
Virtual CISO. Senior security leadership without the headcount.

$1,500/mo bundled in Cyber Premium. $2,000/mo standalone for businesses on another IT provider. Monthly strategy session, quarterly policy review, annual security plan, broker and underwriter liaison, board-ready reporting. Built for 15+ seat northern Alberta businesses that have to answer security questions internal IT alone cannot answer.

Who this is for

Most northern Alberta SMBs do not need a vCISO. The ones that do tend to recognize themselves in one of these three situations.

Carrier or broker is asking for a security program

Your cyber-insurance renewal questionnaire now asks who owns information security at the business, when policies were last reviewed, and whether there is a documented risk register. You do not have a CISO. You do not need a $200k/year CISO. You need somebody senior who can answer those questions truthfully and sign their name to the program.

Regulated industry or supply-chain pressure

An oil major prequalification, a federal-government contract, a large customer's vendor-risk team, or a sector regulator is asking for documented security governance — policies, roles, training records, incident response plan, third-party risk. Internal IT can run the controls. They cannot author the program.

15+ seats and outgrowing the IT-only model

The business has crossed the line where a single IT lead juggling helpdesk and projects can no longer also be the person setting security strategy. Hiring a security director is a $180k commitment plus benefits. A fractional senior with monthly board-level engagement is a fraction of that and arguably more effective at this size.

Why this matters in the Peace

A mid-sized Mackenzie County business — a 30-seat trucking operation, a 25-seat sawmill office, a 20-seat ag-services supplier — sits in the gap that most cybersecurity firms either price out of or completely miss. Calgary and Edmonton vCISO firms quote $4,000–$8,000 per month, fly somebody up twice a year, and produce a binder. National MSPs roll vCISO into a six-figure platform contract that nobody local can justify.

Meanwhile, the carrier still wants an answer about who owns security at the business. The oil-major prequalification still wants policy documents. The federal contract still wants a signed program. Saying “our IT guy handles it” used to be enough. In 2026, it is not.

The vCISO model exists to close that gap with senior thinking, regional rates, and an engagement structure that actually fits how a family-owned northern Alberta business runs. Monthly meetings, plain language, real deliverables, and somebody who picks up the phone when the broker calls.

What you get

Seven concrete deliverables that produce documentation a broker, underwriter, auditor, or board member can actually read.

  1. Monthly strategy session

     90 minutes with the owner, GM, or IT lead. We review the previous month's security posture, walk through any incidents or near-misses, prioritize the next 30 days of work, and close any open governance items. Minutes documented.

  2. Quarterly policy review

     Once per quarter we sit with the leadership team and walk through the policy framework — acceptable use, access control, incident response, vendor management, data handling, BYOD. Edits captured, versions tracked, sign-offs recorded.

  3. Annual security plan

     A written 12-month security plan published at the start of each fiscal year. Strategic priorities, capital and operating spend forecasts, dependencies on other business initiatives, KPIs the owner and board actually care about.

  4. Carrier and broker liaison

     We talk to your broker and your underwriter directly. We answer the questionnaire honestly. We attend the renewal call. We translate between insurance language and operations language so both sides walk away clear on what is in place.

  5. Board and owner reporting

     A monthly dashboard the owner can read in five minutes. A quarterly written report ready for a board package. Plain English, no acronym soup, no marketing wash. Risk posture, open issues, decisions needed.

  6. Risk register ownership

     We maintain the risk register and the remediation roadmap. Each item scored, owned, dated, and tracked to closure. The register becomes a real working document, not a screenshot for the audit binder.

  7. Third-party and vendor risk

     When the business signs a new vendor — accounting software, agronomy platform, logistics broker — we do a lightweight risk review and a written go/no-go recommendation. When an existing vendor has a breach, we coordinate the response.

How it works

The engagement runs on a predictable cadence. The first 90 days build the foundation; after that the work is steady, monthly, and visible in writing.

  1. Month 0: Onboarding and baseline

     Two-week onboarding. We read the existing documentation, interview the owner and IT lead, walk the environment, and produce a baseline assessment of where governance stands today. No surprises, no gotchas — the honest starting point.

  2. Month 1: Framework adoption and gap closure plan

     We agree on a working framework (typically CIS Controls v8 or NIST CSF 2.0 — whichever fits the regulatory context). The biggest gaps are translated into a 90-day plan with owners and due dates.

