under real regulatory pressure.

  • Everything in Advisory
  • Hands-on program delivery
  • Risk assessments and vendor reviews
  • Incident readiness and awareness training
Scope this engagement

Near full-time, time-bound

Interim / Enterprise

For organisations bridging a leadership gap, a breach, or a major transformation.

  • Acting CISO stepping into the role
  • Full ownership of the security function
  • Direct board and regulator engagement
  • Clean handover to a permanent hire
Scope this engagement

Every engagement is scoped to your environment and priced as a fixed monthly figure after an initial conversation, so you can budget with certainty.

Who it's for

Built for growing Australian organisations.

Typically 20 to 500 staff, in sectors where a breach carries real commercial and regulatory weight: professional and financial services, healthcare, legal, and technology.

If your obligations are Australian, so is our fluency. We work to the frameworks your board, insurer, and regulators expect.

Frameworks we lead against

Essential Eight
ISO 27001
NIST CSF 2.0
APRA CPS 234
SOCI Act
Privacy Act
PCI DSS
SOC 2

Why IronSights

One leader, real depth behind them.

A vCISO is only as good as the team they can draw on. Ours brings penetration testers, incident responders, and auditors to the table when you need them.

A team behind the leader

Your vCISO fronts our full bench: penetration testers, incident responders, and auditors. One accountable leader, real depth behind them.

Australian regulatory fluency

, APRA CPS 234, the SOCI Act, and Privacy Act reforms are the ground we work on every day, not a framework we read about.

Vendor-independent

We are not reselling a security stack. Our advice serves your risk and your budget, not a product quota, so the roadmap is genuinely yours.

Australia-based and available

Your vCISO is here, works to your context, and joins on-site when it matters. No offshore handoffs, no follow-the-sun queue.

Straight talk

When a vCISO is the right call, and when it isn't.

We would rather tell you plainly than sell you a retainer you do not need. For the longer version, read our honest guide on when a virtual CISO works and when it doesn't.

A vCISO fits when

  • You have 20 to 500 staff and no full-time security leader.
  • A regulator, insurer, or major client wants named security governance.
  • You are heading toward ISO 27001, Essential Eight, or SOC 2.
  • Your board wants cyber risk owned, reported, and reduced.
  • You have capable IT, but no one steering security strategy.

It is probably not the fit if

  • You need day-to-day helpdesk or IT support, not leadership.
  • You want a tool deployed, which is a solution, not a strategy.
  • You are large enough to justify a full-time CISO already.
  • You want a compliance tick only, with no intent to reduce risk.

If that is you, we will say so and point you to the right help, whether that is managed security or a one-off assessment.

Common questions

Asked by boards and owners.

Not in this list? Email hello@ironsights.com.au or book a 30-minute strategy call. No obligation.

  1. What is a Virtual CISO (vCISO) and how does it work?

    A Virtual CISO, or vCISO, is an experienced Chief Information Security Officer who leads your security function on a part-time, retained basis instead of as a full-time hire. They set your security strategy, own governance and board reporting, drive compliance, and steer your risk down over time. You get the seniority of a CISO, scaled to how much of one you actually need.

  2. How much does a vCISO cost compared with a full-time CISO?

    A full-time CISO in Australia typically costs $250,000 to $400,000 a year once salary, superannuation, and on-costs are included, and the talent is hard to find. A vCISO gives you that same seniority for a fraction of the cost, because you pay for a set cadence of involvement rather than a full-time salary. We scope the engagement to your environment and give you a clear, fixed monthly figure after an initial conversation.

  3. How much time does a vCISO spend with our business?

    It depends on the engagement. An advisory retainer might be a few days a month, focused on strategy and board reporting. A managed program is closer to weekly involvement, with hands-on delivery. An interim engagement can be near full-time for a defined period. We right-size the cadence to your risk, your obligations, and your budget.

  4. What is the difference between a vCISO, a fractional CISO, and a security consultant?

    The terms overlap, but the distinction that matters is accountability. A consultant advises and hands you a report. A vCISO or fractional CISO owns the outcome: they lead the program, sit accountable to your board, and stay with you as the work gets done. We work as an accountable leader, not a one-off adviser.

  5. Can a vCISO satisfy our compliance and regulatory obligations?

    Yes. A vCISO is often the most efficient way to meet a compliance or insurance requirement for named security leadership. We align you to the frameworks that apply, including Essential Eight, ISO 27001, APRA CPS 234, the SOCI Act, and Privacy Act obligations, and produce the evidence auditors, insurers, and clients ask for.

  6. Do we still need a vCISO if we already have an IT manager or MSP?

    Usually yes, because they solve different problems. Your IT manager or managed service provider keeps technology running. A vCISO owns security strategy, governance, risk, and board-level accountability, which general IT is not staffed or positioned to cover. We work alongside your existing team rather than replacing anyone. If you want to understand where that boundary sits, read our guide on IT support versus a dedicated cyber security provider.

  7. Is the vCISO Australia-based, and do they work on-site or remotely?

    Your vCISO is Australia-based and works to your context and obligations. Most of the work is done remotely for efficiency, and we join on-site for board meetings, workshops, and the moments where being in the room matters. There are no offshore handoffs.

  8. What happens when we are ready to hire a full-time CISO?

    That is a good outcome, and we plan for it. A vCISO often bridges the gap until you are ready, then supports the recruitment and hands over cleanly: strategy, roadmap, policies, and context all documented so your new CISO starts with momentum rather than a blank page.

First step

Talk to a security leader.

Tell us where your organisation sits. We'll walk you through what a vCISO engagement would cover and put a scoped proposal in front of you. No obligation.