How Much Does A Virtual CISO Cost?
(Here’s What You Can Expect To Pay)

Learn how PurpleSec’s Virtual CISO services can help you build your security program.

Author: Michael Swanagan, CISSP, CISA, CISM / Last Updated: 3/19/2023

Reviewed By: Rich Selvidge, CISSP

You can expect to pay $1,600 to $20,000 per month (retainer), $200 to $250 per hour, or $8,000 to $10,000 for a one-time project for virtual CISO services. Other factors that determine cost include the scope of work, expertise, business size, and experience.

What You’ll Learn

  • Why vCISOs are cost-effective alternatives for organizations lacking a traditional CISO.
  • How costs depend on the scope, expertise, industry, organization size, and engagement length.
  • The cost structures, including retainer fees, hourly fees, project-based fees, and equity compensation.
  • What the average vCISO costs, along with exactly how much you should expect to pay for services.
  • How to choose a vCISO by identifying needs, researching providers, and evaluating proposals.

Hiring a Virtual Chief Information Security Officer (vCISO) is an option for an organization that cannot afford a traditional CISO.

Many companies forgo hiring a vCISO and continue to rely on their internal teams to oversee the security program.

A research firm reported that 64% of SMBs were operating without a CISO.

This approach may fall short of meeting long-term security objectives.

In this article, we will discuss what your organization can expect to pay for a vCISO.

Let’s start by examining the factors that influence the cost of this service.

Factors That Determine The Cost Of A Virtual CISO

Determining the cost of a vCISO requires research on several key factors.

These factors provide direction to help you define the scope of work and estimate project duration, while ensuring the deliverables of the vCISO’s services align with your allocated budget.

Prior to gathering cost details, your organization’s leadership should understand the key benefits of a vCISO role. A vCISO can:

  • Fill the role of a CISO in the short term.
  • Lead compliance, risk, or regulatory assessments.
  • Train a new CISO.
  • Build a threat management program.
  • Assist in developing and implementing security initiatives.

Let’s review the first factor in the selection process, the scope of work.

Scope Of Work

The scope of work has a direct bearing on cost. In most cases, a managed security provider has a team of vCISOs with various capabilities and levels of experience.

You can select the services and define the responsibilities you want the vCISO to take on, based on the provider’s suite of service offerings.

As you select more services, expect an increase in cost.

The services available will vary from one provider to the next. Below is a list of general services a vCISO typically performs, though it is not limited to the following:

Another factor impacting the scope of work is the type of organization.

Note the following examples of how the type of organization affects the scope of work:

  • Scenario 1: If your organization is an SMB that provides healthcare, this adds complexity to the scope since HIPAA regulations come into play.
  • Scenario 2: If an organization processes credit cards, its payment systems must be PCI compliant.
  • Scenario 3: If the organization does not have to abide by regulations, or its cyber risk is low, the scope of work will be less complex, which results in a lower cost.

Let’s now look at the next factor your organization should consider when selecting a vCISO.

Experience & Expertise

A vCISO with expertise in federal systems, finance, and regulatory and compliance frameworks is typically in high demand.

For MSPs providing this service, expect to pay a higher rate.

In addition to specializations in regulatory frameworks, a high-quality vCISO should be certified in the area of information security.

The CISSP (Certified Information Systems Security Professional) is the most common certification.

In addition, look for the following certifications and experience when selecting a vCISO:

  • CISM (Certified Information Security Manager)
  • CRISC (Certified in Risk and Information Systems Control)
  • CCISO (Certified Chief Information Security Officer)
  • B.S. degree (Information Security or related field)
  • M.S. or MBA degree
  • 10+ years of proven IT experience with a concentration in Information Security

Learn More: How To Become A Virtual CISO

The type of industry and the size of the organization impact the cost as well. Let’s note this in the next section.

Industry & Organizational Size

Healthcare, financial, and global organizations with complex cyber security requirements will impact the cost of hiring a vCISO.

