vCISO Insights — GRC RADAR
Published: 30 May 2026 · 18 min read · Category: vCISO Insights
If you run a 100-500 person company in India and have ever thought “we probably need a security leader but we cannot afford one,” this guide is for you.
A virtual CISO — vCISO for short — is a senior cybersecurity executive who works with your company on a part-time, retainer, or fractional basis instead of as a full-time hire. For the typical Indian SME, that means access to fifteen to twenty years of CISO-grade judgment at roughly thirty to fifty per cent of what a full-time hire would cost.
This playbook is written for the buyer, not the practitioner. It covers what a vCISO actually does for your business, the signals that tell you it is time to engage one, what Indian regulation expects of cyber leadership, the engagement models you will be offered, what reasonable pricing looks like in INR, how to scope your first month, and the red flags to watch for in a contract. By the end you should be able to walk into a vCISO conversation, ask the right four questions, and know whether the answer is a fit.
Skip the jargon if you can. Most of the value of cyber leadership is decision-quality, not vocabulary.
What a vCISO Is — and What a vCISO Is Not
A vCISO is an experienced security executive who steps into your organisation as the accountable owner of your cybersecurity programme, on a part-time basis. They are not an analyst, not a help-desk, and not a tool. Their job is to make decisions about risk, build a roadmap, hold the room accountable to it, and report progress to your board or founders in language they can act on.
What a vCISO is not is just as important.
- A vCISO is not a managed security service provider (MSSP). An MSSP runs your SOC, monitors your firewall, and pages you when something is on fire. A vCISO decides whether you need an MSSP in the first place, picks one, holds them accountable, and translates their alerts into business decisions. Many Indian SMEs end up with both — the MSSP for operations, the vCISO for direction.
- A vCISO is not an auditor. A vCISO designs your control environment and prepares you to be audited; they do not certify themselves. ISO 27001 and SOC 2 audits must be done by an independent third party.
- A vCISO is not a compliance officer. Compliance is downstream of security. A vCISO will keep you compliant with CERT-In, the DPDP Act, SEBI CSCRF, and RBI IT governance as a consequence of running a sensible programme, but the job is broader than ticking circulars.
- A vCISO is not legal counsel. They will tell you what a regulation operationally requires of you, but a lawyer should review the contracts and the privacy notices.
The simplest mental model: a CISO is what an enterprise hires when it has fifty crore of revenue at stake and a hundred-plus employees. A vCISO is the same role, time-shared across companies that cannot — or should not — carry the full cost yet.
Six Signals That You Need Cyber Leadership Now
Most Indian SMEs do not have a CISO and do not need one. The right question is not “should we have one?” but “do any of these six signals describe us today?” If two or more apply, it is time to scope a vCISO.
Signal 1: An enterprise customer or regulator is asking the security question. The deal is contingent on you completing a vendor security questionnaire, signing a Data Processing Agreement, or producing an information-security policy. Whoever is filling those forms today is not the right person — they are guessing. A vCISO answers the questions correctly and uses the engagement to close gaps in real time.
Signal 2: You took a hit. Phishing succeeded, a vendor got breached, a ransomware note appeared, an employee’s laptop disappeared with customer data on it. Even if you cleaned it up, the right question is what stops the next one. The first ninety days after an incident is when the board will fund what was hand-waved away the previous year.
Signal 3: You crossed a regulatory line. Your business model now puts you in scope of CERT-In’s reporting duties, the SEBI CSCRF if you serve a regulated entity, the RBI Master Direction if you are or service a bank or NBFC, or the DPDP Act’s Significant Data Fiduciary criteria. A vCISO with India-specific experience will walk you through what each regulator actually expects.
Signal 4: You are raising capital or being acquired. Investors and acquirers now run security due diligence on every deal above modest size. A messy security posture knocks valuations down or breaks deals. A vCISO engaged sixty to ninety days before a process can repair the visible problems and produce the documentation that diligence asks for.
Signal 5: Your team is shipping fast and nobody owns risk. Engineering is adding features, marketing is integrating new tools, finance is moving to a new ERP, HR is rolling out an HRMS. Each launch quietly expands your attack surface and nobody is asking the question. A vCISO inserts that question into your change process.
Signal 6: Your IT lead has been wearing the security hat by default. Your IT manager is intelligent and capable, but the job of running infrastructure is different from the job of governing risk. The conflict of interest alone — the same person who builds the system also being responsible for telling the board the system is risky — is why both SEBI’s CSCRF and the RBI Master Direction now explicitly require the CISO to be independent of the Head of IT.
