vCISO and Cybersecurity for SMBs

Offering subscription-based, cost-effective cybersecurity and regulatory compliance solutions to enhance digital security by addressing unique needs.
Coaching and Mental Health Support

Empowering Security Professionals

Coaching and mental health referrals through PsyberThrive™.

Small and Medium-Sized Businesses

We provide expert defense against evolving cyber threats, partnering to identify vulnerabilities and implement safeguards to ensure peace of mind.

Board Cyber Advisory

We provide boards and steering committees with guidance on cybersecurity risk management, assisting in identifying and safeguarding critical assets and integrating industry-standard techniques into their enterprise risk approach.

Security Awareness

Implementing an enterprise-wide cybersecurity awareness program equips employees with knowledge and vigilance against potential threats, reducing human error and bolstering the organization's overall security posture.


PsyberThrive™ is a free service that connects cybersecurity professionals to coaching and mental health practitioners, addressing the stress and burnout inherent in their demanding environment and bolstering their mental resilience.

Phish Testing

Phish testing simulates real-world phishing attacks to measure user susceptibility, enabling organizations to evaluate the effectiveness of their security training and reduce the risk of successful attacks and data breaches.


Virtual Chief Information Security Officer (vCISO) services offer part-time, as-needed, or project-based senior-level security leadership to organizations, encompassing risk management, strategy, and regulatory compliance.
Compliance Prep

Compliance Needs? We can Help!

Navigating the maze of privacy and security regulations can be overwhelming, but it doesn't have to be. CISO Sidekick is here to guide you through the process.
U.S. Department of Defense

Cybersecurity Maturity Model Certification

CMMC is a cybersecurity framework being developed for the U.S. Department of Defense (DoD) supply chain, referred to as the Defense Industrial Base (DIB). Depending on the type of controlled unclassified information (CUI) present in a company's computing systems, varying levels of maturity are required, and each level measures the implementation of cybersecurity controls and processes in the company. It is intended to enhance the protection of sensitive information and intellectual property from cyber threats.
State of California

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a privacy law that gives Californians more control over their personal information collected by businesses. CCPA requires businesses to disclose what personal information they collect and how it will be used and gives consumers the right to request that their personal information be deleted. In terms of cybersecurity, CCPA incentivizes businesses to implement robust data security measures to protect the personal information of their customers from cyber threats. If a business experiences a data breach, CCPA requires them to notify affected individuals and the authorities and could subject them to legal penalties.

Cybersecurity Assessment Tool (CAT)

The FFIEC CAT is a framework designed to help financial institutions identify and assess their cybersecurity risk and preparedness. It provides a repeatable and measurable process that allows financial institutions to evaluate their cybersecurity posture and determine the level of risk they face and identify areas that need improvement. The FFIEC CAT is used by regulators in the United States to evaluate the cybersecurity of financial institutions and ensure they are adequately protecting their customers' information.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation in the European Union that sets guidelines for the collection, use, and protection of personal data of EU citizens. The GDPR requires businesses to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction, and to promptly report any data breaches to authorities and affected individuals. GDPR also empowers individuals to control their personal data and request that it be deleted or corrected if necessary. In terms of cybersecurity, GDPR incentivizes businesses to adopt strong cybersecurity measures to safeguard personal data and avoid penalties for non-compliance.

Cybersecurity Regulation, 23 NYCRR Part 500

23 NYCRR 500 is a cybersecurity regulation of the New York State Department of Financial Services (NYDFS) that requires financial services companies to implement and maintain a cybersecurity program designed to protect consumers' private data and financial information. NYDFS 500 mandates numerous requirements, aiming to establish a baseline of cybersecurity requirements and promote the protection of sensitive financial data.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by major payment card companies to protect against payment card fraud. PCI DSS applies to any organization that accepts, processes, stores, or transmits payment card information. The standard provides a framework for implementing security controls to protect against unauthorized access to sensitive payment card data.

System and Organization Controls 2

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It provides a set of guidelines for evaluating the effectiveness of a service organization's internal controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports provide assurance to customers and stakeholders that the service organization has adequate controls and safeguards in place to protect their data and systems. SOC 2 reports are commonly used by cloud computing providers, data centers, and other service organizations to demonstrate their commitment to security and compliance.
United States - US Congress

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) was created by the US Congress and signed into law in response to a series of high-profile financial scandals, such as the Enron scandal, to restore public trust in the financial markets and improve corporate accountability. SOX established new standards for corporate governance, financial reporting, and internal controls to prevent fraud and financial malpractice. It includes provisions that indirectly impact cybersecurity as it requires companies to establish and maintain security controls over IT systems that support financial reporting.

The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a federal regulation that governs the protection of consumers' private data and financial information in the financial services industry. GLBA imposes various requirements on financial institutions, aiming to establish a baseline of cybersecurity standards and promote the protection of sensitive financial data. Among its provisions, the GLBA Safeguards Rule specifically mandates the implementation and maintenance of comprehensive information security programs to ensure the ongoing protection of consumer information. Financial institutions must regularly assess and update their security measures to adapt to changes and maintain compliance.


Subscription Plans

Compliance Focus

From $3,000 /mo
Ideal for smaller organizations or those focused primarily on meeting specific compliance obligations.
  • Planned & Tracked
  • Requirements Driven
  • Audit Ready

Enterprise Security

From $5,000 /mo
Best for small and medium-sized organizations that require a more comprehensive approach to cybersecurity.
  • Security Risk Based
  • Enterprise Standardization
  • Coordinated Security Practices

Metrics-Driven

From $9,000 /mo
Recommended for organizations that require advanced measures & metrics-driven practices.
  • Quantitative Understanding
  • Detailed Metrics
  • Performance Forecasting

Subscription Benefits

Predictable Costs

With our vCISO pricing, you know how much you'll be billed each month, making budgeting and expense management a breeze.

