NSP Insights for NZ Businesses

What Is a vCISO and Does Your Business Need One?

Written by Dayna-Jean Broeders | May 19, 2026 10:01:06 PM


Most small and medium businesses in New Zealand have thought about cybersecurity at some point. They've bought antivirus. They've turned on MFA. They've had a conversation about backups. Maybe they've even had a security assessment done.

What most of them haven't had is someone sitting at the leadership level who owns the security strategy - who thinks about where the risks are going, how the controls connect to the business, what compliance requirements are coming, and how to explain all of it to the board or the partners or the investors in a way that actually makes sense.

That's the gap a vCISO fills. And for most NZ SMEs, it's a more significant gap than they realise.

This post explains exactly what a vCISO is, what they actually do day-to-day, what it costs, and - most importantly - whether your business actually needs one or whether something simpler will do the job.

What a CISO Does (Before We Get to the "v" Part)

A Chief Information Security Officer is a senior executive whose job is to own the security function of an organisation. Not just the technical controls - the whole thing. The strategy, the risk management, the compliance framework, the security culture, the board reporting, the incident response leadership, the vendor relationships, the budget justification.

A good CISO translates technical risk into business language. They sit in the room when major decisions are made and ask: what are the security implications of this? They develop roadmaps that connect where the organisation is now to where it needs to be. They make sure that when something goes wrong - and something always eventually does - there's a plan, it's been rehearsed, and someone credible is in charge of the response.

For a large enterprise, this is a full-time executive role. In NZ, total compensation for an experienced CISO ranges from $170,000 to $280,000+ annually, and that's before on-costs, benefits, and the cost of the security team they typically need to run effectively.

For a business with 20, 50, or even 150 staff, that's not a practical hire. But the need for the function doesn't disappear just because the budget doesn't stretch to a full-time executive.

That's where the vCISO model comes in.

What a vCISO Is

A vCISO - virtual Chief Information Security Officer - provides the same strategic security leadership function on a fractional or part-time basis. Instead of a full-time employee on your payroll, you engage a senior security professional (or a team through a managed services or cybersecurity provider) for a defined number of hours per month.

The "virtual" doesn't mean they're less real or less qualified. It means they're not embedded full-time. Most vCISO engagements involve a combination of regular advisory sessions, ongoing strategic oversight, specific project work, and availability for escalation when something needs attention.

What they do is essentially identical to what a full-time CISO does - adjusted for the scope of your organisation and the hours genuinely needed:

Security strategy and roadmap - A vCISO assesses your current security posture, understands your business objectives, and develops a practical roadmap that connects where you are to where you need to be. This isn't a generic framework - it's a plan specific to your business, your risks, and your resources.

Risk management - Identifying what your most significant risks actually are, prioritising them based on likelihood and impact, and ensuring controls are in place and working. This is a continuous activity, not a one-off exercise.

Compliance oversight - Whether you're working toward ISO 27001, navigating Privacy Act 2020 obligations, preparing for a cyber insurance audit, or meeting requirements imposed by a major client or partner, a vCISO ensures your security programme maps to what's required and that the evidence exists to demonstrate it.

Board and executive reporting - Translating technical security status into language that boards and senior leadership can act on. Most technical security staff are not naturally equipped to do this well - it's a specific skill that experienced CISOs develop over years of practice.

Incident response leadership - When something goes wrong, having someone who has managed incidents before, knows what decisions need to be made and in what order, and can maintain credibility with both technical staff and executive leadership is worth considerably more than their cost.

Vendor and third-party oversight - Your security is only as strong as the weakest link in your supply chain. A vCISO reviews third-party security, manages vendor relationships from a security perspective, and ensures that partners and suppliers don't create exposure in your environment.

Security culture and awareness - The most sophisticated technical controls can be undermined by one staff member clicking the wrong link. A vCISO ensures security awareness is embedded in the organisation, not bolted on as an annual compliance exercise.

What a vCISO Isn't

This distinction matters. A vCISO is a strategic leadership function - they don't replace your IT support, your managed services provider, or your security operations team. They direct those functions. They set the strategy those teams execute.

Think of it this way. A vCISO is to security what a CFO is to finance. The CFO doesn't process invoices or reconcile accounts - they own the financial strategy, make sure the right controls are in place, and ensure the business is making sound financial decisions. The bookkeeper and the accountant handle the execution.

A vCISO sets security strategy and owns security risk at the leadership level. Your managed services provider handles the operational execution - monitoring, patching, helpdesk, incident response procedures. The two functions are complementary, not interchangeable.

