Cybersecurity and Applied AI career insights
© 2023-2026 Bespoke Intermedia LLC
Founded by Julian Calvo, Ed.D., M.S.
Direct answer · last verified 2026-04
Virtual CISOs charge $200 to $500 per hour or $5,000 to $15,000 per month on retainer. Rates depend on client size, scope of engagement, and the vCISO's experience. Annual vCISO retainer contracts range from $60,000 to $180,000 per client. Full-time employed vCISOs at MSSPs or consulting firms earn $150,000 to $250,000 in salary plus bonus. Independent vCISOs managing 4-6 clients can earn $300,000 to $600,000+ annually.
The vCISO market splits into three pricing models. Hourly billing runs $200-$500 per hour, with low-end rates at boutiques serving sub-50-employee SaaS startups and the top of the band at independents with prior public-company CISO experience. Monthly retainer is the dominant model: small businesses (under 100 employees) pay $5,000-$8,000 per month, mid-market companies (100-500 employees) pay $8,000-$15,000, and larger or compliance-heavy clients pay $15,000-$30,000 per month. Project-based pricing (SOC 2 readiness, ISO 27001 implementation, HIPAA risk assessment) runs $20,000-$80,000 per project. Per the IANS 2024 vCISO Practice Benchmark, the median active vCISO retainer is $9,200 per month with a median client tenure of 19 months.
What clients actually buy. A standard vCISO engagement covers 10-30 hours per month and typically includes monthly security committee meetings or quarterly board updates, security policy authoring and maintenance, vendor risk reviews for new SaaS purchases, incident response playbook ownership, SOC 2 or ISO 27001 or HIPAA readiness oversight, and incident-advisory access during real events. Higher-tier retainers include a named deputy who handles tactical work and a rapid-response SLA for major incidents. The retainer is not a help desk: vCISOs who let scope creep destroy the practice usually leave the business within 18 months.
Demand drivers. SEC 17 CFR 229.106 (the December 2023 cybersecurity disclosure rule for public companies) and EU NIS2 (Directive 2022/2555, enforcement effective October 2024) created formal requirements for named security accountability. Cyber insurance carriers (Coalition, Beazley, Chubb, AIG, Travelers) now routinely require evidence of security-program oversight as a condition of binding coverage; per Marsh's 2024 Global Insurance Market Index, cyber-policy applications request named CISO or vCISO attestation in 78 percent of mid-market renewals. Per CyberSeek (October 2024), CISO and Information Security Manager openings totaled approximately 36,000 over the prior 12 months with a supply-demand ratio below 1.0, meaning fewer qualified candidates than open roles. Smaller organizations that cannot afford full-time CISO compensation (per IANS 2024 CISO Compensation Benchmark, median total comp at 500-2,000 employee companies is $325,000) turn to fractional alternatives.
Independent vCISO economics. A practice with 5 active retainers averaging $9,500 per month produces $570,000 in annual recurring revenue, plus $40,000-$120,000 in one-off projects (assessments, incident retainer activations, policy audits). Expenses are modest for solo practitioners: liability insurance ($1,500-$3,000), CPA and bookkeeping ($3,000-$6,000), continuing education ($5,000-$10,000), travel for in-person meetings ($8,000-$20,000), and CRM and practice tools ($2,000-$4,000). Self-employment tax under IRS Publication 334 applies at 15.3 percent to the first $168,600 of net earnings and at 2.9 percent above that threshold. Net before income tax on a $610,000 practice typically lands at $480,000-$520,000. Most practitioners adopt an S-Corp structure to control self-employment tax once revenue clears $200,000.
Cost ladder versus alternatives. A full-time CISO at a mid-market company costs $325,000 in total comp plus benefits (KFF Employer Health Benefits 2024 reports a family-coverage employer cost of $19,276), executive coaching, and travel: all-in roughly $410,000. A vCISO retainer at $12,000 per month is $144,000 annually with no benefits load. The cost comparison favors a vCISO until the company reaches roughly 750-1,000 employees or operates in a regulated industry that demands full-time-equivalent leadership. Cyber insurance carriers now treat vCISO-served companies as equivalent to full-time-CISO companies for underwriting purposes when the retainer documents named-officer accountability.
Skills and credentials clients expect. CISSP is table stakes; most clients filter out applicants without it. CISM signals management depth and is often paired with CISSP. CCSP signals cloud-security currency. Domain-specific credentials matter for vertical practices: HITRUST CSF Practitioner for healthcare clients, PCI-QSA for retail and payments clients, FedRAMP 3PAO certification for federal-adjacent SaaS. Beyond credentials, clients pay for executive communication: the ability to deliver a 12-slide board update without jargon, write a 2-page audit-committee memo, and run a 60-minute tabletop exercise with senior leadership. Most failed vCISO engagements trace to communication mismatch, not technical depth.
Path to building the practice. Year one: 1-2 clients while still W-2 or as a side practice, billing $5,000-$8,000 per month each. Year two: 3-4 retainers totaling $300,000-$400,000 in ARR. Year three: 5-7 retainers totaling $500,000-$700,000 in ARR. Lead generation runs through three durable channels: cyber-insurance broker referrals (Marsh, Aon, Lockton, and Woodruff Sawyer maintain referral networks), CPA and audit firm partnerships (PwC, Deloitte, BDO, and regional firms refer clients needing SOC 2 readiness), and direct outbound to Series A through C SaaS companies whose enterprise customers demand a named CISO in vendor questionnaires. DecipherU's vCISO career guide covers contract templates, retainer-tier pricing structures, the AICPA SOC 2 Trust Services Criteria reading list, and the build-versus-buy decision points clients use to evaluate fractional security leadership.
Salary data is compiled from public sources including the Bureau of Labor Statistics and industry surveys. Actual compensation varies by location, experience, company, and negotiation. This information is for educational purposes only and does not constitute financial advice.