Virtual CISO
Strategic security leadership without a full-time CISO – flexible, experienced, immediately available. 3–4 days per month, one dedicated point of contact.
Why a Virtual CISO?
NIS2, ISO 27001, GDPR – information security requirements are growing. But not every organization can or wants to hire a full-time CISO.
No dedicated CISO
Responsibility is spread across IT management, data protection, and executive leadership – without clear direction.
Regulatory pressure
Clients, partners, and regulatory authorities expect a designated security officer.
No escalation path
Without a CISO, there is no central authority for incident response, risk assessment, and management communication.
Full-time CISO: EUR 120–180K/year
Plus benefits – economically not viable for many organizations or simply not available on the market.
Scope of services
As your Virtual CISO, I take over the strategic management of your information security – with a fixed monthly allocation.
Security strategy & roadmap
Development and annual update of your security strategy, aligned with business objectives and risk posture.
Risk management
Conducting and maintaining risk assessments, risk register, and quarterly risk reporting to executive management.
Compliance monitoring
Ongoing monitoring of compliance status (NIS2, ISO 27001, GDPR), gap tracking, and remediation management.
Incident response coordination
Maintaining the incident response plan, escalation support during security incidents, post-incident reviews. Support with NIS2 reporting obligations (24h/72h/1 month).
Audit preparation & support
Support for internal and external audits, documentation reviews, and audit readiness checks.
Monthly management reporting
Structured security status report with KPI dashboard, risk update, compliance status, and actionable recommendations.
Supplier security assessment
Vendor risk assessments, review of security-relevant contract clauses, supplier monitoring.
Service levels
Basic
- All advisory services within allocation
- Monthly status meeting (60–90 min)
- Monthly security status report
- Quarterly risk overview
- Response within 24h (business days)
Premium
- Everything in Basic, plus:
- Extended audit support allocation
- Incident escalation: 4h response (Sev-1)
- Quarterly on-site security reviews
- Annual security strategy workshop
Additional days as needed: EUR 1,600/day · Minimum term: 6 months · All prices excl. VAT
Virtual CISO vs. full-time hire
| Aspect | Virtual CISO | Full-time hire |
|---|---|---|
| Annual cost | EUR 60–84K | EUR 120–180K + benefits |
| Availability | Immediately | 3–6 months recruiting |
| Flexibility | Scalable, cancelable | Fixed costs, employment protection |
| Breadth of experience | Multi-client experience | Single-company focus |
| Regulatory know-how | KRITIS, NIS2, ISO 27001 | Individual |
How we work
Remote-first
Microsoft Teams, email, phone. On-site meetings by arrangement.
Monthly status meeting
Regular meeting with IT management/executive leadership (60–90 minutes).
Quarterly review
Detailed status report with strategy update and roadmap adjustments.
Availability
Mon–Fri 08:00–18:00 CET. Basic: 24h response. Premium: 4h for Severity-1.
Ideal follow-up to the Compliance Program
The Virtual CISO secures the results of your Compliance Program long-term. You can also engage the retainer independently – e.g., after a NIS2 Assessment.
Principal model: no consultant roulette
Simon Schilling works personally as your Virtual CISO. 19 years of IT experience, with extensive work in critical infrastructure environments (healthcare, statutory health insurance). Certified: AWS Architect, Azure Architect, TOGAF, PRINCE2. Vendor-independent, no product sales.
Security leadership without a full-time hire?
Let's discuss your security posture and define the right service level in an introductory call – confidential and no strings attached.
30 min · Video call · No obligation