Board-level security leadership. Without the board-level salary.
A 10–50 staff business rarely needs a full-time Chief Information Security Officer. It always needs someone accountable for the answer when the board asks about risk. A vCISO is that person, on demand.
- SEATED · your boardroom, not a call centre
- REPORTING · quarterly, board-ready
- GOVERNANCE · risk, roadmap, compliance
- AVAILABLE · dedicated or metered hours
A growing business can’t hire what it actually needs.
Security governance stops being optional the moment a business holds real client data, a cyber-insurance policy, or a board that asks questions. Almost none of them can justify a full-time CISO salary to answer those questions.
- A full-time CISO salary few businesses this size can justify.
- Security decisions made without anyone formally accountable for the risk.
- A board asking about cyber exposure with no one in the room who can answer.
- Privacy Act, APRA and AHPRA obligations tracked informally, if at all.
Governance as a discipline, not a document.
A vCISO engagement is judged on decisions made and risk reduced — not hours logged against a retainer.
- 01
We sit in your boardroom, not a ticket queue
Security governance is a leadership function. It gets a seat at the table, not a support ticket in a queue.
- 02
We translate risk into decisions a board can make
Technical findings become plain-English options with a cost and a consequence attached to each.
- 03
We own your compliance posture, continuously
Privacy Act, APRA CPS 234 and AHPRA obligations tracked and maintained, not scrambled together before an audit.
- 04
We report on a fixed cadence, not when asked
A board-ready briefing every quarter, whether or not anyone remembered to request one.
The briefing your board actually receives.
This is the shape of a quarterly vCISO review — not an abstract promise. Select a quarter to see what a board sees.
Foundation quarter: baseline and prioritise.
- Risk posture
- Baselined
- Critical gaps closed
- 4 of 9
- Compliance items
- In progress
- Board actions
- 3 raised
“The board's first real answer to ‘how exposed are we’ — with a prioritised list, not a guess.”
Governance, without the headcount.
Every line below is delivered by a senior security leader — dedicated inside Fortress, or engaged by the hour alongside Shield or Co-Managed IT.
Virtual CISO — Inclusions Ledger
- Board-ready quarterly risk and compliance reportingThe same reporting standard as the Fortress Quarterly Business Review — a briefing your board can actually use.
- Security roadmap ownership and prioritisationA single accountable voice deciding what gets fixed first, and why.
- Direct advisory access for security decisionsA senior security leader in the room (or on the call) when a decision actually needs to be made.
- Compliance posture managementPrivacy Act 1988, APRA CPS 234 and AHPRA obligations tracked continuously, where they apply to your business.
- Incident governanceThe accountable voice during a breach — coordinating response, not discovering the plan for the first time mid-incident.
- Dedicated or metered availabilityIncluded inside GMAN Fortress, or engaged by the hour alongside Shield or Co-Managed IT.
The board finally got a straight answer.
Thirty-five staff. No one accountable for security governance.
- The board had asked about cyber risk in three consecutive meetings with no consistent answer.
- APRA CPS 234 obligations were understood in outline, not tracked in any structured way.
- The firm's cyber-insurance renewal was at risk of new conditions the business couldn't yet evidence against.
A vCISO now owns the risk roadmap and delivers a board-ready briefing every quarter — the insurance renewed without new conditions.
The questions every board asks first.
No. A vCISO is a governance and leadership function — risk decisions, compliance ownership and board reporting — not day-to-day technical support, which sits under Managed IT or Co-Managed IT.
Not necessarily. A dedicated vCISO is included inside Fortress; businesses on Shield or Co-Managed IT can engage vCISO time on a metered, hourly basis instead.
Additional vCISO hours are billed at a published hourly rate, tracked transparently against whatever your board or a specific decision actually required that month.
Someone should be accountable before the board asks.
See exactly where your security governance stands today. The assessment fee is credited toward your first year.