What Indian Regulation Expects of Cyber Leadership
A common mistake Indian SMEs make is to treat “do we need a CISO?” as a budget question. For an increasing number of regulated entities, the answer is set by regulation, not budget.
SEBI Cybersecurity and Cyber Resilience Framework (CSCRF). SEBI’s CSCRF, issued in August 2024 with clarifications in 2025, requires every regulated entity — stock brokers, depository participants, asset managers, intermediaries, market-infrastructure institutions — to designate a CISO. For Market Infrastructure Institutions and Qualified REs the framework requires the CISO to be at least at the seniority of the CTO or CIO and to report to the Managing Director or CEO. Smaller regulated entities have lighter obligations but still must designate an accountable person.
RBI Master Direction on IT Governance. Effective 1 April 2024, the RBI Master Direction applies to all banks, Small Finance Banks, Payments Banks, and NBFCs in the Top, Upper, and Middle Layers. It requires the CISO to be a senior-level executive who does not report into the Head of IT, does not carry business or revenue targets, and reports directly to the Executive Director or equivalent who oversees the risk-management function. The CISO is also a permanent invitee to the IT Steering Committee. The independence requirement is the point: you cannot have your CTO mark their own cyber homework.
Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025. The DPDP Act requires only Significant Data Fiduciaries — entities the central government notifies based on volume and sensitivity of personal data processed — to appoint a Data Protection Officer based in India who reports to the board. The Act explicitly allows the central government to relax certain obligations for startups and MSMEs, and the relevant provisions are expected to be notified by mid-2027. In the meantime, any organisation processing personal data still owes basic obligations on consent, security, breach notification, and grievance redressal — a vCISO doubling as your interim DPO is a common arrangement.
CERT-In Directions. CERT-In’s 2022 Directions require every body corporate that experiences a reportable cyber incident to notify CERT-In within six hours. There is no CERT-In-mandated CISO role, but the named “responsible person” for the notification is in practice your cyber leader. CERT-In also empanels information-security auditing organisations and supports cyber-skilling through the ISEA (Information Security Education and Awareness) initiative.
Information Technology Act, 2000 and Rules. Section 43A and the Reasonable Security Practices and Procedures (Sensitive Personal Data or Information) Rules, 2011, expect “reasonable security practices” of every body corporate that handles sensitive personal data. ISO 27001 is named as one accepted standard for what “reasonable” means.
The practical takeaway: if you are in SEBI’s perimeter, the RBI’s perimeter, or likely to be notified as a Significant Data Fiduciary, you are not choosing whether to have a CISO — you are choosing between a full-time hire and a vCISO that satisfies the regulator.
The Four Engagement Models You Will Be Offered
Most vCISO providers in India work with one of four shapes. Understanding which one fits your situation prevents you from buying the wrong thing.
Fixed-fee monthly retainer. A flat monthly fee buys you a defined number of hours per month — typically eight to twenty-four — and a defined deliverable cadence (monthly steering, quarterly board report, ad-hoc on incidents). This is the most common SME engagement and the one that delivers most consistently if you have a real programme to run.
Hourly or block-of-hours. You pre-purchase fifty or a hundred hours and draw against them. This works for early-stage companies that are not yet sure how much they will need, or for surge work like getting through an ISO 27001 audit. The risk is that without a retainer rhythm, the engagement drifts.
Fractional CISO. Slightly heavier than a vCISO retainer — typically twenty to forty hours a month — and almost always involves named decision authority on the org chart. A fractional CISO will sign policy documents, sit on the change-advisory board, and represent you to regulators. Pricing is correspondingly higher.
Project-based / outcome-based. A fixed scope: take us through SEBI CSCRF compliance in six months; build an ISO 27001-ready ISMS; respond to an incident and produce the post-incident report. Useful when you know exactly what you are buying. Risky when you do not — most “projects” benefit from a few months of retainer that follows them.
A common pattern for growing Indian SMEs is to start with a three-month retainer to take stock, transition to a project-based engagement (most often around ISO 27001 readiness or SEBI/RBI compliance), and then settle back into a long-term retainer once the heavy lifting is done.
What a vCISO Delivers, Month by Month
Pricing without deliverables is a number without a unit. Here is what a well-run six-month vCISO engagement for an Indian SME actually produces.
