Skip to content
Virtual CISO

Board-level security leadership. Without the board-level salary.

A 10–50 staff business rarely needs a full-time Chief Information Security Officer. It always needs someone accountable for the answer when the board asks about risk. A vCISO is that person, on demand.

SEATED · your boardroom, not a call centre
REPORTING · quarterly, board-ready
GOVERNANCE · risk, roadmap, compliance
AVAILABLE · dedicated or metered hours
The governance gap

A growing business can’t hire what it actually needs.

Security governance stops being optional the moment a business holds real client data, a cyber-insurance policy, or a board that asks questions. Almost none of them can justify a full-time CISO salary to answer those questions.

  • A full-time CISO salary few businesses this size can justify.
  • Security decisions made without anyone formally accountable for the risk.
  • A board asking about cyber exposure with no one in the room who can answer.
  • Privacy Act, APRA and AHPRA obligations tracked informally, if at all.
67%of AU SMB owners rate cyber a top-3 concern — few have anyone accountable for it in the room
How GMAN runs it

Governance as a discipline, not a document.

A vCISO engagement is judged on decisions made and risk reduced — not hours logged against a retainer.

  1. 01

    We sit in your boardroom, not a ticket queue

    Security governance is a leadership function. It gets a seat at the table, not a support ticket in a queue.

  2. 02

    We translate risk into decisions a board can make

    Technical findings become plain-English options with a cost and a consequence attached to each.

  3. 03

    We own your compliance posture, continuously

    Privacy Act, APRA CPS 234 and AHPRA obligations tracked and maintained, not scrambled together before an audit.

  4. 04

    We report on a fixed cadence, not when asked

    A board-ready briefing every quarter, whether or not anyone remembered to request one.

Board-ready, by design

The briefing your board actually receives.

This is the shape of a quarterly vCISO review — not an abstract promise. Select a quarter to see what a board sees.

Quarterly Board Briefing

Foundation quarter: baseline and prioritise.

Risk posture
Baselined
Critical gaps closed
4 of 9
Compliance items
In progress
Board actions
3 raised

“The board's first real answer to ‘how exposed are we’ — with a prioritised list, not a guess.”

What a vCISO delivers

Governance, without the headcount.

Every line below is delivered by a senior security leader — dedicated inside Fortress, or engaged by the hour alongside Shield or Co-Managed IT.

CPS 234 awareBoard-readyMetered by the hour

Virtual CISO — Inclusions Ledger

  1. Board-ready quarterly risk and compliance reportingThe same reporting standard as the Fortress Quarterly Business Review — a briefing your board can actually use.
  2. Security roadmap ownership and prioritisationA single accountable voice deciding what gets fixed first, and why.
  3. Direct advisory access for security decisionsA senior security leader in the room (or on the call) when a decision actually needs to be made.
  4. Compliance posture managementPrivacy Act 1988, APRA CPS 234 and AHPRA obligations tracked continuously, where they apply to your business.
  5. Incident governanceThe accountable voice during a breach — coordinating response, not discovering the plan for the first time mid-incident.
  6. Dedicated or metered availabilityIncluded inside GMAN Fortress, or engaged by the hour alongside Shield or Co-Managed IT.
Operational excellence

The board finally got a straight answer.

Case file · Regulated Financial Services Firm · 35 staff · redacted

Thirty-five staff. No one accountable for security governance.

  • The board had asked about cyber risk in three consecutive meetings with no consistent answer.
  • APRA CPS 234 obligations were understood in outline, not tracked in any structured way.
  • The firm's cyber-insurance renewal was at risk of new conditions the business couldn't yet evidence against.

A vCISO now owns the risk roadmap and delivers a board-ready briefing every quarter — the insurance renewed without new conditions.

Read the full file

The complete teardown — every gap found and closed — sent to your inbox. No call required.

One email, the file, nothing else. We don't sell lists — discretion is the work.

Before you ask

The questions every board asks first.

Someone should be accountable before the board asks.

See exactly where your security governance stands today. The assessment fee is credited toward your first year.