What a Virtual CISO Actually Costs (And How to Tell If You're Getting Value)

The question I hear most from prospective clients is some version of: “So, what does this actually cost?”

It’s a fair question with an unsatisfying answer: it depends. But “it depends” isn’t useful if you’re trying to build a budget, compare providers, or justify the investment to a board. So let me give you real ranges, the factors that move the price, and the parts of a virtual CISO engagement that providers price differently.

Before I moved into consulting, I spent seven years as Information Security Officer at a national financial services firm, where I led the organization’s full alignment to NIST SP 800-53. That wasn’t a paper exercise. It meant the structural, technological, procedural, and at times cultural work required to actually mature a program, not just document one. I’ve since led virtual CISO engagements for six years and served as the internal CISO of a consulting firm before joining Breach Craft. The practitioner years shape the consultant years: I’ve sat in the chair of the people I now advise, so when I talk about what a vCISO engagement should cost and what it should deliver, it’s from both sides of the table.

The Short Answer

Virtual CISO services typically range from $3,500 to $15,000 per month, depending on engagement depth:

• Light advisory (10-20 hours monthly): $3,500 to $7,500
• Mid-tier engagement (20-30 hours monthly): $7,000 to $11,000
• Heavy engagement (30-45 hours monthly): $10,500 to $15,000

Annual cost for most small and mid-sized organizations lands between $45,000 and $180,000. That’s roughly 20 to 40 percent of the total cost of a full-time CISO once you factor in base salary, bonus, equity, benefits, and hiring costs. The tradeoff is presence: a vCISO isn’t available for daily hands-on operations the way a full-time hire is.

Engagement Models

Three models cover most vCISO work in the market. Each prices differently, and the right one depends more on how your organization operates than on what you want to spend.

1. Retainer With Fixed Hours

The most common model. You buy a set number of hours per month (typically 10, 20, 30, or 40) at an hourly rate. Unused hours may roll over one month or expire, depending on the contract. This model is easy to budget and easy to benchmark across providers.

Downsides: it turns every interaction into a billable event. Teams start hesitating to ask questions because they’re watching the hour counter. That’s the opposite of what you want from a security leader.

2. Fixed Monthly With Flex

A flat monthly fee with expected hour ranges but no strict accounting. The provider front-loads during heavy phases (pre-audit, incident recovery, board prep) and runs lighter during steady state. Contracts typically set annualized averages rather than monthly ceilings.

This is what we run at Breach Craft. It trades precision for practicality: you pay a predictable monthly rate, and neither side is watching the clock. It only works when both parties are operating in good faith, so reputation matters more than in the hourly model.

3. Project-Based

A defined scope for a finite period. Common for SOC 2 readiness, HITRUST push, post-incident program rebuild, or interim CISO coverage during a search. Priced as a fixed-fee project rather than a monthly retainer.

Good for discrete needs. Bad for ongoing leadership, because the engagement ends when the project does.

Pricing by Engagement Depth

Monthly hours	Typical monthly price	Best fit
10-20	$3,500-$7,500	Established security function, advisory layer, mature program
20-30	$7,000-$11,000	Growing programs, compliance-active, quarterly board reporting
30-45	$10,500-$15,000	Heavy compliance, post-incident recovery, M&A, regulated industry
45+	Custom	Interim CISO coverage, full program build-out, complex multi-entity

These are industry ranges, not a rate card. Providers vary significantly based on seniority, team size, and geography. An ex-Fortune-500 CISO will cost more than a first-time consultant. That’s often appropriate, sometimes not. For a similar breakdown on a different service, see how penetration testing gets priced.

What Drives Cost Up

• Regulated industry. Healthcare (HIPAA and HITRUST), financial services (GLBA, NYDFS), defense (CMMC), and federal work (FedRAMP) all require specialized knowledge and documented evidence. The work is the same shape as in unregulated industries, but more of it has to be written down and defensible.
• Active compliance deadlines. A SOC 2 Type II audit starting in six months is a different engagement than a casual “we’d like to get SOC 2 eventually.” Deadlines compress work and increase hour requirements.
• Multi-framework environments. Organizations operating under HIPAA, PCI-DSS, and SOC 2 simultaneously need someone who can map controls across all three. That expertise costs more and takes more time.
• Recent or active incidents. Post-breach programs need reconstruction, not tuning. Expect a heavier engagement for the first 6 to 12 months while the program rebuilds.
• M&A activity. Acquiring or being acquired introduces integration work, due diligence support, and inherited risk that isn’t in a steady-state retainer.
• Board reporting cadence. Quarterly board briefings add 10 to 20 hours per cycle for prep, risk quantification, and the meeting itself. Monthly dashboards add more.
• Multiple stakeholder groups. A parent company, investors, key customers, and regulators each generating their own reporting requirements can double the reporting load.