Month 1 — Discovery. A current-state risk assessment, an asset inventory (data, systems, third parties), a regulatory applicability memo (which of CERT-In, DPDP, SEBI, RBI, ISO 27001 apply to you), a gap analysis against the relevant framework, and an initial twelve-month roadmap with cost estimates. You walk out of month one with a written answer to “where do we stand?”
Month 2 — Foundations. A core policy set — Information Security Policy, Access Control Policy, Acceptable Use Policy, Vendor Risk Policy, Incident Response Policy, Data Retention Policy. Identity foundations: MFA on every critical system, role-based access for the top five applications, an offboarding checklist. The first vendor risk pass over your top ten suppliers. A first draft of your incident response runbook.
Month 3 — Operations. Logging and monitoring in place for the critical systems, with someone (you, the MSSP, or the vCISO’s analyst layer) named as the watcher. Endpoint protection rolled out and verified. A first tabletop exercise — a simulated phishing-to-ransomware scenario walked through end to end with your leadership in the room.
Month 4 — Compliance. Whichever framework you are anchored to — ISO 27001, SEBI CSCRF, RBI Master Direction, DPDP — gets a formal gap-to-target plan, a Statement of Applicability where relevant, and external audit prep if certification is in scope. Privacy notice and consent flows reviewed against the DPDP Act.
Month 5 — Awareness. Mandatory cyber-hygiene training for every employee, a phishing simulation run against the company, and remediation training for whoever clicked. A board-level cyber risk briefing prepared and delivered.
Month 6 — Sustainment. A monthly cyber risk metrics pack — patch status, incidents, training compliance, vendor risk, audit findings. A handover plan describing what an in-house owner would inherit if the vCISO engagement ended. A renewed twelve-month roadmap that builds on what was done.
If a provider cannot describe what they will deliver in each of these months, they are not running a programme — they are billing hours.
What Reasonable Pricing Looks Like in INR
Global benchmarks place vCISO retainers in the $3,000 to $7,000 per month range for emerging markets including India (ValueMentor’s 2025 global pricing analysis). At prevailing exchange rates that works out to roughly ₹2.5 to ₹6.5 lakh per month, and India-based providers land within that band depending on the seniority of the named operator, the hours included, and whether incident-response standby is built in. Fractional CISO engagements with executive-level authority sit higher, typically ₹6 to ₹12 lakh per month. Block-of-hours engagements at the level you would expect from a competent practitioner are ₹15,000 to ₹35,000 per hour.
For context, a full-time senior CISO in India costs ₹40 lakh to ₹1 crore per year all-in, not counting recruitment cost and the time it takes to find one (six to twelve months is normal). A well-scoped vCISO engagement delivers seventy to eighty per cent of the strategic value at thirty to fifty per cent of the all-in cost — which is the entire reason this category exists.
Three pricing red flags to watch for. First, suspiciously low retainers (below ₹1.5 lakh a month) — at that price point either the seniority is junior or the hours are token; the value of a vCISO is the experience in the room, and that has a floor. Second, no incident-response provision — a vCISO retainer without an emergency-hours clause leaves you negotiating rates during a crisis. Third, “all-you-can-eat” engagements with no defined hours — these almost always result in disengagement after month two.
How to Scope Your First Engagement
You do not need a perfect brief to start. You need three things written down before you sign anything.
One — the trigger. Why are you doing this now? “We have a SEBI CSCRF audit in six months.” “We lost a deal because of the security questionnaire.” “We just had an incident.” If you cannot finish the sentence, you are not ready to hire; you are ready to take a vCISO discovery call.
Two — the in-scope perimeter. Which entities, which systems, which countries. Indian SMEs often have a parent and one or two subsidiaries, mixed cloud and on-premise systems, and one or two SaaS estates that nobody fully owns. The vCISO needs to know what they are responsible for and, just as importantly, what they are not.
Three — the decision-rights agreement. Who in your company can sign a policy, approve a vendor exception, or call an incident? The vCISO will advise, but you remain the accountable owner of your business. The first month of a poorly scoped engagement is usually wasted on this question.
A standard pre-engagement request asks the provider for seven things: a one-page proposal naming the operator, hours per month, deliverable cadence, escalation contact, pricing including the incident-response premium, contract term and exit clause, and two references from comparable Indian SMEs. If they cannot produce all seven within a week, they are not the right partner.
Six Contract Red Flags
The contract is where well-intended engagements go wrong. Watch for these six.