Businesses sometimes try to fill the vCISO function with their IT manager or an experienced sysadmin. This usually doesn't work, not because those people lack capability, but because the role requires a specific combination of business acumen, regulatory knowledge, communication skills, and security depth that most IT generalists haven't had the opportunity to develop. It's also a significant ask on top of an already demanding operational role.

The Cost Comparison That Makes This Make Sense

Let's put actual numbers on it, because this is where the vCISO model becomes compelling for NZ businesses.

A full-time CISO in New Zealand costs between $170,000 and $280,000 in base salary. Add employer on-costs (KiwiSaver, ACC levies, leave provisions) and the fully loaded cost sits between $200,000 and $330,000 annually. That's before the security team, tools, and training budget they typically need to function effectively.

For most NZ SMEs, that number is simply not on the table. And even for businesses that could stretch to it, a full-time CISO only makes sense when the security function genuinely requires 40 hours of dedicated leadership per week - which most businesses under 500 staff don't.

A vCISO engagement in NZ typically costs between $3,000 and $12,000 per month, depending on scope, hours, and the depth of support required. That's $36,000 to $144,000 annually - delivering the same strategic leadership at 30 to 70 percent of the cost of a full-time hire, with no recruitment risk, no severance liability, and no gap in coverage if a staff member moves on.

For a business paying $5,000 to $8,000 per month, you're getting senior security leadership, compliance oversight, risk management, board reporting capability, and incident response expertise - a full security function at the leadership level, for less than the cost of a mid-level employee.

NSP's vCISO strategy services are built specifically for NZ SMEs - scoped to what you actually need, not what a large enterprise security programme would require.

Does Your Business Need a vCISO?

This is the question worth answering honestly, because not every business does and a good provider will tell you that.

Here are the scenarios where a vCISO genuinely makes sense:

You're growing and security hasn't kept pace

Fast growth tends to outpace security. New staff, new systems, new data, new clients - each one adds to the attack surface and the compliance complexity. Without someone owning the security strategy, you end up with a patchwork of controls that nobody has reviewed as a whole, gaps that aren't visible until an incident reveals them, and a security posture that doesn't reflect the size of business you've become.

A vCISO brings structure to what's currently ad hoc.

You're facing compliance requirements you don't fully understand

Privacy Act 2020 obligations. Cyber insurance requirements. ISO 27001 certification that a major client is asking for. Government contract security requirements. Industry-specific obligations in healthcare, finance, or legal.

Compliance isn't just a matter of ticking boxes - it requires understanding what the requirement actually means, what controls satisfy it, how to evidence them, and how to maintain compliance over time. A vCISO who has navigated these requirements before cuts through that complexity significantly faster than someone learning on the job.

You've had a security incident or near-miss

A phishing attack that almost worked. Ransomware that was stopped but revealed how close it came. A data breach that triggered Privacy Act obligations. These events are signals that the current security approach has gaps and they typically precede larger, more damaging incidents if the gaps aren't addressed.

A vCISO's role after an incident isn't just to fix the immediate problem. It's to understand the root cause, assess what else might be exposed, and build a programme that reduces the likelihood of the next one.

You're preparing for significant investment, acquisition, or contract

Investors, acquirers, and large enterprise clients increasingly conduct security due diligence. Having a credible security programme - documented, evidenced, with a named person accountable for it - changes how those conversations go. A business that can demonstrate mature security governance is more investable, more acquirable, and more likely to win contracts that require it.

A vCISO builds and maintains the security posture that makes those conversations work.

Your IT team is handling security on top of everything else

This is the most common situation in NZ SMEs. One IT person, or a small team, managing everything from the help desk to network infrastructure to backups to security, and trying to stay current on a threat environment that's changing faster than anyone can keep up with single-handedly.

A vCISO doesn't replace that team. They lift the strategic burden off it. The IT team focuses on what they're good at - operational delivery. The vCISO owns the strategic direction, the compliance requirements, and the security risk framework.

You're not sure if you need one

If you're genuinely uncertain, that uncertainty is itself informative. It usually means nobody is currently accountable for asking and answering the question: are we actually managing our security risk effectively? A vCISO engagement typically starts with exactly that assessment and gives you an honest answer regardless of what it means for the ongoing engagement.

When You Probably Don't Need a vCISO

To be straightforward about it: if your business is very small, operationally simple, and hasn't reached a point where security strategy is a real consideration - a vCISO may not be the right investment right now.

