
The Fractional CISO Playbook: How We Embed in Your Organization

Sam Wheeler · February 11, 2026

I get this question a lot: "What does a vCISO actually do, week to week?" It's a fair question. The concept of fractional security leadership is still relatively new for many organizations, and the practical mechanics aren't always clear.

This post is an honest look at how vCISO engagements work — the structure, the activities, and what it takes to make them genuinely valuable rather than just a compliance-satisfying line item.

What We're Actually Doing

A vCISO engagement isn't a consulting project with a defined deliverable. It's an ongoing leadership relationship where I function as your security leader on a part-time basis. The activities look different at different stages.

In the first 30–90 days: Most of the work is discovery and assessment. Understanding your current security posture, your risk profile, your regulatory obligations, your existing tools and controls, your team's capabilities, and your business context. This period produces a baseline assessment and a prioritized security roadmap.

Once the roadmap is established: The work shifts to program execution — driving progress on roadmap initiatives, owning vendor relationships for security tools and services, managing compliance programs, developing policies and procedures, and serving as the security voice in business decisions.

Ongoing: Board and executive reporting, security program reviews, risk assessment updates, incident response leadership when needed, and program evolution as the business and threat landscape change.

The specific allocation of time varies by engagement. Some organizations need more hands-on execution support. Others need primarily strategic leadership and decision-making. The engagement structure should match what the organization actually needs.

What Makes vCISO Engagements Work

Clear scope and expectations. The most common reason vCISO engagements underdeliver is misaligned expectations — the organization expected daily availability; the vCISO planned for ten hours a month. Get this explicitly documented in the engagement terms.

Access to the right people. A vCISO who can only talk to IT can't function as a CISO. Access to executive leadership, legal, finance, and HR is necessary for the role to work. If organizational politics prevent this, address it before starting the engagement.

A counterpart who can execute. A vCISO provides leadership, strategy, and oversight. Implementation requires someone who can execute. Whether that's internal IT staff, a managed security services provider, or other vendors, there needs to be execution capability that the vCISO can direct.

Leadership buy-in. Security programs that have CEO and board-level support move differently than those where the vCISO is reporting to an IT manager who doesn't have budget authority or organizational influence. Executive sponsorship is essential.

Honest starting point. The most valuable thing I can do in the first engagement is give an accurate picture of where the organization actually stands — including the things that leadership doesn't want to hear. That requires trust. Organizations that want their vCISO to validate existing decisions rather than provide honest assessment aren't set up for success.

What vCISO Work Isn't

It's not IT support. The vCISO role is leadership, not implementation. If the engagement has devolved into answering helpdesk escalations or configuring tools, the scope has drifted.

It's not a checkbox. Compliance frameworks may require a "CISO-equivalent" but the engagement should be designed to provide genuine security leadership, not just to satisfy an audit requirement.

It's not guaranteed availability. A vCISO working with multiple clients can't provide the same availability as a full-time employee. Incident response availability, escalation procedures, and response time expectations need to be explicitly addressed in the engagement structure.

What the Right Engagement Looks Like

The best vCISO engagements I've been part of share common characteristics: clear goals established upfront, regular communication rhythms (weekly check-ins with the operational team, monthly executive reporting), genuine leadership access, a capable operational counterpart, and a relationship built on honest communication even when the news isn't good.

The outcome, at its best, is a security program that genuinely improves — not just in documentation but in risk posture, response capability, and organizational security culture. That's what makes the model worth investing in.