What Drives Cost Down

• Mature existing program. If you need strategy and oversight rather than build-out, 10 to 20 hours per month is often enough.
• Clear, bounded scope. “Own our SOC 2 readiness” is priceable. “Improve our security” is not, and open-ended scopes always grow.
• Strong internal security champion. A dedicated security lead or senior IT manager who can execute on direction cuts vCISO hours significantly. The vCISO sets direction; the internal champion runs the program day to day.
• No active compliance deadline. Advisory work without an audit clock runs lighter.
• Lower-risk industry profile. General commercial, SaaS with no sensitive regulated data, and similar profiles price at the low end of the ranges above.

Virtual CISO vs Full-Time CISO: Total Cost

The comparison that matters isn’t vCISO hourly rate vs CISO base salary. It’s total cost of ownership.

Full-Time CISO, Fully Loaded

• Base salary: $200,000 to $350,000 for mid-market; $350,000 to $500,000+ for enterprise
• Bonus: typically 20 to 40 percent of base
• Equity: varies widely, but real money at growing companies
• Benefits: 25 to 30 percent of base (health, retirement, payroll taxes, etc.)
• Hiring cost: 20 to 30 percent of first-year comp via retained executive search
• Onboarding: 3 to 6 months before meaningful output

All-in, a mid-market CISO hire typically costs $350,000 to $600,000 per year for the first year and $300,000 to $500,000 in steady state. Enterprise CISOs run higher. The 2024 IANS / Artico CISO Compensation Survey showed total cash compensation for CISOs at public companies frequently exceeding $600,000, with equity pushing the number well above $1M at the largest firms. (IANS Research)

Virtual CISO, Fully Loaded

Most vCISO engagements for mid-sized organizations run $7,000 to $12,000 per month, or $85,000 to $145,000 annually. That’s the whole cost. No benefits. No bonus. No recruitment fee. No six-month ramp. You get someone who’s already done the job, often multiple times, with experience across industries.

The Honest Caveat

A vCISO isn’t a full-time CISO. We’re in your business meaningfully but not continuously. We own strategy, governance, board reporting, and key decisions. We don’t sit in daily operations stand-ups or handle every ad-hoc question in real time.

For organizations that need continuous executive presence (a security-critical product, frequent public incidents, a board that wants the CISO on every escalation call), a full-time hire makes sense regardless of cost. For most mid-sized organizations, the vCISO model is a better match for actual needs, not just budget.

What’s Typically Included

A vCISO retainer at any tier should include:

• Security strategy development and roadmap ownership
• Policy framework creation and maintenance
• Board and executive reporting
• Risk register maintenance
• Compliance guidance across your applicable frameworks
• Vendor risk oversight
• Incident advisory and escalation coverage
• Regular check-ins with your security team and IT leadership

If any of those are missing from the proposal, ask why.

What’s Typically Billed Separately

• Penetration testing and vulnerability assessments
• Gap assessments beyond the initial discovery (sometimes)
• Incident response fieldwork (forensics, containment, recovery)
• Tabletop exercises as distinct engagements
• Technical implementation work (tool deployment, configuration)
• SOC 2 audit fees (paid to the auditor, not the vCISO)

A good provider will bundle or discount these through partner relationships when appropriate, and will be transparent about where they have financial incentives. Watch for providers who try to convert every adjacent service into a markup opportunity.

How to Evaluate Value (Not Just Price)

The cheapest vCISO is rarely the best value. The most expensive isn’t always either. Here’s what I’d ask before signing:

• Who is actually on my account? Is this a named individual, a team-backed model, or a rotating bench? Team-backed is often better than solo (continuity, cross-industry pattern recognition), but only if the team is real and not a sales prop.
• What’s their CISO experience? Have they actually held the role, or just consulted to people who have? Both have value; the balance matters.
• How are hours handled? Strict accounting, flex, or something else? Which fits your organization’s style?
• Vendor neutrality. Do they take commissions from security vendors? If yes, recommendations are compromised.
• References. Ask for references from organizations similar to yours in size, industry, and maturity. Call them.

Red Flags in vCISO Pricing

• Under $2,500 per month. Usually means rotating junior consultants, template-driven work, or both.
• No clear deliverables. “Available for advice” is not a deliverable. Real engagements produce artifacts: roadmaps, policies, risk registers, board decks, audit evidence.
• Heavy upsell pressure. Providers tied to specific products or vendors have conflicts that will show up in your recommendations.
• One name on the contract, different names in meetings. You bought the senior; you’re getting the junior. If the named principal isn’t actually engaged, that’s a repricing conversation at best and a breach of trust at worst.
• Pricing that changes materially every quarter. Some flex is normal. Wild swings usually mean scope creep that wasn’t priced.
• Inability to scope hours or outcomes. If the provider can’t tell you roughly what 20 hours per month buys, they don’t know their own service well enough to sell it to you.

The Bottom Line

Virtual CISO pricing isn’t a mystery once you understand the engagement models and what drives cost. For most mid-sized organizations, $7,000 to $12,000 per month buys genuine executive security leadership at roughly a quarter to a third the total cost of a full-time hire, with access to experience that a single person couldn’t match. The question isn’t really “what does it cost” but “what am I buying, and is the value I’m getting worth the price.”

If you’re sizing up a vCISO engagement and want a straight conversation about scope, hours, and pricing, contact Breach Craft. I’m happy to walk through what your program actually needs and what it should reasonably cost.