// vCISO Services

Senior security leadership, without the full-time hire.

Our virtual CISO practice gives SMBs and growth-stage companies a named security leader who owns strategy, compliance, board reporting, and incident command. Billed by the month, not the headcount.

// What a Dephiant vCISO owns

The full scope of a Chief Information Security Officer.

Security Strategy & Roadmap

Multi-year security roadmap aligned to business objectives, budget, and risk appetite. Quarterly reprioritization as the threat landscape shifts.

Governance & Policy

Policy library, acceptable-use standards, vendor risk management, and the operating cadence that keeps them living documents instead of shelfware.

Compliance Program Ownership

End-to-end ownership of SOC 2, HIPAA, ISO 27001, PCI, or GDPR programs, from gap analysis through audit liaison and continuous evidence.

Board & Executive Reporting

Quarterly board decks, risk register, KPI dashboards, and the translation layer between technical reality and executive decision-making.

Incident Command

Named incident commander during major events. Tabletop exercises, runbooks, and post-incident reviews that actually change behavior.

Vendor & M&A Due Diligence

Security review of new vendors and acquisition targets. Contract redlines on DPAs, SLAs, and breach notification clauses.

Team Coaching & Hiring

Mentor in-house engineers, structure the security org, and support interview loops for your first dedicated security hires.

Customer Trust Enablement

Security questionnaires, trust center content, and sales-engineering support to unblock enterprise deals.

// Engagement models

Three ways to plug in.

Advisor

~8 hrs / month

Pre-Series A or lean teams that need senior judgment on demand.

  • Monthly strategy session
  • Slack/Teams office hours
  • Quarterly policy review
  • On-call for critical decisions

Fractional

Most chosen

~30 hrs / month

Growing companies running a real compliance program or scaling security.

  • Weekly leadership cadence
  • Owns compliance roadmap (SOC 2 / HIPAA / ISO)
  • Board reporting and risk register
  • Vendor and customer security reviews
  • Incident command during events

Embedded

~60+ hrs / month

Regulated industries or post-incident rebuilds needing full leadership presence.

  • Acts as your named CISO
  • Manages internal security team
  • Drives audits end-to-end
  • Customer-facing security spokesperson
  • Full M&A and vendor due-diligence load

Engagements are month-to-month after an initial 90-day discovery. Scale up, scale down, or pause without penalty.

// FAQ

Common vCISO questions.

When does a vCISO make more sense than a full-time hire?

Until you have a security team of 3 to 5 engineers and a $1M+ security budget, a full-time CISO is usually under-utilized. A vCISO gives you 15+ years of senior leadership at a fraction of the cost, with the flexibility to scale up or down as your needs change.

Can a vCISO sign attestations or be named in our SOC 2 report?

Yes. In Fractional and Embedded engagements we are named as your security leader, sign management assertions, and serve as the auditor's primary point of contact.

How fast can you start?

Typical kickoff is two weeks from signed SOW. Emergency engagements (active incident, failed audit, lost CISO) can start within 48 hours.

Do you replace or augment our existing security tooling?

We are tool-agnostic. Our job is to make your existing stack work harder before recommending new spend. When new tooling is warranted, we run an unbiased selection process.

Which frameworks do your vCISOs operate in?

SOC 2, ISO 27001, HIPAA, HITRUST, PCI DSS, NIST CSF / 800-53, CMMC, and GDPR. Engagements often combine two or three at once.

// vCISO scoping

Get a custom scoping note within one business day.

Tell us about your environment, stage, and any compliance pressure. We'll send back the engagement tier, named lead, and a rough quote. No sales call required to get a number.


Prefer a call?

A free 20-minute discovery call to scope the right engagement model for your stage, stack, and regulatory posture.