Note a few examples of cyber security-related regulations, by industry, in which a vCISO will need specialized experience to succeed:

  • Healthcare – HIPAA, SOC2
  • Finance – GLBA, PCI
  • Global – GDPR
  • Federal – FEDRAMP, CMB

A large enterprise organization with 10,000 employees, compared to an SMB with 1 to 1,000 employees, inherently has more risk and more security controls to oversee, which impacts the cost.

Another direct impact on cost is the duration of the project.

Length Of Engagement

A short-term engagement for the vCISO’s services will typically incur a higher premium.

A long-term contract, such as an annual or multi-year plan, provides the opportunity to negotiate discounts on services; however, there may be upfront fees associated with the contract.

To ensure you properly estimate the length of the engagement, regularly assess and evaluate your security program’s maturity.

This will help your organization meet budget expectations and select the proper services to achieve the optimum ROI.

Let’s now see how the pricing structure works for your next vCISO hire.

Types Of Cost Structures For Virtual CISOs

One of the main benefits of hiring a vCISO is the reduced cost compared to a full-time CISO.

Let’s review the cost structure of a managed security provider that offers this service to SMBs.

Retainer Fees

Estimated cost: The average starts at $1,600 and goes up to $20,000 per month, or $19,200 to $240,000 per year.

A retainer fee allows you to pay upfront to reserve the services for a specific business need.

This allows the client to forecast and budget for a set number of hours for the year.

A sample of services where a retainer is typically necessary:

  • Oversee Incident Response activities
  • Forensics Investigation
  • Data Breach recovery

Advantages:

  • Easier to estimate cash flows
  • Improved customer relationships

Disadvantages:

  • The client may lose money if services are not used
  • Potential limit on other opportunities if the schedule is locked by the retainer

This model is ideal for an SMB that does not have the in-house expertise or lacks experience in the area of Incident Response and Forensics, where services may be needed immediately.

Hourly Fees

Estimated Cost: $200 to $250 per hour.

The hourly fee model allows the client to pay per hour for the vCISO service. This allows the client to pay monthly on a part-time basis.

A sample of services you can expect to pay for by the hour are those that can be completed during a fixed time period:

  • Security Policy Reviews
  • Security Risk Assessment
  • Security Architecture Review

Advantages:

  • Flexible for clients – hour-to-hour or monthly
  • Allows customers to scale services up or down depending on need

Disadvantages:

  • Lack of accountability, since the role is part-time
  • Possibly higher cost for short-term hours compared to long-term project needs

This model is ideal for an SMB that has a fixed project requirement that fits within an SLA.

Project-Based Fees

Estimated Cost: A project is typically priced on a per-hour basis. A 40-hour project will cost $8,000 – $10,000.

The project-based fee structure is a pricing model that allows the vCISO to charge a flat fee for a particular service regardless of the time spent.

Advantages:

  • Allows the client to pay a set amount, making it easier to budget and establish project timelines.
  • Allows customers to select a specific service and understand the cost structure for each.

Disadvantages:

  • The potential for project creep if the cost of the service goes beyond what was estimated.
  • Unexpected problems may require additional funding.

This model is beneficial for a client that has a fixed annual budget that cannot be exceeded.

Equity Compensation

Estimated Cost: This will vary, based on company share prices or the equity available.

Equity compensation allows the client to offer a stake in the organization in exchange for the vCISO service. The vCISO can expect to receive stock options or other forms of equity in lieu of a cash payment.

Advantages:

  • Allows the client to manage cash flow and retain cash for other purposes.
  • Attractive for the MSP providing the vCISO service, since the incentive grows as the company’s share value increases.

Disadvantages:

  • Less attractive if the company’s share price is decreasing
  • Adds complexity to the MSP’s tax position

This model is ideal for an SMB or startup that needs to hold onto its cash for a period of time.

Let’s now take a look at the average cost of a vCISO and how it is determined.

