Insights · Virtual CISO

What a virtual CISO costs in Canada

No two vCISO quotes look alike. Here's how the pricing actually works, what moves it up or down, and how to compare providers fairly.

How vCISO pricing is structured

Ask three providers what a virtual CISO costs and you'll get three versions of “it depends.” The answer is honest, but on its own it doesn't help you budget. What does help is knowing exactly what the fee depends on, how the market structures it, and which questions expose a weak quote. That's what this article covers. What you won't find is a dollar figure, because an honest number only exists after scoping — any provider who hands you one before that conversation is guessing.

In Canada, most vCISO engagements are sold as a monthly retainer: an agreed level of effort each month, for a fixed fee set up front. The model fits the work. Security leadership isn't a project with an end date; insurer questionnaires, board reporting and Law 25 obligations keep arriving whether or not someone owns them. For a business owner, the appeal is predictability — you know what security leadership costs this quarter and the next. Some firms, ours included, also work as-needed for organizations that want senior advice on tap without a standing commitment, and a defined push, like getting through a specific audit, is sometimes priced as a fixed-scope project.

What you shouldn't expect is a public price list. The same title covers very different amounts of work, so a serious provider scopes your situation first and then commits to a number. Our own practice is to define the scope with you, then quote a fixed monthly fee, with no hourly meter running in the background.

What actually drives the fee

Four factors move the number more than anything else. The first is hours per month — how much leadership you're actually buying. An organization that needs a roadmap, quarterly reporting and someone to field insurer questionnaires takes fewer hours than one driving a full compliance program against a deadline.

The second is compliance scope. Cyber-insurance readiness is a lighter mandate than a complete Law 25, SOC 2 or ISO 27001 program, which brings policies, evidence, audit preparation and privacy-officer duties along with it. Third comes the size and complexity of your environment: the systems, locations and cloud services the vCISO has to understand and answer for. Fourth, deadlines. An audit or insurance renewal a few months out compresses the same work into less time, which means more hours early on.

When quotes land on your desk, translate each price back into those four factors before comparing anything. A low retainer that assumes very few hours isn't cheap; it's small. The question isn't which number is lower; it's which mandate actually covers your obligations.

The rhythm of a typical engagement

Most engagements are front-loaded. The opening months are heavier: understanding where you stand, setting the roadmap, putting basic governance in place — policies, an incident-response plan, ownership of the insurer relationship. This is where the vCISO earns the right to make decisions about your environment, and it's normal for it to demand more attention than anything that follows. Some providers price this onboarding phase separately; others average it into the retainer. Neither approach is wrong, but you should know which one you're signing.

After that, the work settles into a steady monthly cadence: reviewing priorities, keeping evidence current, handling client and insurer questionnaires as they arrive, reporting to leadership in plain business language. The rhythm should adjust as your program matures — hours can come down once the foundations hold — and your fee should be able to follow. Ask any provider how they handle that curve. A retainer that only ever grows tells you something about who it was designed to serve.

The comparison everyone makes: a full-time hire

The benchmark buyers keep in mind is a full-time CISO, and the comparison is worth making properly. Compensation for the role easily runs into six figures — a cost most SMBs can't justify, or fill, in a very tight talent market. Budgeting for the seat doesn't conjure the candidate.

A vCISO delivers the same leadership layer part-time: the strategy, the accountability, the person who answers for your posture to the board, the auditor and the insurer, at a fraction of the cost of the full-time seat. The honest caveat cuts the other way. If your organization is large, regulated or complex enough to keep a security executive busy five days a week, you've outgrown the fractional model and should hire. Most SMBs are nowhere near that line.

When a vCISO is overkill

Not everyone needs one, and it costs us nothing to say so. If your organization is small, your environment is simple, and nobody — no insurer, no client, no regulator — is demanding ongoing proof of governance, a standing retainer buys you more leadership than you have decisions to make.

In that situation, a one-time cybersecurity assessment is usually the better purchase: an honest picture of your posture and a prioritized, plain-language plan that your existing IT provider can execute. Redo the exercise annually, or after a major change like a cloud migration or a new core system, and you've covered the essentials without a monthly commitment.

The signals that you've crossed into vCISO territory are specific: an insurer setting conditions on your renewal, clients sending security questionnaires before they'll sign, Law 25 obligations landing on a desk with no owner, or a board asking questions nobody internal can answer. When those show up, the question stops being whether you need security leadership and becomes how many hours of it.

How to compare quotes apples-to-apples

Once proposals are in hand, the fee is the least informative line on the page. Two retainers at the same monthly price can describe completely different mandates. Put the same questions to every provider and compare the answers instead.

Who actually does the work: the senior person you met during the sales conversation, or a bench of analysts you haven't? How many hours does the retainer assume, and what happens when an audit or an incident spikes the workload? What sits inside the fee — board reporting, policy writing, insurer questionnaires — and what gets billed on top? Can they lead Law 25 and PIPEDA in the same program, and deliver in French if your board works in French? Is the fee fixed after scoping, or an hourly arrangement whose real cost only shows up later?

For the record, here are our answers: founder-led, so the architect who scopes the mandate is the one who does the work; scope defined first, then a fixed monthly fee with no surprises; bilingual delivery, with Quebec compliance treated as the baseline rather than an add-on. Whoever you end up choosing, make them work through the same list.

For the role itself and what it delivers, see our virtual CISO service. And if you're in the region, our vCISO in the Outaouais meets in person, on both sides of the river.

FAQ

Frequently asked questions

What does a vCISO do?

A virtual CISO owns your security program part-time: a prioritized roadmap tied to business risk, governance and compliance (Law 25, PIPEDA, SOC 2 or ISO 27001 readiness), insurer and client security questionnaires, reporting to leadership in business language, and acting as your point person during an audit or incident. What a vCISO doesn't do is run the day-to-day tools — firewalls, monitoring, patching stay with your IT provider or MSSP.

Is a virtual CISO billed as a retainer or by the hour?

Most engagements in the Canadian market are monthly retainers: a fixed fee for an agreed level of effort. As-needed arrangements exist for organizations that want senior advice without a standing commitment, and defined projects, like an audit push, are sometimes priced as fixed-scope work. Whatever the model, insist on a fee set after scoping rather than an open hourly meter.

Is a vCISO really cheaper than a full-time CISO?

For most SMBs, considerably. Full-time CISO compensation easily runs into six figures, in a talent market where the role is genuinely hard to fill. A vCISO delivers the same leadership layer part-time, at a fraction of that cost. The exception is real too: if your size, regulation or risk would keep a security executive busy full-time, hire one.

Can we start with an assessment instead of a retainer?

Yes, and for smaller organizations it's often the right first purchase. A one-time cybersecurity assessment gives you an honest picture of your posture and a prioritized plan your own IT provider can execute. If the findings reveal ongoing obligations — insurer conditions, client questionnaires, Law 25 — that's the point where a retainer starts paying for itself.

Why don't vCISO providers publish their prices?

Because the same title covers very different mandates. A retainer sized for insurance readiness at a small firm and one driving a full SOC 2 program across several sites are not the same product, and a public flat rate would misprice one of them. A serious provider scopes your hours, compliance obligations, environment and deadlines first, then commits to a fixed fee. That's how we work — and it's why a quote offered without a scoping conversation deserves your skepticism.

Continue reading

Want a number for your organization?

We scope it with you, then give you a clear fixed fee — no surprises, sized to your organization and your risk.