A CISO in the room, when you need one.
Boards ask about cyber. Insurers ask about program maturity. Auditors ask who’s accountable. SOC 2, Law 25, and PIPEDA all assume a named security leader — but a senior CISO is a $350K+ hire with a 40-week bench. vCISO gives you the seniority, the judgment, and the named accountability at the cadence the business actually needs: a day a month, a week a month, or embedded through a milestone.
A security leader who shows up and shows work.
Not a consulting deliverable. A named accountable leader in your program, on your calendar, at your board table, answering to your regulators. Measured in outcomes your CFO and your auditor both recognize.
Twelve capabilities, three mandates.
Strategy sets the direction and talks to the board. Compliance & Regulatory clears the auditor and the insurer. Execution handles the work that a program actually stands or falls on.
Strategy & Leadership
Direction & the board table
Security Program Strategy & Roadmap
A written security strategy aligned to business objectives, with a 12- to 24-month roadmap, milestones, dependencies, and measurable outcomes your CFO will sign off on.
Board & Executive Reporting
Quarterly board packages, executive risk summaries, and committee briefings. Cyber translated into business risk language, not CVSS scores.
Risk Management Framework
Enterprise risk register, risk acceptance workflow, and quantitative risk analysis where it matters. NIST CSF 2.0 or ISO 27005 aligned.
Security Budget & Investment Planning
Multi-year cyber investment plan, tool rationalization, vendor consolidation, and ROI modeling — so the ask at budget time is defensible, not a wishlist.
Policy, Standards & Governance
Policy library development and maintenance, standards alignment (ISO 27002, CIS Controls v8), and governance-committee operation. The paper trail auditors actually accept.
Compliance & Regulatory
Auditors, regulators, insurers
SOC 2 / ISO 27001 / PCI-DSS Advisory
Readiness assessment, control design, evidence program setup, and ongoing operation through certification and surveillance. Shortens first-time audits from 18 months to 6.
Canadian Privacy Program
PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA, and Ontario PHIPA compliance program design. Privacy Officer advisory, PIAs, and regulator-facing evidence.
Cyber Insurance Readiness
Underwriter questionnaire navigation, control attestations, premium negotiation support, and claim-readiness reviews. Insurers now differentiate on program maturity — evidence matters.
Audit Preparation & Response
Pre-audit gap assessments, evidence packaging, auditor relationship management, and finding remediation. Turn auditor weeks into auditor days.
Execution & Program Delivery
The work behind the strategy
Vendor & Third-Party Risk
Vendor risk management program, tiering, security questionnaires, contract security addenda, and continuous monitoring. Because your weakest vendor is your weakest link.
M&A Cyber Due Diligence
Buy-side and sell-side cyber due diligence, post-acquisition integration security, and carve-out planning. Material cyber findings surfaced before the PA, not after.
Security Awareness & Culture
Annual training program, phishing simulation strategy, and executive tabletop facilitation. The human-layer controls auditors and insurers both now ask about.
Most vCISOs write roadmaps. Ours runs them.
A vCISO who only advises can tell you to implement MDR, harden Active Directory, get a pen test, and rehearse your IR plan — and then hand you a vendor matchmaking problem. Because AlecTech is a full MSSP, the recommendation and the execution live under one roof. Your vCISO walks into the board meeting having already talked to the team that runs your SOC that morning. No translation layer, no blame shift, no coordination overhead you’re paying for twice.
- Same MSSP runs MDR, IR, pen test, backup, DR, and GRC — your vCISO has the whole bench in the room
- Roadmap items become delivered work, not RFPs to a rotating cast of vendors
- Single contract, single accountable team, single set of metrics tracked end-to-end
- Program maturity reporting is generated from live operational evidence, not self-attestation
One MSSP. Advisory that turns into delivery.
When your vCISO’s roadmap calls for 24/7 detection, hardening validation, or a tested recovery plan, those aren’t three new procurements. They’re the team down the hall. Strategy and execution flow through one chain of accountability — which is exactly what auditors, insurers, and boards have started insisting on.
MDR & SOC
Detection and response operating on a strategy your vCISO wrote, with metrics they report to the board.
Penetration Testing
Annual pen test program scoped, prioritized, and remediated under the vCISO’s roadmap.
Incident Response
IR retainer, tabletops, and playbooks wired into the program — so invocation isn’t a first-time conversation.
GRC Advisory
Control framework, evidence library, and audit operation. The paper behind the board narrative.
From handshake to board-ready in four phases.
Whether the engagement is ongoing program leadership or a fixed-scope milestone, the sequence is the same. No surprises on deliverable, scope, or cadence — and evidence of progress the business and the auditor both recognize.
- 01 Weeks 1–4: Assess. Stakeholder interviews, maturity assessment against NIST CSF 2.0 or ISO 27001, gap analysis, and a written baseline of where the program actually stands.
- 02 Weeks 4–12: Strategize. Risk register, prioritized roadmap, multi-year budget, program charter, and the first board report. Strategy signed off before execution begins.
- 03 Months 3–12: Execute. Quarterly roadmap delivery, monthly operating cadence, ongoing board and committee reporting, audit and insurer engagements handled end-to-end.
- 04 Year 2+: Mature. Continuous program improvement, annual maturity re-assessment, refreshed roadmap, and the program evolving from compliance floor to competitive advantage.
Every engagement is anchored by a named vCISO — not a rotating pool — and a program coordinator who runs the monthly cadence so the vCISO’s time is spent on judgment calls, not calendar work.
Deliverables across the first 90 days include: maturity assessment report, enterprise risk register, 12–24-month roadmap, security budget, board-ready executive briefing, and a program charter.
Every meeting produces minutes, decisions, and action items tracked in a shared program workspace — so audit evidence accumulates by default, not as a scramble before the review.
Four cadences. Same named leader.
Different organizations need different cadences. Same vCISO, same discipline, same deliverables — scaled to what the business actually needs this year. Tiers can be shifted as the program matures or a milestone demands more intensity.
Advisory
Board and committee attendance, policy oversight, quarterly strategy reviews, and on-call advisory for material decisions. A named leader on the org chart without the program-operator load.
Program
Full program leadership: roadmap execution, monthly operating cadence, audit and insurer engagements, vendor risk, and board reporting. The standard engagement for mid-market organizations without an in-house CISO.
Embedded
Near-full-time CISO coverage for regulated, acquisitive, or heavily audited organizations. Deep program operation, hands-on with major initiatives, on the exec team.
Project-based
Milestone-driven engagements: SOC 2 readiness, M&A cyber due diligence, insurance renewal, post-incident program rebuild, or interim CISO coverage during hiring.
Where cyber is a board-level agenda item.
vCISO leadership for sectors where cyber oversight is explicit — regulated, audit-facing, or acquisition-adjacent — and the rules that apply to the named security leader.
Legal Firms
Law Society cyber obligations, client-panel security questionnaires, and professional liability carrier scrutiny on program maturity.
Financial Services
OSFI cyber-expectations oversight, FINTRAC compliance, and named-leader obligations in registration, audit, and insurance.
Aerospace & Defense
Controlled-goods program governance, CGP designation support, and the cleared named-leader obligations that come with it.
Put a CISO on the org chart. Not on the payroll.
A 30-minute introductory call with a senior vCISO — not a sales rep. We’ll walk through your current program, the milestones this year demands, and which engagement tier actually fits. No deck. A short conversation and a clear proposal.