What Is a vCISO and Why Do Irish SMEs Need One?

A vCISO provides senior cybersecurity leadership to Irish SMEs without the cost of a full-time hire. Plain-English explanation of the role, benefits, and who needs one.

When a Donegal-based engineering firm with 35 employees won a contract with a major Irish public sector body in 2025, the procurement process included a security questionnaire with a question the firm had never encountered before: "Who holds the role of CISO or equivalent security accountable person in your organisation, and what are their qualifications?" The firm's IT provider was excellent at managing infrastructure, but they were not a CISO. The managing director spent two days trying to draft an answer before calling us. They engaged a vCISO, answered the question accurately within a week, and secured the contract. The vCISO retainer cost €2,200 per month. The contract was worth €380,000.

What a vCISO Is

A Virtual Chief Information Security Officer — vCISO — is an experienced cybersecurity professional who provides strategic security leadership to a business on a part-time or fractional basis. They are not an IT support provider, a managed security service, or a compliance consultant. They are a senior security executive who works with your business for a defined number of hours each month to develop and maintain your security programme, manage your risk posture, and represent security interests at leadership and board level.

The role encompasses developing a cybersecurity strategy aligned to your business risk, building and maintaining a risk register, ensuring compliance with GDPR, NIS2 and any sector-specific obligations, developing and testing your incident response plan, briefing management and the board on your security posture, managing security awareness training for staff, and liaising with the NCSC Ireland and the Data Protection Commission when an incident requires notification.[^3]

A vCISO does not replace your IT provider — they work alongside them. The distinction is the level of engagement: your IT provider manages the operational technology layer, the vCISO manages the strategic security governance layer. Both are necessary. Neither does the other's job.

Does your business have a named, credentialled security lead who can represent your security posture to a client, regulator, or insurer? Book a free 20-minute strategy call — we can explain what a vCISO engagement would look like for your specific business, with transparent pricing.

Why Irish SMEs Need One Now

The security leadership gap in Irish SMEs is not a new problem, but it has become more consequential. Three forces are converging to make named security accountability a commercial and regulatory necessity rather than a nice-to-have.

NIS2 places direct personal accountability on management bodies for cybersecurity governance. The directive requires management to approve the organisation's security risk management measures and oversee their implementation, and allows management to be held liable for failures to do so. In practice that means someone with the expertise to produce and maintain those measures must exist inside the business, so that management has something concrete to approve and can evidence its oversight. The NCSC Ireland publishes guidance for organisations on establishing security governance structures, and in-scope businesses are expected to follow it.[^1]

GDPR's accountability principle (Article 5(2)) and its security obligations (Article 32), enforced by the Data Protection Commission, mean that businesses must be able to demonstrate that their security decisions were made by someone with appropriate knowledge and authority. When a breach occurs and the DPC investigates, one of the first questions is who was responsible for security and on what basis decisions were taken; a business with no named security lead has no good answer, and that absence is treated as a governance failure.

Enterprise client expectations have also shifted. Large organisations in Ireland's private and public sectors increasingly require their suppliers to demonstrate security governance as a condition of doing business. Security questionnaires now routinely ask for the name and qualifications of the security lead. "Our IT provider handles it" is no longer an acceptable answer in many procurement processes.

An Garda Síochána's National Cyber Crime Bureau notes that a lack of security governance — not technical controls — is the most common factor in why Irish SME cyber incidents escalate beyond initial containment.[^2] A vCISO addresses that governance gap directly.

What a vCISO Delivers in Practice

In the first 90 days of a vCISO engagement, a business typically receives a current-state security assessment, a prioritised risk register, a policy suite covering the core requirements of NIS2 and GDPR, and a security roadmap with clear milestones. Management receives a briefing on their regulatory obligations and current risk posture. If there are critical gaps — missing MFA, untested backups, no incident response plan — the vCISO works with the IT provider to close them in a structured sequence.

On an ongoing basis, the vCISO reviews and updates the risk register as the threat landscape and the business evolve, attends quarterly leadership briefings, oversees the security awareness programme, runs the annual incident response tabletop exercise, and handles supplier security questionnaires and due diligence responses. For businesses with cyber insurance, the vCISO ensures the controls declared on the policy application are accurate and remain in place, because a claim can be contested if a declared control (MFA on remote access, tested offline backups) turns out not to have been implemented.

Who Needs a vCISO

The vCISO model is appropriate for Irish SMEs from approximately 10 to 150 employees. Below ten employees, a lighter advisory arrangement is often more proportionate. Above 150 employees, with complex regulatory obligations or security engineering requirements, a full-time CISO may be warranted. Between those poles, the vCISO model delivers the outcomes of senior security leadership at a cost — typically €1,500 to €4,000 per month — that is proportionate for most Irish businesses.

Specific situations that commonly trigger a vCISO engagement include winning or pursuing a large contract with security requirements, receiving a supplier security questionnaire you cannot answer, approaching NIS2 scope and needing governance established, suffering a significant cyber incident or a near miss, and applying for or renewing cyber insurance where the application requires evidence of security governance.

A vCISO is not a luxury for large businesses — it is a proportionate solution to a governance gap that affects the majority of growing Irish SMEs.

What to Do Next

Three steps help you determine whether a vCISO is the right model for your business:

  1. Identify your security accountability gap. Ask yourself: who in your business would answer a security questionnaire from a major client? Who would brief your board on your current cyber risk? Who would manage the DPC notification process, within the 72-hour window GDPR sets, if you suffered a breach? If the honest answer is "nobody is well-positioned to do that," the gap is real.

  2. Review your regulatory obligations. Establish whether your business is in scope for NIS2 (the NCSC Ireland's sector guidance covers this) and whether you hold documented evidence of the GDPR accountability measures the DPC expects. If the answer to either is unclear, that in itself is valuable information.

  3. Request a scoped proposal. Ask one or two vCISO providers for a written proposal that specifies exactly what the engagement includes, how many hours per month, and what deliverables you can expect in the first 90 days. Compare those proposals to understand what you are actually buying.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.