
In the winter of 2018, I resigned from my full-time head of cyber security role at a reputable Australian organisation to pursue my passion as an executive cyber security consultant. It was a plunge into the deep end. I didn’t have much savings, but I was confident that the credibility I had built in the marketplace would open doors.
Thanks to the strong momentum and excellent working relationship with key stakeholders, my employer soon offered me my first VCISO gig, flipping my employment from permanent to part-time. What started as a 6-month contract lasted 7 years, and we parted on excellent terms.
Over the last 9 years working as a VCISO across multiple verticals – spanning financial services, healthcare, and physical security – I have accumulated a lot of wisdom, and I am now ready to share it with my colleagues who also aspire to become high-value VCISOs. But before we delve into the how, let's get the basics out of the way.
The Rising Need for VCISOs
Any significant transformation program requires strong and decisive leadership; cybersecurity is no exception. But as the research giant Gartner notes, most small businesses cannot afford a full-time chief information security officer (CISO), whose cash compensation ranges from $208,000 to $337,000.
Consequently, the tightening regulatory screws, rising external stakeholder expectations, and unrelenting pressure on tight budgets continue to drive demand for VCISOs. These part-time cybersecurity executives provide strategic support to technical teams, including strategy design, policy formulation, program oversight, board reporting, contract negotiations and risk management.
Because most VCISOs commit one or two days per week, they provide the required level of cyber leadership at a fraction of the cost. There are ongoing arguments about whether a VCISO replaces a full-time CISO. That argument is absurd at best; no experienced cybersecurity professional would be that naïve.
But when well-structured, a VCISO delivers the best return on investment for mid-sized companies with no justifiable need to hire a full-time executive. So, let me share some simple but powerful strategies to get this right.
Set up the right structures from the outset
You are way better off setting up a proprietary company (Pty Ltd) from the start. Unlike a sole trader, a well-structured company separates personal liability, unlocks cheaper professional indemnity insurance, and signals commercial intent to clients. To get this right, engage a suitably qualified accountant to help you navigate the nuances of accounting, business, and corporate structures — decisions that are far easier to get right at the start than to unwind later. I am, however, not qualified to guide you in this regard.
- Lead with enterprise-wide risk assessments and strategy design. This has been my entry point to all my VCISO engagements, helping me create strong first impressions by guiding client organisations to focus on their highest-risk areas and by presenting clear, business-centred, cost-effective cybersecurity strategies. Leading with extreme value makes it easier to negotiate a long-term VCISO retainer (say 1-2 days per week) to oversee transformation, manage vendor relationships, mentor technical staff, and manage strategic communications.
- A word of warning on scope. I have seen many aspiring VCISOs make the strategic mistake of jumping into the operational weeds — configuring cloud security tools, chasing SIEM alerts, or other technical work within their comfort zone. This is exactly where VCISO business models fail. Detailed technical work eats up valuable time you could otherwise use to manage strategic relationships, develop thought leadership, or oversee important programmes.
That said, this requires careful balance. There will be moments — a third-party security review, a new-product risk assessment — where you need to roll up your sleeves because a client has a pressing need. But once you have drafted a clear roadmap, negotiate to bring in a suitably qualified senior consultant to deliver detailed project work. It's a win-win: you apply a markup on their daily rate, while relieving the client of the pain of hiring and managing a part-time resource.
- Don’t reinvent the wheel. When I started my VCISO business, I spent an inordinate amount of time building frameworks from scratch in the background. Now I leverage the 1,000+ toolkits we have published via the Cyber Leadership Hub, and I get far more done in a fraction of the time and at a fraction of the cost. This isn't a sales pitch. I'm suggesting you find a platform with high-quality, editable toolkits you can use, rather than developing policies and frameworks from scratch. Think like an entrepreneur and sell outcomes, not effort.
Focus on Measurable Outcomes, not Effort
Ensure your VCISO services and measurable outcomes are clearly articulated in the retainer contract. That way, you can focus on hard-core, defensible metrics and not waste time arguing about timesheets and invoices. Your client is paying you to prioritise the right projects, cut through noise, get the best out of every dollar spent and deliver tangible transformation, not effort. You are way better off saying “We cleaned up unrequired privileged access across 24 crown jewels” than emailing an invoice for “15 days spent reviewing privileged accounts”.
The whole notion around VCISO engagement is about trust. There will be periods when you can work 1.5 days instead of 2 days per week, and vice versa. In the long term, as long as the deliverables are clearly articulated, the time evens out.
Generating the right leads
Sadly, none of the multitude of certifications most aspiring VCISOs hold ever taught them what matters most in running a VCISO business: generating leads. No matter how deep your expertise is, it's almost valueless if you can’t sell it. This was the single most important skill I had to learn from scratch after stepping into entrepreneurship: generating leads, nurturing them and converting them into long-term clients. Here are five ways to nail this:
- Build a clean website that is heavily centred on how the client benefits from engaging you, not a catalogue of services. You’re way better off saying “Boost your ability to win new institutional clients through accelerated SOC 2 Type II compliance” than saying you “Offer risk and compliance services”. Clients buy benefits, not features.
- Create a surgical lead magnet targeting a specific buyer at a moment of urgency — for example, a CISO Playbook: How Fintechs Can Accelerate SOC 2 Type II Compliance in X Days. The lead magnet must be so good that the client would be willing to pay for it, but you give it out for free.
- Nurture prospects who download your lead magnet through a fortnightly newsletter that delivers one razor-sharp, actionable insight to your target audience.
- Seek opportunities to present highly actionable and compelling insights at executive roundtables that feature your target audience. VCISO work is a very high-ticket item, something you're more likely to sell after building in-person rapport than by cold-calling prospects.
- Publish consistently on LinkedIn, submit to industry publications, and repurpose top pieces into newsletter editions and speaking proposals — over 12–18 months, this body of work becomes your most powerful sales asset.
Sustaining client relationships
By far the best way to sustain VCISO engagements is to deliver way more than the client paid for. When you get a rare opportunity to present to the board, show up prepared and nail the PowerPoint. Deliver high-quality cyber risk governance packs on time and clear up your action items before the next meeting.
Don’t bite off more than you can chew. Signing too many engagements at once may pay off in the short term, but it certainly comes back to bite you fast. You will end up declining meetings at the last minute to attend to another client, which will dent your credibility. Engage the client on a much deeper, personal level and take them out for lunch or coffee at least once a month. If you both play golf, then organise a game.
The business-sinking traps
Let me wrap up by sharing five mistakes you should avoid at all costs.
- Taking on too many clients too quickly, spreading yourself too thin and delivering mediocre work, with the risk that all your clients fire you at once.
- Pricing on hours rather than value, turning yourself into a glorified contractor instead of an entrepreneur.
- Over-reliance on a single anchor client creates a single point of failure. No matter how great the relationship, every engagement eventually comes to an end.
- Avoiding hard conversations about scope or commercial terms because you desperately need work.
The future looks dazzlingly bright
There has never been a better time to become a business-centred VCISO. Boards, investors, regulators, and business partners are demanding more strategic oversight, and this model is a strong fit for mid-sized companies with smaller budgets.