Additional Costs & Considerations

When calculating the final cost for the vCISO service, it is important to understand the contract in full.

There may be less obvious details that are missed in the review. Let’s note a few of the finer details.

Hidden Costs

Although the vCISO is typically a part-time remote role, there may be additional onboarding costs, such as occasional travel to the site or potential conflict resolution fees.

Long-Term Cost Savings

Long-term cost savings are a benefit of signing a longer-term contract. The performance of the vCISO will help you meet long-term compliance objectives.

Risks Of Not Hiring A vCISO

If your organization is on the fence as to whether it should hire a vCISO, consider the risk of not having one.

Relying on existing teams to fulfill this role is not a prudent decision these days.

Not hiring a vCISO can increase the likelihood of data breaches, unpatched systems, poor security awareness, and unresolved gaps in security processes.

How To Choose A Virtual CISO

Let’s now discuss how your organization can go about hiring a virtual CISO.

The first requirement is to understand the weaknesses in your security strategy and what you seek to accomplish.

Identify Your Needs

Gather input from your stakeholders and security leaders.

This will help determine what type of vCISO is needed.

A few needs to consider include, but are not limited to:

  • Developing your incident response plan
  • Leading SOC2 or PCI assessments
  • Leading ISO 2700x assessments
  • Organizing security policies
  • Organizing Disaster Recovery and Business Continuity

Conduct Due Diligence

  • Interview multiple service providers.
  • Ensure they provide the credentials, areas of expertise, reputation, and experience of their vCISOs.
  • Request references regarding the quality of service, as well as referrals.

Evaluate The vCISO’s Proposal

Understand the terms of the vCISO’s proposal.

If you have a legal team, request a review of the terms of the contract to ensure the deliverables align with your business objectives.

If you do not have legal counsel, make your contract review process thorough, so that your expectations are communicated properly in the terms of the contract.

Bottom Line: How Much Should You Pay For A vCISO?

In this article, we have discussed the key factors that determine how much you should pay for a vCISO. We examined the cost structures your organization can choose from, based upon your specific business requirements.

We learned that the cost of a vCISO is determined by demographics, expertise, business size, and experience.

The cost structure of PurpleSec’s vCISO service was provided as a sample of what you can expect to pay for a vCISO:

  • Retainer Model: $1,600 to $20,000 per month.
  • Hourly Model: $200 to $250 per hour.
  • Project-Based Model: 40-hour project = $8,000 – $10,000.
  • Equity Model: Varies based on company share prices or equity available.

If your organization is an SMB and does not have a CISO, we urge you to consider the lower-cost alternative of a vCISO. The benefits far outweigh the risk of not having one at all.

Learn more about PurpleSec’s virtual CISO services or schedule a free consultation.

Michael Swanagan, CISSP, CISA, CISM

Michael is an IT security expert with 15 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industry.

Frequently Asked Questions

How Much Does A Virtual CISO Cost?

There are many factors that determine the cost of a virtual CISO. In most cases, the range is typically between $2,000 and $4,000 a month for an SMB. This cost will vary depending on the size of the organization and the provider. PurpleSec’s monthly rate starts at $1,600.

What Are The Virtual CISO Hourly Rates?

According to ZipRecruiter, the national hourly rate average as of February 2023 is $65.00. This rate will vary based on demographics and size of the organization.

What Are Virtual CISO Consulting Rates?

Current virtual CISO rates are estimated to be about 30% of what it would cost to hire a full-time CISO, potentially less than $30,000 annually.

What Is The Salary Of A CISO?

As of February 2023, the base salary for Chief Information Security Officer ranges from $209,104 to $265,926 with an average base salary of $234,912.

Are Virtual CISO Jobs Growing?

Virtual CISOs are in high demand due to their lower cost compared to a full-time CISO. The vCISO service is also attractive for SMBs that need to acquire management for critical services on an as-needed, affordable basis.
