Virtual CISO

A named person responsible
for cyber at board level.

Most SMEs do not have a Chief Information Security Officer. Most do not need one full-time. But they do need someone who owns cyber risk at a senior level. That is what a virtual CISO gives you.

Whether you are working towards Cyber Essentials, Cyber Essentials Plus, or ISO 27001, or you simply need someone independent to own cyber risk at board level, this is the starting point.

What is a virtual CISO?

A CISO (Chief Information Security Officer) is the senior person responsible for cyber security strategy. They sit at board level. They own the risk decisions. When something goes wrong, they are the person accountable.

A full-time CISO costs £100,000 to £180,000 a year. For most businesses with under 500 staff, that is not a realistic hire. The result is a gap: cyber risk with no one formally owning it.

A virtual CISO fills that gap. A named, experienced professional who takes responsibility for your cyber security, attends your board meetings, and gives you honest advice, without the full-time cost.

This is not a product or a software tool. It is a person. With accountability.

Clients or insurers asking about your cyber security governance

Larger clients and insurers increasingly require evidence that cyber risk is managed at a senior level.

A security incident with no one formally in charge of the response

If a breach happens and nobody owns the decision-making, the response is slower and more damaging.

Cyber Essentials or ISO 27001 in scope

These frameworks require someone to own security policy and risk decisions. That person needs appropriate seniority.

Board conversations about cyber with no one qualified to lead them

Most MDs are not cyber experts. Neither are most FDs. Someone needs to translate risk into decisions.

If your priority is broader IT strategy and supplier governance rather than cyber specifically, the fractional IT Director service covers that.

Frameworks I work with

Cyber Essentials, Cyber Essentials Plus, and ISO 27001

These frameworks are increasingly required by clients, insurers, and public sector procurement. I help businesses understand what is actually required, close the gaps, and get certified without over-engineering it.

Cyber Essentials

The UK government-backed baseline. Five controls that address the most common cyber attacks. Often required for public sector contracts and increasingly asked for by larger clients.

Certification in weeks, not months

Cyber Essentials Plus

The same five controls, independently verified by an external assessor. Required by some insurers and clients in higher-risk sectors. Construction, engineering, and professional services firms are seeing this more in tenders.

Independently verified certification

ISO 27001

The international standard for information security management. Formal, auditable, and increasingly expected if you work with enterprise clients or operate in regulated sectors. More involved than CE, but the right choice for the right business.

Full certification support

Not sure which framework is right for your business? That is usually the first question. A short conversation is enough to work it out.

What I do as your virtual CISO

Senior-level cyber leadership. Not policies filed in a drawer. Things that actually get done.

Cyber risk ownership

I take formal responsibility for your cyber security. That means assessing your real exposure, not the version your IT support company presented to you, and being the person who signs off on risk decisions.

  • Risk assessment and gap analysis
  • Risk register ownership
  • Cyber Essentials and CE+ guidance
  • Incident response planning

Getting things done

Most cyber work in SMEs never gets finished. Cyber Essentials stalls. Policies get written and filed away. Staff awareness training gets planned and never runs. I make sure the work actually happens, not just gets documented.

  • Cyber Essentials and CE+ delivered end to end
  • Security gaps closed, not just identified
  • AI and data usage policies that get followed
  • Staff awareness that actually runs

Board-level reporting

I translate cyber risk into business language for your board and senior leadership. Not technical briefings. A clear picture of what your actual exposure is, what has been done about it, and what decisions still need to be made.

  • Quarterly board reporting
  • Plain English risk briefings
  • Incident and near-miss reporting
  • KPI and metrics ownership

Incident response

When something goes wrong (and in most businesses, eventually something does), you need a named person making the right decisions quickly. I am available to lead the response, coordinate the right parties, and manage the communication.

  • Incident response plan ownership
  • Crisis decision-making support
  • Regulatory notification guidance
  • Post-incident review
Dave Lane, Virtual CISO

In IT since 2000. MSc Cyber Security. My own business to run.

I have worked across infrastructure, security, risk management and governance for UK and international businesses for 25 years.

I run a small business. I have sat where you are. Cash flow, margin, pressure from clients and insurers. When something is not worth the money, I say so. When a security recommendation does not serve your business, I say that too.

I work with a small number of clients at any time. That is the only way to stay close enough to each business to be genuinely useful, rather than just available.

That includes real-world cyber incident experience. Hands-on leadership when something has actually gone wrong, not just theory about what should happen. That is the kind of experience your board can rely on.

MSc Cyber Security

Postgraduate qualification in cyber security. Combined with 25 years of hands-on experience protecting real businesses.

Independent

No vendor commissions. No products to sell. Advice that is only ever in your interest.

No contracts

Walk away at any time. You stay because the service is useful, not because you are locked in.

Senior level

Board-ready reporting and decision-making. Not a junior analyst with a checklist.

Let's talk about what you actually need.

Not every business needs a full vCISO engagement. Sometimes the gap is smaller than it looks. Sometimes it is larger. A short conversation usually makes it clear.

30 minutes. No preparation needed.

MSc Cyber Security · 25 Years Experience · Independent