First, no named operator. The provider’s website lists impressive CVs but the contract names “the firm.” You will get whoever is on the bench. Insist the contract names the individual delivering the work.
Second, automatic indefinite renewal. Twelve-month auto-renew with a thirty-day exit notice is fine; auto-renew with a ninety-day notice and a substantial cancellation fee is not.
Third, broad confidentiality without symmetric obligations. Mutual NDAs are standard. One-sided clauses that bind only you, not the provider’s analysts and contractors, are a warning.
Fourth, liability caps below one month of fees. A provider citing an “industry standard” liability cap of “fees paid” is acceptable if that means the fees paid over the previous twelve months. A cap of “the last invoice” is not.
Fifth, no IP assignment for deliverables. Policies, runbooks, and assessments produced for you should be your property. If the contract says the provider retains rights to their “methodology” and you cannot use the deliverables without them, walk away.
Sixth, incident-response carve-out. Some providers exclude incident response from the retainer entirely and bill it at premium hourly rates with a forty-eight-hour response SLA. For an Indian SME with a real risk profile, this is not acceptable. Ask for a defined incident-response provision — even fifteen hours of standby per quarter with a four-hour response SLA changes the calculus.
ROI Markers — How to Know It Is Working
Cybersecurity is famously hard to measure because nothing happening is a good month. A few markers tell you the engagement is delivering.
- You are now able to answer an enterprise security questionnaire from a client in under a working day, instead of two weeks of internal scrambling.
- Your last incident — a missed patch, a phishing click, a vendor breach — was contained without business interruption and produced a written post-mortem that changed something.
- Your insurance renewal asked sharper questions this year and your premium did not rise.
- Your board cyber update is no longer one slide of green ticks but a real conversation about three or four prioritised risks.
- New employees are completing their cyber training during onboarding without being chased.
- Your top ten vendors have signed Data Processing Agreements that you can produce in five minutes.
Conversely: if six months in you cannot point to any of these, the engagement is not landing. Re-scope or change providers — do not double down.
vCISO vs. Full-Time CISO vs. MSSP-Only vs. DIY
A four-line summary of when each shape fits the typical Indian SME.
A full-time CISO is the right answer when you cross ₹100 crore of revenue, employ five hundred or more, or run a regulated business with sustained cyber risk on the balance sheet. The seniority and time commitment outweigh the cost.
A vCISO or fractional CISO is the right answer for ten-to-five-hundred-person Indian SMEs, regulated and unregulated, that need senior decision-making on cyber but cannot — or should not — carry a full-time hire yet. This is the most common Indian SME case.
An MSSP-only model — operational monitoring without strategic leadership — is appropriate only for very small businesses with low data sensitivity and no regulated buyer asking the security question. As soon as the security questionnaire arrives, the MSSP cannot answer it.
A do-it-yourself approach, where the IT lead or the founder owns cyber on top of a day job, is the default at most Indian SMEs today — and it is why so many run security off the side of someone’s desk, with no formal policy and nobody accountable when a breach lands. It is the cheapest option and the most expensive outcome.
Key Takeaways
A vCISO is senior cybersecurity leadership on a part-time basis, designed for organisations that need the role but cannot or should not carry a full-time hire. The Indian SME case for it is strong: the regulatory load (CERT-In, DPDP, SEBI CSCRF, RBI IT, ISO 27001) is rising, the threat environment is real, and the talent shortage means a full-time hire is slow and expensive.
Engage one when at least two of the six signals apply to you — an enterprise customer or regulator is asking, you took an incident, you crossed a regulatory line, you are raising or selling, your team is shipping faster than risk is being governed, or your IT lead has been doing the job by accident.
Budget ₹2.5 to ₹6.5 lakh per month for a competent retainer, expect a defined operator named in the contract, expect a deliverable cadence you can describe back to your board, and expect to see programme value by month three. If you are not seeing it, change providers — do not change the model.
Next step: If you are weighing this decision now, download the vCISO Engagement Scoping Checklist to walk through the six signals, the four engagement models, and a sample first-month deliverable list — and bring it to your first conversation. Subscribe to the GRC RADAR newsletter for monthly briefings on Indian GRC and cyber regulation written for people running the function, not selling into it.
Last updated: 30 May 2026 (pre-publish verification pass). Regulatory references current as of this date — verify each against the regulator’s own publication before relying on them for a specific decision.