Most Indian companies with 50–500 employees face the same dilemma: they need senior security leadership, but a full-time CISO costs ₹50–80 lakhs per year before benefits and ESOPs, and takes 3–6 months to hire. A Virtual CISO (vCISO) solves this problem by providing the same expertise on a flexible retainer.
This guide explains what a vCISO actually does, how much it costs in India, when it makes sense, and what to look for when hiring one.
A Virtual CISO (also written vCISO, fractional CISO, or part-time CISO) is an experienced cybersecurity executive who works with your organisation on a part-time or retainer basis rather than as a full-time employee.
The “virtual” part refers to the engagement model — not the person’s location or availability. A good vCISO is as accessible, invested, and strategically involved as a full-time CISO, just working with your organisation for a defined number of days per month.
A vCISO’s responsibilities mirror those of a full-time CISO. The specific scope depends on your organisation’s needs, but typically includes:
| Factor | Full-Time CISO | Crewtec vCISO |
|---|---|---|
| Annual cost | ₹50–80L (+ benefits + equity) | ₹18–48L (retainer only) |
| Hiring cycle | 3–6 months | Start in 5 business days |
| Notice period risk | 3 months' notice | Pause or cancel with 30 days' notice |
| Domain expertise | One generalist CISO | Team of specialists |
| Availability | Full-time, one organisation | Part-time, dedicated days |
| Scale up/down | Costly and slow | Flexible retainer adjustment |
For most Indian companies with under 500 employees, a vCISO delivers better ROI than a full-time CISO — you get senior expertise from a team (not just one person’s knowledge) at a fraction of the cost.
Many companies hire a vCISO specifically to lead the ISO 27001 certification programme. The vCISO owns the ISMS, coordinates the gap assessment, manages policy development, oversees implementation, and supports the certification audit. Post-certification, they maintain the ISMS on a lighter-touch retainer.
Investors in growth-stage companies — especially those in BFSI-adjacent or B2B SaaS — increasingly include security due diligence in their investment process. A vCISO helps you get security documentation, policies, and posture to a level that satisfies investor requirements without the cost and time of a full-time hire.
If enterprise clients are sending you security questionnaires, asking for ISO 27001 certificates, or including security requirements in contracts — a vCISO can systematically address these instead of your CTO spending 2 days per month on security forms.
After a breach, ransomware attack, or data leak, organisations need experienced security leadership to assess the damage, communicate with affected parties and regulators, remediate the vulnerability, and build controls to prevent recurrence. A vCISO provides that leadership without the cost of a permanent hire.
NBFC and fintech companies preparing for RBI IT audits, or healthcare organisations preparing for DISHA / DPDPA compliance reviews, often engage a vCISO to prepare documentation, train staff, and interface with regulators.
A vCISO is not always the right answer. You should consider a full-time CISO when:
Most vCISO engagements are structured around a fixed number of days per month:
Light engagement (2–4 days/month): Suitable for organisations that have a basic security posture and primarily need compliance oversight, board reporting, and policy maintenance. Typical for companies post-ISO-27001 certification that need ongoing ISMS management.
Medium engagement (4–8 days/month): Most common. Covers strategy, risk management, compliance, and some operational oversight. Includes regular one-to-ones with the CTO/CEO, quarterly board presentations, and hands-on work during key milestones (audits, incidents, product launches).
Intensive engagement (8–15 days/month): Effectively a part-time CISO. Suits companies building a security programme from scratch, going through ISO 27001 for the first time, or managing an active incident.
Crewtec’s vCISO service is structured as a monthly retainer with a minimum 3-month commitment. Within that retainer:
Onboarding (weeks 1–2): Baseline security assessment, stakeholder interviews, review of existing policies and controls. Deliverable: current-state security posture report with prioritised recommendations.
Running engagement: Monthly cadence of activities agreed at onboarding — typically board/management reporting, risk register updates, vendor security reviews, compliance monitoring, and team calls.
Milestone support: Additional effort for specific milestones — ISO 27001 gap assessments, penetration test scoping, incident response, regulatory submissions.
Quarterly reviews: Progress against security roadmap, risk register updates, metric review, and planning for the next quarter.
When selecting a vCISO (whether an individual or firm), look for:
Credentials:
Track record:
Team vs. individual:
India-specific knowledge:
Crewtec’s vCISO retainers start at ₹1.5 lakhs per month (approximately 2 days/month). Typical retainers are ₹2–4 lakhs per month for medium engagement.
For comparison:
The best way to evaluate whether a vCISO is right for you is a free consultation. Crewtec offers a no-obligation 30-minute call with one of our senior consultants — we will ask about your current security posture, compliance requirements, and business goals, and give you an honest recommendation.
If a vCISO is not the right fit right now, we will tell you that too.
Crewtec is a Bangalore-based cybersecurity consultancy offering vCISO services to Indian enterprises. Our senior consultants are ISO 27001 Lead Auditors with 25+ years of India-specific security experience.