The vCISO market has three service tiers. Most buyers think it’s two: MSP or big-firm. There’s a third sitting between them, and it serves the growing SaaS companies that have outgrown ad-hoc security but aren’t ready for a full-time CISO.
When to Bring in a vCISO #
If one of these is happening, you’re probably ready. Here’s how to pick the right kind of help.
- Your first SOC 2 or ISO 27001, usually because an enterprise customer asked
- A cyber-insurance renewal with a security questionnaire you can’t answer
- Rebuilding your security program after an incident
- A 200-plus-question security questionnaire from a big prospect
- A potential acquirer digging into your security during a deal
- Pressure to govern how the company is using AI
At a Glance #
- Platform-MSP vCISO: entry tier, ~$2-3.5K/mo, good for early-stage companies with little on the line yet
- Boutique vCISO: middle tier, ~$5.5-6K/mo, good for growing SaaS companies with customers, auditors, or acquirers asking hard security questions
- Big-firm advisory: enterprise tier, $15-50K+/mo, good for Fortune 500 and regulated multinationals
The Three vCISO Models #
| Platform-MSP |
Where most growing SaaS companies land
Boutique
|
Big-firm advisory | |
|---|---|---|---|
| Who you work with | Junior analyst + vCISO platform | Single principal | Partner + supporting team |
| Pricing | $2,000–3,500 / mo | $5,500–6,000 / mo | $15,000–50,000+ / mo |
| Who writes your deliverables | Platform-generated templates | Written by the principal | Associates, partner-reviewed |
| Technical depth | Light; checklist-driven | Practitioner-grade; advisory scope | Deep; a bench of specialists |
| Best fit | Early-stage; not much regulatory pressure yet | B2B SaaS; cloud-native; enterprise customers; acquirer in pipeline | Fortune 500; regulated multinational; public co |
| Where it falls short | Customer questionnaires get technical; acquirer due diligence digs in | You want staff augmentation; you want a brand-name logo on the contract | SMB pricing reality; you want one accountable person |
(“Platform” here means software that generates a client’s policies and reports from templates.)
The Boutique Tier: The Part Most Buyers Miss #
A boutique vCISO is a single principal, usually a senior practitioner who held in-house security leadership before going independent.
I take on a limited number of clients at a time, on purpose. It’s the only way each one gets a real partner instead of a fraction of someone’s attention. When I’m full, I’ll tell you and point you to someone good.
The person you meet at signing is the person who writes your risk assessment, designs your roadmap, and sits in your board meeting.
8 Questions to Ask Any vCISO Before Signing #
- Who, specifically, will I work with? Name them.
- How many concurrent clients do you have right now?
- Are you using a vCISO platform to generate deliverables? If yes, where does my data go?
- Walk me through your first 90 days on [our IAM / cloud environment / SOC 2 / AI governance].
- What’s explicitly out of scope?
- What happens if my scope expands mid-year?
- Can you send a redacted client deliverable as a writing sample?
- Can I talk to a client you’ve worked with, and would they hire you again?
Holding myself to questions 7 and 8, here are two real examples of my work: a Google Workspace security assessment and an ISO 27001 certification from disarray to a first-try pass.
Want to put these questions to me directly?
Book a Free 30-Min CallWho You’d Be Working With #
I’m Jonathan Thompson. Every engagement is me: not a team, not a platform, not a junior analyst with my name on the invoice.
I spent more than two decades in the trenches before going independent: network engineering, DevOps, then cloud security architecture and security leadership. Most recently I was Director of Information Security at Heartflow, after building out its cloud and product security program. Before that, cloud security architecture at AARP. Full background and certifications →
I’m a practitioner, not a policy wonk. I’m comfortable on the command line and speak fluent engineer, I automate GRC evidence collection, and I ship security policy as code, then translate all of it into risk language an executive team and a board can act on.
Security should help you sell, ship, and make money, not slow it down. I build you a real security program with practical, right-sized controls. Done well, that’s what carries you through the customer questionnaire, the audit, and an acquirer’s diligence, so security becomes a reason you win deals instead of a tax on them. And a good vCISO works to make himself unnecessary. When you’ve outgrown fractional help, I’ll help you hire your first full-time CISO.
What Thompson Infosec Is #
A boutique vCISO practice for growing SaaS companies that have outgrown ad-hoc security but aren’t ready for a full-time CISO: cloud-native, primarily AWS-based, often with AI features.
- A real security program, not a binder: practical, right-sized controls you’ll actually use, not a stack of policy templates
- Independent, no conflicts of interest: I don’t resell tools, software, or managed services, so my recommendations aren’t a sales pitch
- No platform output: every deliverable is written by me, and your data stays in your environment
- You own everything: the policies, the roadmap, the board decks are yours to keep
- Practitioner-grade depth, advisory scope: I assess your actual security controls and help you make smart risk decisions about what to fix. Your team or MSP makes the changes
- Strategy and decisions, not hands-on operations: I don’t run firewalls, staff a 24/7 monitoring desk, or do penetration testing. When you need those, I’ll connect you with people I trust
Who I’m Not For #
- Cheapest-possible-vCISO shoppers
- Staff-augmentation buyers
- Defense, classified work, and high-frequency trading firms (not my expertise)
- Companies treating security as a check-the-box exercise
How to Decide #
| Your situation | Tier |
|---|---|
| Early-stage, low regulatory burden, cost-driven | Platform-MSP |
| Fortune 500 / regulated multinational / public co | Big-firm |
| Growing SaaS with customers, auditors, or acquirers asking hard security questions | Boutique ← that’s me |
Boutique fits but you’re not ready for an ongoing retainer? Start with a one-time security assessment. You get a clear read on where you actually stand, and it’s the natural on-ramp to a retainer later if you want one.
Ready to talk about a boutique vCISO engagement?
Book a free 30-minute call. If I'm not the right fit, I'll tell you and refer you to someone who is.
Book a Free 30-Min Call