CISO as a Service


In some companies, next to the CISO you might have the CSO (Chief Security Officer) role. Typically, the mission of the CSO is to protect places, people and processes and manage relations with law enforcement. In some other companies, the CSO role includes the CSO role just described and the CISO role.

Both roles are critical. In many businesses the two security aspects are naturally intertwined, and a number of malicious actors will try to play on both sides. The use cases outlined below largely apply to both.

In CISO-as-a-Service, all or some of the typical CISO activities are executed (cybersecurity assessment, implementation of cybersecurity solutions...). This can typically happen in support of the board, the executive management, the Risk Officer, the CIO or the Information Security Officer.

Understand better what a CISO is all about

The chart below gives some examples of these services.

The Use Cases outlined below describe the type of engagements and a very indicative engagement duration. Your problem/use case may be different from the ones outlined. All the engagements need to be customized to fit the business case.


  1. Real-world expertise

    Our expertise is formed by decades of on-the-ground experience working with MNCs where we dealt with everything from hacktivists to espionage and cybercriminals. All while maintaining a keen business sense and managing different business units.

    1. Risk management operations

      1. Gap assessment

      2. 3rd party risk management

      3. Biz/IT project risk management

      4. Merger and acquisition

      5. Selling a business unit

    2. Risk management

      1. Risk Decision Making

      2. Risk Ownership

      3. Risk Register

      4. Risk Resource Allocation

      5. Risk Exceptions

      6. Residual Risk Tracking

  2. People-centric

    As cybersecurity consultants, we are decidedly collaborative and communicative. After all, a large part of our job is fostering cooperation and teamwork between management and security teams, and getting everyone to align on business improvement, risk orientation and actionable deliverables.

    1. Reporting

      1. Board Reporting

      2. Senior Leadership Reporting

      3. Operational Reporting

      4. Regulatory Reporting

      5. Top KPI, KRI

      6. Cascaded Metrics across Organisation

    2. Management Support

      1. Board Support & Advisory

      2. Senior Management Support & Advisory

      3. CIO Support & Advisory

      4. CISO Support & Advisory

      5. Public & Government Support & Advisory

      6. Investor Support & Advisory

      7. Incident Simulation & Desktop Exercises

    3. Planning

      1. Mid range Planning

      2. Budget Planning

      3. Cybersecurity Program

      4. Strategy

      5. Security Architecture

      6. Cost Management & Optimisation

  3. Proactive strategies

    Managing information security in a corporate environment is complex. On one hand, there is a need for structural improvements. On the other hand, it requires real-time tactical management against offensive forces such as direct attacks and phishing attempts. Dealing with the day-to-day is necessary, but focusing solely on it results in a never-ending list of changing tasks that do not contribute to long-term success. We keep both immediate needs and big-picture goals in mind, and direct your organisation to a sustainable defensive position.

    1. Policy

      1. Policies & Standards

      2. Regulatory Requirements

      3. Certifications

      4. Exception Handling

      5. Compliance Check

    2. Delivery Management

      1. Task & Project Management

      2. Security Organisation

      3. JIRA-ServiceNow Process

      4. KPI Metrics

      5. OKR

      6. Agile


CISO-as-a-Service - Use cases

Bridging & Recruiting CISO Leadership

Engagement: 3 - 6 months

The last CISO left, or reorganizations have reassigned roles and staff, and a temporary no-CISO situation is a hard fact. In a market where demand is far higher than the offer, recruiting the right CISO is hard. A seasoned CISO (part of CISO as service) can be hi...


Customer facing engagements

Engagement: 1-2 days per week

Cybersecurity is not only a concern of individual companies, but an industry issue. The extent may depend on the industry sector and size of the companies engaged. You may be facing suppliers, regulators or most important customers who demand cybersecurity assurances....


Cybersecurity Program Launch

Engagement: 3 - 6 months - full time or some days per month/week

The launch of a program is hard, sometimes with no organization, no structures, no processes. A seasoned CISO as Service who has done it before will be able to act as a cybersecurity program project manager and put together an actionab...


Cybersecurity Program Optimization

Engagement: 1 month

You have an existing program, but your environment has changed, the management has changed, the company goals have changed, and more scrutiny is applied to all programs. A seasoned CISO as a Service will be able to quickly identify areas needing alignment and propose a way forward. C...


Increasing CISO Capacity

Engagement: 2 days a week for 3-6 months

The current CISO is very busy dealing with day-to-day issues - meetings, projects, Log4J etc.

The board and/or the executive management wants to see a strategy, KPIs and metrics etc. All these cannot in good faith and quality be produced on the fly and nee...


Maturity via Outsourced CISO

Engagement: 20 - 40 hours per month

You are a smaller company, possibly a start-up, and do not require or cannot afford a full-time CISO. The sustainability of your business, your customers, the protection of intellectual property or customer data requires attention. The CISO as a Service allows build...



You can't fix problems you're unaware of. Get in touch with our consultants and let us help you navigate the situation.