Frequently Asked Questions

Answers to the most popular questions

How much does it cost?

We are not the cheapest option. We are also not the most expensive — a full-time senior
CISO will cost you €150,000–€250,000 per year before benefits, equity, and recruiting fees.
Working with Big4 or large consulting firms will cost the same or more — with the added overhead of rotating teams, slow turnaround, and senior partners who hand off to juniors after the pitch. We offer senior-level delivery throughout, at a materially lower cost.
‍
Our engagements are scoped to your business size, complexity, frameworks, and where you
are in your security journey; all factor in. To get a clear picture of what it would look like for
your company specifically, book a scoping call, and we will give you a straight answer within
24 hours.

What does a vCISO engagement actually look like month to month?

We start with a structured onboarding — baseline assessment, security strategy, and
roadmap. From there, we run your security program. That means risk register maintenance,
policy management, vendor oversight, compliance tracking, and handling whatever comes
up — security questionnaires from prospects, pre-audit preparation, and incident response.
‍
You get a quarterly posture report and regular touchpoints with your dedicated consultant. It
does not look like a monthly call where someone reads slides at you.

Who will I actually be working with?

A named senior consultant from day one, a senior analyst, and a dedicated onboarding +
implementation PM. CISSP, CISA, CISM, and CIPP/E certified professionals with real
delivery track records — not junior analysts supervised from a distance. You will know who to
contact. And they will already know the answer.

Is there a minimum number of hours of commitment per month?

No. We do not structure our engagements around hours. We work towards outcomes —
what your business needs in a given month is what gets done. Some months are heavier
than others. We do not penalize you for slow months or charge overages for busy ones.

How long before we see results?

Depends what you mean by results. Within 30 days, you will have a documented security
strategy and a prioritized roadmap — that is immediately useful for board conversations and
investor due diligence.
‍
For certification, the realistic timeline is 8 weeks (rare occasions) to 16 weeks onward (more
realistic) months, depending on your starting point and which framework you are targeting.
We will tell you exactly what to expect during the scoping call.

Can’t we just do this ourselves using a compliance tool?

You can. Vanta, Drata, Secureframe, and similar tools are useful. They automate evidence
collection and control monitoring well. What they do not do: set strategy, talk to your board,
manage the manual work, handle a difficult auditor, respond to a complex customer security
questionnaire, or tell you which risks actually matter for your business versus which ones are
checkbox theatre.
‍
Tools are infrastructure. We are judgment. If you are already using one of these platforms,
we work with them — we are not trying to replace them. Worth reading: Surprising amount of
manual work

We already tried to get ISO 27001 certified/SOC 2 attested, and it stalled. Can
you help?

Yes, and we see this regularly. Certifications stall for predictable reasons — scope that was
too broad, a risk assessment that was never properly finished, or a consultant who handed
over documents and disappeared.
‍
We will do a rapid assessment of where you are, identify what is blocking you, and give you
an honest view of what it will take to get across the line. We have never had a client fail a
certification audit that they were properly prepared for.

What is your money-back guarantee?

If you follow our project plans and recommendations and fail to pass your certification audit,
we will refund your fees. No exceptions, no small print. We put this in writing at the start of
every engagement.
‍
It exists because we are confident in our delivery — and because it makes the decision
easier for you.

Do you work with early-stage companies or only established ones?

Both. We have clients ranging from pre-revenue companies building their first security
program to regulated fintechs managing multi-jurisdiction compliance across the EU, UK, and
US. The engagement scope differs — the quality of delivery does not.

We just need a pen test / gap assessment / internal audit / one-off piece of
work. Do you do that?

Yes. Not every engagement needs to be ongoing. If you have a specific, scoped need, we
can handle it as a standalone engagement. That said, if the work surfaces broader gaps —
which it usually does — we will tell you, and you can decide what to do with that information.

Can I speak to a current client before deciding?

Yes. Ask us during the scoping call, and we will connect you with a relevant reference —
someone in a similar industry or at a similar stage. We would rather you speak to someone
who has worked with us than take our word for it.

Can I ask something else?

Yes. Book a scoping call at security-consultant.com or email us at hello@security-
consultant.com — we respond the same business day.