  3. Months 2–3: Policy authoring

     We draft, review, and ratify the policy set the business needs. Not a thick binder of boilerplate — the eight to twelve policies that actually map to how the business runs and what the carrier or regulator will check.

  4. Quarterly: Business reviews

     Quarterly review with leadership. KPIs, incidents, near-misses, control changes, vendor changes, regulatory updates that affect the business. Roadmap for the next quarter agreed at the same meeting.

  5. Annually: Security plan refresh and audit prep

     Annual security plan rewritten with the year's lessons folded in. Audit prep for any third-party assessment the business needs. Tabletop incident response exercise (Tier 3 clients).

What the vCISO is not

The fastest way to disappoint a client is to be unclear about scope. Here is what we explicitly do not do under this engagement.

This is not hands-on engineering

The vCISO sets strategy, writes policy, talks to brokers, and signs the program. The hands-on configuration work — Conditional Access, firewall rules, EDR tuning, backup engineering — is done by the managed-services team or your internal IT. We do not split that role.

This is not a part-time CISO with a title

We are not pretending one person from our team is your full-time CISO. The model is a senior practitioner spending a defined number of hours per month on your business, with clear deliverables. The CFO version of this model has been working for SMBs for forty years.

This is not legal or insurance advice

We write the security program. Your lawyer reviews legal language in contracts. Your broker and underwriter make the insurance decisions. We give them the facts and the documentation; they make the calls in their domain.

This is not a replacement for internal accountability

A vCISO holds the program. The owner still holds the business. We do not absorb residual risk on behalf of the company, and any responsible vCISO is honest about that on day one. What we do is make the residual risk visible, quantified, and decision-ready.

Pricing — said out loud

  • $1,500/mo bundled in Cyber Premium. Included in the $275/seat/mo tier alongside BCDR, 90-minute SLA, tabletop exercises, and the full managed-IT engagement.
  • $2,000/mo standalone. For businesses staying with their current IT provider. Same scope, same deliverables, same monthly cadence. We do not require you to switch IT to engage us on governance.
  • 12-month minimum engagement. Annual security plans, quarterly policy reviews, and broker liaison are not work that completes in 90 days. After year one the engagement is month-to-month with 60 days' written notice.
  • No travel charges within the Peace region. In-person sessions in La Crete, High Level, Fort Vermilion, Peace River, and surrounding communities are included. Travel beyond the region is quoted separately.

Frequently asked questions

Why not just hire a full-time CISO?

For a 15–60 seat northern Alberta SMB, the math does not work. A Canadian CISO costs $160k–$220k in base salary plus benefits, plus a budget for the tools and team underneath them. The vCISO model gives you senior-level thinking, broker-ready documentation, and board reporting for a fraction of that, paid monthly, with no severance exposure.

What credentials does the vCISO have?

Dylan H., the founder, is a senior IT and cybersecurity practitioner with two decades of hands-on infrastructure, identity, and security work — including direct breach response, regulated-industry audits, and Microsoft 365 hardening at scale. Specific certifications and engagement history are shared on the scoping call so we can show relevance to your situation, not just letters after a name.

How many hours per month is this?

Standalone vCISO at $2,000/mo budgets roughly 8–10 hours per month of senior time — the monthly strategy session, the broker and underwriter work, policy authoring, board reporting, and reactive consults. Bundled vCISO inside Cyber Premium budgets roughly the same hours; the savings come from sharing onboarding and reporting infrastructure with the rest of the engagement.

Can we use you alongside our existing MSP?

Yes. The standalone vCISO option exists specifically for this case. Your MSP runs IT and the security controls; we run governance, policy, broker liaison, and board reporting. We do not bill the MSP, we do not undermine them, and we do not poach the work. About a third of standalone vCISO engagements look like this.

Is the vCISO available between monthly sessions?

Yes for reactive consults — broker questions, vendor risk decisions, incident triage, policy clarifications. We answer within one business day via email, and same-day on the priority line if it is breach-related. We do not provide 24/7 on-call coverage; that is the SOC's role, and the SOC is included in the managed tiers.

Does the bundled vCISO inside Cyber Premium credit anywhere if we drop a tier later?

If you move from Cyber Premium to Cyber Essentials + Managed IT, you can retain the vCISO as a standalone $2,000/mo add-on. There is no separate credit beyond the published-pricing transparency itself: you see exactly what each piece costs, so any tier change has predictable math.

Ready to put a senior practitioner on the program?

The scoping call is free, takes 30 minutes, and tells you honestly whether the vCISO model fits the business today.