For a 5-person professional services firm with no regulatory obligations and no complex infrastructure, the priority is the fundamentals: MFA, tested backups, EDR, basic security awareness training, a security assessment to understand where the gaps are. A cybersecurity assessment and managed IT support may address most of what's needed without the overhead of a dedicated strategic engagement.

The honest question is: do you need someone to execute better security, or do you need someone to lead a security function? If it's execution, managed services and point solutions may be sufficient. If it's leadership - if you need a security strategy, someone accountable at the leadership level, and the capability to navigate compliance and risk at scale - that's the vCISO function.

What a vCISO Engagement Looks Like

If you've never worked with a vCISO before, it's worth demystifying what the engagement looks like in practice.

Onboarding and assessment - A vCISO engagement typically starts with a thorough review of your current environment - not just the technical controls, but the organisational context. What does the business do? What data does it hold? What are the regulatory obligations? What controls are currently in place? Where are the most significant gaps? This assessment becomes the baseline for everything that follows.

Security roadmap development - Based on the assessment, the vCISO develops a prioritised roadmap - a practical plan for addressing gaps, building capabilities, and reaching compliance requirements on a defined timeline. This isn't a 200-page theoretical document. It's an actionable plan with owners, timelines, and defined outcomes.

Ongoing strategic oversight - Regular engagement - typically monthly or quarterly sessions - to review progress, address emerging risks, prepare board reporting, and ensure the roadmap is being executed. The vCISO is available for escalation between sessions when something needs immediate attention.

Specific project leadership - Compliance certifications, security assessments, incident response planning, tabletop exercises, vendor security reviews - a vCISO leads these initiatives rather than just advising on them.

Board and executive reporting - A significant part of the vCISO value for many businesses is the ability to present credibly to boards, partners, and clients on the state of security. This requires both the substantive knowledge and the communication skills to translate complex risk into decisions that non-technical leadership can act on.

Frequently Asked Questions About vCISO Services

What's the difference between a vCISO and a security consultant?

A security consultant typically delivers a defined piece of work - an assessment, a policy review, a penetration test - and then leaves. A vCISO has ongoing accountability for your security function. They own the strategy, track progress against it, and are accountable for outcomes over time. The difference is the difference between a project and a relationship.

Do I still need an IT provider or managed services if I have a vCISO?

Yes. A vCISO provides strategic leadership - they set direction and own risk at the executive level. Your managed services provider or IT team handles operational execution. The vCISO directs; the MSP delivers. If you're not sure whether you need an MSP at all, our post on whether you need a managed service provider covers that question in detail.

Can a vCISO help us get cyber insurance?

Yes - significantly. A vCISO helps build and document the security posture that underwriters require, ensures controls are genuinely in place rather than just claimed, and can support the application process with accurate, evidenced responses. Our post on the security baseline every NZ business needs before buying cyber insurance covers what insurers are looking for specifically.

How long does a vCISO engagement typically last?

Most engagements are ongoing - security strategy is not a one-time project, and the value of a vCISO compounds over time as they develop deeper understanding of your environment and business context. That said, some engagements are scoped to specific projects: a compliance certification, a post-incident recovery programme, a period bridging a leadership gap. The right scope depends on what you actually need.

What should I look for when choosing a vCISO?

Experience in your industry or with businesses of similar complexity. Real-world incident response experience - not just theoretical knowledge. The ability to communicate with both technical staff and non-technical leadership. A track record of compliance work relevant to your obligations. Transparency about scope and outcomes. And critically: a willingness to tell you what you don't need, not just what they can sell you.

Does a vCISO work alongside our existing IT team?

Yes - and this is one of the most valuable aspects of the model. Rather than competing with or replacing your IT team, a vCISO provides the strategic direction that most IT teams don't have the bandwidth or positioning to own. It typically frees IT staff to focus on what they're genuinely good at, while someone else owns the security strategy and risk framework.

How quickly can a vCISO engagement get started?

Significantly faster than hiring a full-time CISO, which typically takes three to six months of recruitment, notice periods, and onboarding. A vCISO engagement can typically start within weeks. This makes it particularly valuable for businesses dealing with urgent compliance requirements, post-incident recovery, or security due diligence that has a defined deadline.

Is Your Business Protected?

Book a free security consultation with NSP. We'll talk about where your business is, whether a vCISO is the right answer, and what that engagement would look like for your specific situation.

Or call us directly: 0508 010 101