Retainers for vCIOs and vCISOs: A Comprehensive Guide


If you’re running an IT department at a small to mid-size company, you know— the demands on your infrastructure are greater than ever. Cyber threats are growing at an alarming pace, primarily fueled by the accessibility of AI to hackers. Cloud productivity, system monitoring, and business intelligence are getting more sophisticated with a raft of new AI-driven tools. Meanwhile, regulators, cyber insurers, and your own C-suite demand more proof of data safety standards than ever.

Unfortunately, all this demand for increased IT performance is coming during a historic shortage of IT talent—a shortfall that will swell to more than 85 million tech workers by 2030, according to the latest predictions from Gartner. It’s enough to make you throw up your hands and say: should I trust my senior IT leadership to contract talent from an MSP and hire someone on retainer? 

As a national MSP offering vCIO and vCISO services, we admit to being slightly biased on this question. We’ve spent years providing affordable, scalable, senior IT consulting services for companies big and small. In our experience, this is a great way to get enterprise-grade a great way to get enterprise-grade leadership that’s right-sized for your organization—especially when you’re working with these experts on a retainer. 

If you’re looking for some background on what it’s like to work with a vCIO and vCISO and what those retainers cover, keep reading. We’ll explain the ins and outs of this important buying decision. 

First, let’s discuss what separates a virtual chief information officer (vCIO) from a virtual chief information security officer (vCISO). 


vCIOs and vCISOs: How Do They Differ?


Put simply, a vCIO oversees the work of your overall IT operation, while a vCISO focuses on how cybersecurity is integrated into your IT infrastructure and company procedures. We recommend companies hire both experts to ensure a healthy, future-focused, and well-resourced IT operation. Here’s how their roles break down. 

What a vCIO Handles


  • Aligning your infrastructure with your business objectives  
  • Assessing your existing IT infrastructure to recommend improvements and create technology roadmaps 
  • Securing and managing licenses for your SaaS products and platforms 
  • Negotiating relationships and contracts with technology vendors to ensure optimal service delivery 
  • Ensuring that your patching and monitoring gets completed efficiently and consistently 
  • Setting your IT budget for the year and helping you implement plans for expansions or additions 

Now that we’ve established what a vCIO does, how does that translate into the services you can expect daily? Let’s dig a little deeper. 


What Should a vCIO Retainer Include?


Some MSPs may include your vCIO service as a part of the overall package price when you sign on for a fully managed service account. Some may call your vCIO service out as a separate line item. Either way, there are specific management tasks that every vCIO should do to provide your organization with quality service, including: 

  • Coordination of your introductory assessment—where our engineering team reviews your IT infrastructure, ensuring it meets your needs for speed, productivity, safety, and compliance 
  • Regular Consultations—scheduled meetings to discuss technology strategy, project updates, and business priorities 
  • Technology Roadmap—including a written implementation plan for the maintenance and upgrades of your IT infrastructure for the year 
  • IT Budgeting—creating and managing the IT budget, including negotiating with vendors to get the best price/tools for your needs 
  • Vendor Management—coordinating with technology vendors and evaluation of their performance 
  • Emergency Support—being available for urgent issues or unexpected technology challenges 

Consider your vCIO the chief service provider for your account and the person responsible for making your MSP experience run smoothly. Much like an internal CIO, your vCIO ensures that all your tools and procedures are running as intended. 

vCISOs work in much the same way, except they oversee the functioning of your cybersecurity operations, specifically. Ideally, they’ll work hand in hand with your vCIO to ensure your cybersecurity runs seamlessly within your overall IT operations. 


What a vCISO Handles


  • Managing cybersecurity policy and procedure 
  • Monitoring your system, finding patterns in your incident, and patching reports that might highlight emerging threats 
  • Conducting third-party vendor reviews to ensure their safe cybersecurity practices 
  • Reviewing results of your employee cybersecurity training programs to ensure compliance 
  • Completing Third-party vendor reviews 
  • Handling client’s customer risk response requests 
  • Overseeing incident response, mitigation, and forensic analysis 


What Should a vCISO Retainer Include?


