Most SMBs know they need senior security leadership — but can't justify a full-time CISO salary. Aursec's vCISO service gives you a CISM-certified security professional embedded in your business on a monthly retainer. Strategy, governance, board reporting, and compliance oversight — all handled.
Most SMBs fall into the same trap — security sits with someone who already has a full-time job. It gets done when there's time. There's never time.
When security is owned by an IT manager, finance director, or operations lead on top of their day job, it gets reactive. Incidents happen. Certifications lapse. Audits get scrambled together at the last minute.
Without a security lead, risk doesn't get reported accurately to the board. Decisions get made without understanding the security implications — until something goes wrong.
A senior CISO commands £100,000–£150,000 per year. For most SMBs that's not viable. But the security challenges don't go away just because the budget doesn't stretch.
Every vCISO engagement covers the full range of security leadership — from day-to-day oversight to board reporting and long-term strategy.
A clear, prioritised security roadmap aligned to your business goals, risk appetite, and compliance obligations. Updated quarterly as your business evolves.
Creation and maintenance of your security policy suite — acceptable use, access control, incident response, data handling, and more. Kept current as regulations and standards change.
Regular security posture reporting presented in plain language for non-technical stakeholders. Your board understands the risks — and the actions being taken to manage them.
A live risk register maintained and reviewed regularly. Risks identified, rated, owned, and tracked to resolution — with escalation to board level where appropriate.
Review of third-party suppliers with access to your systems or data. Due diligence processes, contractual obligations, and ongoing supplier risk monitoring.
Ongoing alignment to the frameworks relevant to your business — ISO 27001, Cyber Essentials, DSPT, GDPR. Your vCISO manages the compliance calendar so nothing lapses.
Your vCISO leads the response when something goes wrong — coordinating containment, investigation, recovery, and reporting. No scrambling to find someone who knows what to do.
Building security awareness across your team — communications, training guidance, and a security culture that reduces human risk across the business.
A vCISO engagement is a genuine working relationship — not a helpline you call when something breaks.
A conversation to understand your business, current security posture, compliance obligations, and what you need from a vCISO. We agree on scope, hours, and priorities before anything starts.
In the first month we conduct a full assessment of your current security position — policies, controls, risks, suppliers, and compliance status. You receive a clear picture of where you are and a prioritised roadmap of what needs to happen.
Monthly retainer hours used across strategy, governance, reporting, and hands-on work as needed. Regular check-ins keep you informed. Board reports delivered on your schedule.
Quarterly review of the security roadmap and retainer scope. As your business grows or your obligations change, the engagement adapts with you.
A full-time CISO makes sense at a certain scale. Below that scale, a vCISO delivers the same quality of leadership at a fraction of the cost.
| | Full-Time CISO | Aursec vCISO |
|---|---|---|
| Cost | £100k–£150k per year | Monthly retainer |
| Availability | Full-time, one business | Dedicated retainer hours |
| Expertise | One person's experience | CISM-certified, multi-sector |
| Flexibility | Fixed headcount | Scale up or down monthly |
| Board Reporting | Included | Included |
| Compliance Oversight | Included | Included |
| Onboarding Time | 3–6 months | 2–4 weeks |
| Right For | 100+ person businesses | SMBs and growing businesses |
You're a 10–100 person business with no one whose primary job is security. It's being handled reactively, if at all. A vCISO gives you dedicated ownership without a full-time hire.
You have internal IT capability but no one with the security expertise or seniority to own strategy, governance, and board-level reporting. A vCISO fills that gap.
You're facing ISO 27001, DSPT, Cyber Essentials Plus, or supply chain security requirements and need senior oversight to manage them without building a full internal function.
Ben Wright, Managing Director of Aursec, is a CISM-certified security professional with over a decade of experience building and leading security functions across complex multinational environments.
As Global Security & Compliance Manager at a 600-person technology business, Ben managed security and compliance across 34 legal entities, led the security workstream across 15 acquisitions, and reported directly to the executive team on security posture, risk, and compliance status.
That's the level of experience your business gets on a vCISO retainer — without the full-time salary.
Could not be happier with the services provided by Aursec in supporting the IT of my Business. From initial engagement, Aursec worked with me to understand my requirements and ensured an efficient rollout of my Company's IT solution. They took the stress out of achieving CyberEssentials Plus certification and now are fully embedded with my organisation as a partner to deliver long term IT Service Support. Aursec would be a great option for any size business but are particularly valuable for smaller businesses that require that additional hands-on knowledge and experience.
Tell us about your business and what you're trying to achieve. We'll come back to you within one working day.