Virtual CISO: Cybersecurity Leadership Built for Your Company's Scale
Outsourced Chief Information Security Officer for SMEs: strategic cybersecurity leadership, governance, and regulatory compliance without the cost of a full-time executive.
Why SMEs need a Virtual CISO — not just a cybersecurity consultant
Does this apply to your business?
Does your company have a documented cybersecurity strategy that has been reviewed and approved by the board in the last 12 months?
Does your board receive regular, comprehensible reporting on cyber risk — not just technical incident logs?
Is there an individual with genuine authority and accountability to lead the response when a security incident occurs?
Has your company assessed whether it falls within the scope of NIS2 as an essential or important entity?
Our Virtual CISO engagement model
Security posture assessment
We perform a structured diagnostic covering critical assets, current threat landscape, existing controls, regulatory gaps, and real security posture against applicable frameworks (NIS2, ENS, ISO 27001).
Security roadmap design
We define a risk-prioritised roadmap aligned with business objectives: control investments, training initiatives, continuity plans, and a regulatory compliance timeline.
Board-level governance and reporting
We establish the information security governance framework, KPIs, and periodic board reports in business language — not technical jargon.
Operational coordination and continuous review
We coordinate technical providers, auditors, and internal teams. We review security posture quarterly and adjust strategy in response to new threats, regulatory changes, or incidents.
The challenge
Most SMEs cannot afford a full-time CISO, but operating without a coherent security strategy is no longer a viable option. The result is a governance vacuum: no one coordinates technical and organisational controls, no one reports credibly to the board on real cyber risk, and no one leads the response when an incident occurs. NIS2 and ISO 27001 now demand that this leadership exists formally — and that the board is accountable for it.
Our solution
We provide a Virtual CISO who acts as a member of your senior leadership team: defining the security strategy, overseeing its implementation, reporting to the board, and ensuring compliance with NIS2, ISO 27001, and the Spanish National Security Framework (ENS). All at a fraction of the cost of an in-house CISO, and with the depth of knowledge that comes from working across dozens of organisations simultaneously.
A Virtual CISO (Chief Information Security Officer) is an outsourced cybersecurity leadership function that provides organisations with strategic security management, governance, and regulatory compliance oversight without the cost of a full-time executive. In the EU regulatory context, the NIS2 Directive (EU 2022/2555) requires essential and important entities to maintain management-level accountability for cybersecurity governance, with personal liability for senior management failures. Similarly, DORA (Regulation 2022/2554) requires financial entities to ensure ICT risk management is integrated at board level. The Virtual CISO model enables organisations — particularly SMEs that cannot justify a full-time CISO salary — to meet these governance requirements through a fractional engagement, typically structured as a monthly retainer.
Our Virtual CISO service combines executive experience in information security leadership with deep knowledge of the European and Spanish regulatory framework: NIS2, the National Security Framework (ENS), ISO 27001, and GDPR. We act as part of your leadership team, with the continuity and commitment that a critical governance function demands.
When Cybersecurity Becomes a Governance Question
Cybersecurity has moved from the IT department to the boardroom. Directors of essential and important entities under NIS2 bear personal legal responsibility for ensuring adequate controls, managing incidents correctly, and complying with the directive’s governance requirements. Most Spanish SMEs and mid-market companies have no one with the authority and knowledge needed to lead this function internally — and the cost of a full-time CISO at an experienced level is beyond the budget of all but the largest organisations.
The Virtual CISO fills this gap. Not a consultant delivering a report and moving on — an outsourced executive who knows your company, your critical assets, your suppliers, and your specific risk profile. Present in leadership discussions with security implications, reporting to the board on a scheduled cadence, and leading the response when an incident occurs.
From Reactive to Strategic Security
Most organisations we work with begin the engagement managing cybersecurity reactively: responding to incidents, implementing point solutions as they become aware of vulnerabilities, and treating compliance as a documentation exercise. The first output of our Virtual CISO engagement is a structured security roadmap that changes this dynamic — a prioritised set of initiatives, each with a business case, a measurable outcome, and a realistic timeline.
The roadmap feeds directly into the board reporting cycle. Directors receive quarterly updates that translate technical progress into business risk reduction and regulatory compliance status. For companies subject to NIS2, this reporting structure also satisfies the directive’s governance accountability requirements.
Certification and Regulatory Leadership
For companies pursuing ISO 27001 certification, the Virtual CISO acts as project director: coordinating the implementation of the Information Security Management System, leading the mandatory management review, and managing the relationship with the certification body. The combination of strategic leadership and certification experience significantly reduces both the time and cost of the certification process.
Integrated with Data Protection
Security and privacy governance work best as an integrated function. Where clients also engage our Data Protection team for DPO services, the Virtual CISO and DPO operate as a coordinated unit — sharing incident response protocols, aligning security controls with GDPR requirements, and ensuring that the 72-hour breach notification window is met in practice, not just on paper.
Security Policies and the Security Programme Architecture
The Virtual CISO’s first substantive deliverable is typically a gap assessment against the applicable regulatory and commercial standards — ENS, ISO 27001, NIS2, GDPR — and the construction of a security policy architecture that is both compliant and proportionate to the organisation’s actual risk profile. Security policies that are copied from templates and have no relationship to operational reality are worse than no policies: they create documentation that contradicts how the organisation actually operates, which creates problems in audits and incidents. We write policies that describe what the organisation does, not what someone thought it should do.
Incident Response Leadership
When a security incident occurs, the Virtual CISO is the operational commander: coordinating the technical response, managing communications with the board and with external parties, and leading the regulatory notification process. For organisations subject to NIS2, this means meeting the 24-hour early warning deadline to INCIBE-CERT or CCN-CERT alongside the 72-hour GDPR breach notification timeline: two parallel clocks that require coordinated responses. For financial entities subject to DORA, the Virtual CISO manages the DORA incident classification and notification workflow within the broader incident command structure.
Third-Party and Supply Chain Security
Managing cybersecurity risk from technology suppliers and service providers is one of the most operationally demanding security functions, and one of the areas where NIS2 has most significantly raised standards. The Virtual CISO leads the third-party risk programme: identifying critical suppliers, conducting security assessments, managing contractual security requirements, and maintaining the supplier security register. For organisations undergoing due diligence as part of a transaction, the Virtual CISO coordinates the cybersecurity dimension of the target assessment.
Board Security Reporting: What Directors Need to Know
NIS2 places personal liability on directors of essential and important entities for failures in cybersecurity governance. The Virtual CISO’s board reporting function delivers the information directors need to exercise this oversight responsibility: a current threat landscape summary, the organisation’s security posture and compliance status, significant incidents and their resolution, and progress against the security roadmap. We design these reports to be accessible to a board audience without cybersecurity specialisation — translating technical risk into business risk. The connection with the compliance risk mapping function ensures that security risks are presented in the context of the organisation’s full regulatory risk profile.
Regulatory framework: NIS2, DORA, ENS, and ISO 27001
The Virtual CISO function operates within a regulatory landscape that has fundamentally changed since 2023:
NIS2 (Directive 2022/2555, transposition deadline October 2024): applies to essential entities (energy, water, transport, banking, healthcare, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, chemicals, digital providers). Requirements include: cybersecurity risk management (Article 21); supply chain security; incident reporting to INCIBE-CERT/CCN-CERT within 24 hours (early warning), 72 hours (incident notification), and 1 month (final report); and personal liability for management bodies that fail to approve, oversee, and implement cybersecurity measures.
DORA (Regulation 2022/2554): applicable to all EU financial entities from 17 January 2025. ICT Risk Management Framework requirements (Chapter II) must be documented and annually reviewed; the ICT Business Continuity Policy and DR plans must be in place; testing includes advanced penetration testing (TLPT) for significant entities; critical ICT third-party providers are directly supervised by EU financial regulators.
ENS (Esquema Nacional de Seguridad, Royal Decree 311/2022): mandatory for Spanish public administrations and their suppliers. ENS certification at the relevant level (LOW, MEDIUM, HIGH) is required for public sector contracts. The Virtual CISO manages ENS gap assessment, implementation, and audit preparation for companies seeking or maintaining ENS certification.
ISO 27001:2022: the international ISMS standard, increasingly required by enterprise clients and financial institutions as a supply chain security assurance mechanism. The Virtual CISO leads the implementation and certification process, including Annex A control implementation, Statement of Applicability, risk treatment plan, and management review.
GDPR Article 32 intersection: information security controls (encryption, pseudonymisation, access control, resilience) are GDPR Article 32 obligations for controllers and processors. The Virtual CISO manages the interface between the security programme and the data protection compliance function — ensuring that security incidents triggering Article 33/34 GDPR notification are identified and reported within the required 72-hour window.
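The two parallel notification clocks from the incident response section and the NIS2/GDPR deadlines listed above, as an added Python example (not part of this page or of BMC's own tooling): it derives each deadline from the moment the organisation became aware of the incident and reports whether each submission was met, late, overdue or still open. It assumes the final report is due one month after the incident notification is submitted (NIS2 Article 23(4)(d)) and that the GDPR clock runs only where personal data are affected; the incident timestamps are constructed.

```python
"""Notification deadline tracker for an incident that is both a NIS2 significant
incident and a GDPR personal-data breach (added example; timestamps constructed)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed awareness time: 31 January, chosen so the one-month clamp is visible.
SAMPLE_AWARE_AT = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Deadline:
    regime: str    # "NIS2" or "GDPR Art. 33"
    step: str      # which submission this clock refers to
    due: datetime  # absolute, timezone-aware cut-off


def _require_aware(dt: datetime, name: str) -> None:
    # Regulatory clocks are absolute; a naive datetime silently shifts by the
    # local UTC offset (and DST), so refuse it up front.
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb)."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def notification_schedule(aware_at, *, nis2_significant, personal_data_breach,
                          incident_notified_at=None):
    """Deadlines that start running when the organisation becomes aware.

    NIS2: early warning at +24h, incident notification at +72h (both to
    INCIBE-CERT/CCN-CERT), final report one month after the incident
    notification is submitted; until it is, the +72h deadline is the anchor.
    GDPR Art. 33: breach notification to the AEPD at +72h (personal data only).
    """
    _require_aware(aware_at, "aware_at")
    deadlines = []
    if nis2_significant:
        notification_due = aware_at + timedelta(hours=72)
        deadlines.append(Deadline("NIS2", "early warning", aware_at + timedelta(hours=24)))
        deadlines.append(Deadline("NIS2", "incident notification", notification_due))
        anchor = notification_due if incident_notified_at is None else incident_notified_at
        _require_aware(anchor, "incident_notified_at")
        deadlines.append(Deadline("NIS2", "final report", add_one_month(anchor)))
    if personal_data_breach:
        deadlines.append(Deadline("GDPR Art. 33", "breach notification", aware_at + timedelta(hours=72)))
    return sorted(deadlines, key=lambda d: d.due)


def deadline_status(schedule, submitted_at, now):
    """Map (regime, step) -> 'met', 'late', 'overdue' or 'open (Nh left)'."""
    _require_aware(now, "now")
    status = {}
    for d in schedule:
        key = (d.regime, d.step)
        sent = submitted_at.get(key)
        if sent is not None:
            status[key] = "met" if sent <= d.due else "late"
        elif now > d.due:
            status[key] = "overdue"
        else:
            status[key] = f"open ({(d.due - now) // timedelta(hours=1)}h left)"
    return status


def demo_status():
    """Constructed scenario: early warning missed, NIS2 notification at +70h,
    GDPR notification at +80h (late), evaluated at +80h."""
    notified = SAMPLE_AWARE_AT + timedelta(hours=70)
    plan = notification_schedule(SAMPLE_AWARE_AT, nis2_significant=True,
                                 personal_data_breach=True, incident_notified_at=notified)
    sent = {("NIS2", "incident notification"): notified,
            ("GDPR Art. 33", "breach notification"): SAMPLE_AWARE_AT + timedelta(hours=80)}
    return deadline_status(plan, sent, now=SAMPLE_AWARE_AT + timedelta(hours=80))


if __name__ == "__main__":
    for (regime, step), state in demo_status().items():
        print(f"{regime:<12} {step:<22} {state}")
```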
Sectors most affected by Virtual CISO requirements
Financial services: banks, insurance companies, investment firms, and payment institutions face the most demanding cybersecurity governance requirements under DORA. The management body is personally responsible for ICT risk management under DORA Article 5 — creating a specific demand for board-level cybersecurity advisory. Our Virtual CISO for financial entities is specifically structured to support the management body’s DORA governance obligations.
Healthcare: hospitals, diagnostic centres, and telemedicine platforms process health data at scale (Article 9 GDPR special category) and are classified as essential entities under NIS2. Ransomware targeting Spanish hospitals has resulted in extended outages and AEPD investigations. The Virtual CISO function for healthcare clients integrates with the DPO function to manage both cybersecurity and data protection dimensions simultaneously.
Technology and digital service providers: SaaS companies, cloud service providers, and managed service providers are important entities under NIS2 when above relevant thresholds. More practically, enterprise clients increasingly require ISO 27001 certification as a supply chain security assurance condition for contract award. Our Virtual CISO for technology companies focuses on ISO 27001 achievement alongside NIS2 gap management.
Critical infrastructure: energy utilities, water treatment operators, and transport companies are essential entities with the highest NIS2 obligations. Operational Technology (OT) security — protecting SCADA, industrial control systems, and IoT devices — is a specific competence required for Virtual CISO services in this sector.
Professional services (law firms, accounting firms, consulting): targets of business email compromise (BEC), ransomware, and insider data theft due to the sensitive client data they hold. NIS2 may not directly apply (depending on size and sector classification), but GDPR and professional liability create equivalent information security obligations. Client-driven supply chain security requirements make ISO 27001 or equivalent assurance increasingly necessary.
Company size segmentation
Startups and scale-ups (under 50 employees): the most common need is foundational security governance — security policy framework, ISO 27001 readiness (or lightweight security programme equivalent), GDPR Article 32 technical measures, and incident response plan. Virtual CISO engagement typically 1–2 days/month. Fixed retainer from EUR 1,200/month.
SMEs (50–250 employees): NIS2 scope assessment and gap management; security roadmap development; quarterly board reporting; ISO 27001 implementation leadership (if pursuing certification); incident response command. 2–3 days/month. Retainer from EUR 2,500/month.
Mid-size companies (EUR 50M–EUR 200M): full Virtual CISO programme including all of the above plus: supply chain security programme (third-party risk assessment for key vendors); annual penetration testing programme coordination; cyber insurance advisory and coordination with insurers; and CSRD cybersecurity disclosure support (ESRS G1 and the forthcoming ESRS sector-specific standards for digital operations). 3–5 days/month. Retainer from EUR 4,500/month.
Financial entities subject to DORA: DORA-specific programme covering all DORA ICT risk management requirements, testing programme (including TLPT coordination for significant entities), ICT incident management and regulatory notification, and third-party ICT provider risk management. Minimum engagement: 4 days/month plus incident response on-call. Retainer from EUR 6,500/month.
Worked example: Virtual CISO engagement for a 120-employee SaaS company
A B2B SaaS company (120 employees, EUR 11M ARR) serving financial services clients was required by a major bank client to demonstrate ISO 27001 certification within 12 months as a condition of contract renewal. The company had no security function — IT was managed by a 4-person team with no dedicated security role.
Virtual CISO engagement scope (12 months):
- Initial gap assessment (month 1): comparison against ISO 27001:2022 Annex A — 73 controls assessed, 41 requiring partial or full implementation.
- ISMS documentation framework: 22 security policies drafted, reviewed with management, and approved (Information Security Policy, Asset Management, Access Control, Cryptography, Physical Security, Supplier Relationships, Incident Management, Business Continuity — all aligned to ISO 27001 Annex A).
- Risk assessment: 38 information security risks identified and assessed; risk treatment plan with 19 controls to implement, 12 to accept (with documented rationale), and 7 to transfer (cyber insurance).
- Control implementation (months 2–9): coordinated implementation of technical controls with the IT team — MFA enforced across all systems, endpoint protection upgraded, vulnerability scanning deployed, access reviews formalised, backup and recovery tested. Non-technical controls: security awareness training (100% completion), secure development policy for the engineering team, and supplier security assessments for 8 critical SaaS providers.
- Internal audit (month 10): gap-to-standard assessment confirming readiness. 3 minor non-conformities resolved before certification audit.
- Certification audit (months 11–12): BSI certification body audit. Certification achieved with 2 minor observations (resolved within agreed timeframe).
Outcome: ISO 27001:2022 certification achieved within the 12-month contractual requirement. Bank client contract renewed. Two additional enterprise prospects converted to clients citing security certification as a selection factor. NIS2 scope assessment conducted in parallel — company classified as important entity; roadmap for NIS2 compliance developed as phase 2.
Five common Virtual CISO / cybersecurity governance mistakes
1. Treating cybersecurity as an IT responsibility rather than a governance issue. The most persistent cybersecurity governance failure is the assumption that the IT team manages security. Security governance requires management body involvement — approving the security policy, reviewing the risk register, ensuring adequate budget, and accepting residual risk. Under NIS2, management body members are personally liable for this oversight failure. The Virtual CISO’s primary function is ensuring this governance structure is operational.
2. Compliance-driven security that ignores actual threats. A security programme built entirely around checklist compliance (ISO 27001, NIS2, ENS) without reference to the actual threat landscape facing the organisation produces bureaucratic compliance without meaningful risk reduction. Real attackers do not respect compliance frameworks. The Virtual CISO’s threat intelligence function ensures that the security programme addresses the actual attack methods being used against organisations in the same sector, of the same size, and with the same technology stack.
3. Security policies that are not implemented. Many organisations have elaborate security policy documents that are not reflected in operational practice — access control policies that describe controls no system enforces, incident response plans that have never been tested, and supplier security requirements that have never been sent to a supplier. The Virtual CISO’s ongoing function ensures that policy and practice converge rather than diverge over time.
4. No tested incident response plan. A plan that exists only as a document is a governance artefact, not a response capability. Incident response under time pressure, in front of a ransomware attack, is not the time to discover that the plan assumed a communication channel (corporate email) that the attack has taken offline, or that the backup restoration procedure is undocumented. Tabletop exercises and technical simulations build the muscle memory that makes the difference when incidents occur.
5. Ignoring the supply chain. Most significant breaches in Spanish companies in the last three years originated in third-party suppliers — SaaS platforms, managed service providers, IT suppliers. The Virtual CISO’s supply chain security programme is not optional under NIS2 or DORA — it is an explicit regulatory requirement. Without a structured approach to supplier security assessment and contractual security requirements, the organisation’s own security programme is undercut by its weakest supplier.
How we work: Virtual CISO engagement model
Onboarding (month 1): current security posture assessment, regulatory scope determination (NIS2 entity classification, DORA applicability, ENS level), stakeholder mapping (IT team, management, board), and 90-day priority action plan.
Ongoing Virtual CISO function (monthly):
- Security operations liaison: review of security monitoring alerts, vulnerability scan results, and IT team security activities
- Security programme management: progress tracking against roadmap, initiative coordination, vendor management
- Incident management on-call: 24/7 availability for major incident leadership (additional charges for incidents beyond agreed monthly volume)
- Management reporting: monthly security status brief; quarterly board security report
Annual programme:
- Annual security risk assessment refresh
- Annual security awareness training programme design and delivery oversight
- ISO 27001 surveillance audit preparation (for certified clients)
- NIS2/DORA annual compliance review
The fixed monthly retainer covers all programme management activities. Incident response beyond 8 hours/month is billed as a day-rate supplement. Contact our cybersecurity governance team for an initial security posture discussion.
Real results from Virtual CISO engagements
We had been managing cybersecurity reactively for years — point solutions without any strategic direction. BMC's Virtual CISO had a proper security roadmap in place within three months, the highest-priority controls implemented within six, and — for the first time — our board receiving meaningful reporting on our actual risk exposure. NIS2 no longer feels like an approaching crisis.
What our Virtual CISO service includes
Security Strategy & Roadmap
Definition of a business-aligned cybersecurity strategy with a risk-prioritised implementation roadmap, investment justification, and measurable milestones.
Board Governance & Reporting
Information security governance framework, KPI design, executive dashboard, and periodic board reports in business language.
Regulatory Compliance (NIS2, ENS, ISO 27001)
Scope assessment, compliance gap analysis, remediation planning, and coordination with auditors and regulatory bodies.
Technical Provider Coordination
Strategic oversight and coordination of cybersecurity vendors, internal IT teams, and external auditors under unified security direction.
Incident Response Leadership
Incident response plan development, tabletop exercise facilitation, and operational leadership of real incident response — from containment through regulatory notification.