Your vCISO will provide leadership that overlays your existing IT operation, usually leading them to execute several monthly security touchpoints for fully managed service accounts. While every contract varies, you can generally expect these deliverables from your vCISO: 

  • An annual internal security risk assessment includes a review of your policies, procedures, compliance posture, backup protocols, disaster recovery, security training, and more. 
  • A written cybersecurity plan—that specifically identifies your risks, recommends fixes/tools to mitigate the risk, and sets budgets and implementation plans for these remediations.
  • A refresh of your written cybersecurity policies and procedures—which fills in any gaps in your cybersecurity documentation and helps standardize your security response companywide 
  • Incident Response Planning—including tabletop exercises to ensure your organization has the proper procedures and resources in place in the event of hacks, outages, or disasters 
  • Ongoing review of your system monitoring and patching— looking for patterns that may indicate latent threats or the need to make security changes 
  • Regular reporting to your C-suite—about your cybersecurity, showing performance numbers, and giving recommendations for future investment 
  • Preparation of cybersecurity reports/reviews for critical constituents—including audits by cyber-risk insurers, regulators, as well as potential customers and vendors 
  • Supervision of disaster recovery and event remediation—which includes forensic analysis and documentation of the steps taken 

With such an essential scope of work, vCIOs and vCISO have the potential to make or break your IT operations. Here’s what you should look for when hiring an MSP with these professionals on staff. 


What Kind of Experience Should You Look for in your vCIO or vCISO?


When you begin a relationship with an MSP, it pays to ask about their vCIO/vCISO qualifications. After all, an MSP is only as strong as the people it employs. It’s best to ask questions early and often. What’s considered standard at one MSP may not be standard at another. For this article, let’s go by what’s considered “best practice.”

It’s not unusual for a vCIO to come into an MSP after a broad array of business experiences, but most will require a degree in computer science, IT administration, business administration, or a related field. Relevant qualifications such as a PMP (Project Management Professional) Certification or ITIL (Information Technology Infrastructure Library) Certification are also desirable but not required. 

The bar for becoming a vCISO usually starts with a bachelor’s and master’s degree in IT, Computer Science, Cybersecurity, Information Systems, or Risk Management. Additionally, vCISOs are required to have certifications to demonstrate that their cybersecurity expertise is up to date. Most will have a CISSP Certification (Certified Information Systems Security Professional) or another relevant credential such as a CISM (Certified Information Security Manager) or CISA (Certified Information Systems Auditor).   

Of course, the longer they’ve been in IT, the better. Also, many MSPs have established practices around specific industry verticals, such as the Financial Industry Division at Integris. It pays to ask if your MSP has experience working within your industry’s regulatory limits. It could mean the difference between whether your operation is genuinely regulation-ready or not. 


How Should a vCIO/vCISO Retainer Be Billed?


Most MSPs will bill your retainer monthly based on an estimate of the work hours your organization will need. This retainer should cover a broad scope of work that covers most standard reporting, project management, and service response. It’s best to discuss what the “standard” package of monthly services requires up front, as some may tack on extra charges for extra work, such as handling significant expansions of your services /infrastructure. 


Are You Interested in Hiring a vCIO or vCISO for Your Business?


We can help. Integris has nationwide offices that offer high-level IT consulting services to small and mid-sized businesses. Contact us for a free consultation. 

Darrin Maggy is the Information Security Operations Manager for the Integris vCISO program. A CISSP with over 25 years of experience, Darrin provides leadership and oversight for Integris' vCISO team.

Keep reading

Small Business Cybersecurity Guide: Tips from Top Consultants

Small Business Cybersecurity Guide: Tips from Top Consultants

If you've been putting off cybersecurity investments for your small company, the time to invest is now. There's never been a more critical time to address your small business cybersecurity. Consider these facts: The average cost for a data breach for a US company in...

Four Social Engineering Hacks You Need to Prevent in 2024

Four Social Engineering Hacks You Need to Prevent in 2024

In the first quarter of 2024, Statista reports over 963,000 unique phishing sites worldwide were detected, collectively sending out billions of spam emails a day. Is this number scary? You bet. But it's the growing sophistication of these social engineering attempts...

Updating Your Bank’s Security Training for the Age of AI

Updating Your Bank’s Security Training for the Age of AI

How much could AI-driven models like Copilot for M365, Google Gemini, or Apple Intelligence improve the productivity at your bank? The jury is still out on that one, but initial experiments place the overall AI-driven productivity gains for the US economy at between 8...