Focus on Results

Concentrate on achieving desired outcomes rather than counting hours worked, promoting a results-driven approach to your projects.

Simplified Billing

Enjoy the convenience of a single, recurring charge instead of multiple invoices for individual services or hours worked.

Consistent Service

With a monthly subscription, clients have access to ongoing support and services, which can lead to more consistent and reliable results over time.

Frequently Asked Questions about vCISO Pricing

What services are included in each subscription tier?

Compliance Focused: This tier is suitable for clients who need to meet specific compliance obligations and have some documentation and tracking of their security and privacy controls. The services we provide in this tier include:

    • Conducting a gap analysis to identify the compliance requirements and the current state of the controls
    • Developing and documenting policies and procedures for the required controls
    • Assigning and training roles and responsibilities for implementing and maintaining the controls
    • Defining and reporting metrics for monitoring and measuring the effectiveness of the controls
    • Providing guidance and support on complying with relevant laws, regulations, standards, and best practices

Enterprise Security: This tier suits clients who want to standardize and optimize their security and privacy controls across the enterprise and integrate them into their business processes, systems, and projects. The services we provide in this tier include:

    • Conducting a maturity assessment to evaluate the current level of standardization and optimization of the controls
    • Developing and implementing a roadmap for achieving enterprise-wide standardization and optimization of the controls
    • Integrating and aligning the controls with the strategic objectives and risk appetite of the organization
    • Implementing and improving continuous processes for auditing, reviewing, assessing, and testing the controls
    • Providing support and advice on managing and remediating security and privacy incidents and breaches

Metrics-Driven: This tier suits clients who want to achieve excellence and innovation in their security and privacy controls and demonstrate their value proposition and competitive advantage in the market. The services we provide in this tier include:

    • Conducting a benchmarking analysis to compare the performance of the controls with industry peers and best practices
    • Developing and implementing a plan for adopting emerging technologies, methodologies, and frameworks for security and privacy
    • Demonstrating the value proposition and competitive advantage of the security and privacy controls to stakeholders and customers
    • Providing thought leadership and advocacy on security and privacy issues and trends
    • Influencing the development of standards and regulations for security and privacy

Can a custom tier be developed with services from different levels?

Yes, we can create a custom tier for you that incorporates services from different levels. We understand that each client's needs are unique, and our goal is to provide tailored solutions that best fit your requirements. Our team will work closely with you to understand your needs and combine elements from various levels to design a custom package that aligns with your objectives and budget. Please feel free to contact us to discuss your needs, and we'll be more than happy to develop a custom tier just for you.

Note: Our pre-packaged tiers are inspired by Secure Controls Framework's™ (SCF) Security & Privacy Capability Maturity Model (SP-CMM).


I don't need a subscription or vCISO pricing. Do you offer project work options?

Yes, we absolutely offer project work options for clients who do not require a subscription. We understand that each client's needs are unique, and we strive to provide flexible solutions that cater to your specific requirements. Contact us for a free consultation and needs assessment.

What are some project examples performed outside subscriptions?

Here are some project examples that can be performed outside of subscriptions; feel free to contact us with your particular need to determine whether we can meet it:

Table Top Exercises: Conducting simulated cybersecurity incidents or crisis scenarios to evaluate your organization's response capabilities and identify areas for improvement.

Maturity Assessments: Assessing the maturity of your organization's cybersecurity practices, processes, and controls to identify gaps, prioritize risk mitigation efforts, and ensure compliance with industry standards and regulations.

Insider Threat Program Development: Designing and implementing a comprehensive insider threat program to detect, prevent, and mitigate risks posed by employees, contractors, or other individuals with access to your organization's sensitive information and systems.

Ransomware Preparedness and Response: Helping your organization to develop and implement a proactive strategy to prevent and respond to ransomware attacks, including employee training, incident response planning, and data backup and recovery solutions.

Vulnerability Assessments and Penetration Testing: Identifying potential weaknesses in your organization's systems, networks, and applications through vulnerability assessments and penetration testing to reduce the risk of unauthorized access and data breaches.

Phishing Simulation and Awareness Training: Specifically designed to help your organization assess and improve your employees' ability to recognize and respond to phishing attacks. This standalone service aims to minimize the risk of security breaches resulting from phishing and other social engineering tactics.

Incident Response Planning: Developing and implementing a robust incident response plan to ensure your organization can quickly and effectively respond to security incidents and minimize potential damage and downtime.

Compliance Audits and Gap Analysis: Evaluating your organization's compliance with relevant industry regulations, standards, and best practices, such as GDPR, HIPAA, PCI DSS, or NIST frameworks, and providing recommendations to address identified gaps and risks.

Data Privacy Program Development: Creating and implementing a comprehensive data privacy program that aligns with applicable privacy regulations and helps protect your organization's sensitive information while ensuring compliance.

Third-Party Risk Assessments: Evaluating the cybersecurity posture of your vendors, partners, or other third parties to manage potential risks and ensure that they meet your organization's security and compliance requirements.

Custom Subscriptions

Don't see what you need? Contact us for customized options to meet your needs. We have vCISO pricing that will fit your budget.