vCISO & Board Advisory

Security leadership at board level. Without the full-time hire.

Your directors are responsible for cyber risk whether they understand it or not. A virtual CISO gives them the expertise, the language, and the confidence to govern it properly — at a fraction of the cost of an in-house appointment.

From £1,500 · West Midlands based · Available UK-wide

What we take off your plate
Board reporting
Plain English security updates written for directors — not engineers. Quarterly or on demand.
Policy ownership
We write, maintain, and own your information security policies. Someone has to — it may as well be someone qualified.
Compliance calendar
Cyber Essentials renewals, ISO27001 surveillance audits, insurance reviews. We track the dates. You don’t miss them.
Incident response authority
Named point of contact with the authority to act. When something goes wrong, you need someone who can make decisions — fast.
The board’s blind spot

Most directors are responsible for cyber risk.
Few are ready for it.

Cyber security sits in the boardroom whether your directors invited it or not. The ICO, insurers, investors, and clients are all asking the same question: who in your organisation owns this? If the honest answer is “nobody, really” — you need to read on.

A virtual CISO is not a technology solution. It is a governance solution. We give your board the expertise, the language, and the documented evidence to demonstrate that someone competent is in charge of information security — because increasingly, that’s what contracts, insurers, and regulators require proof of.

Sound familiar?
01
The insurer question
“Our cyber insurer sent a renewal questionnaire and half the questions we genuinely don’t know the answers to.”
02
The client question
“A major client has asked for evidence of our information security management. We don’t have a formal programme to point them to.”
03
The board question
“We had a board discussion about cyber risk. Nobody could say with confidence what our actual exposure is.”
04
The supply chain question
“A client in our supply chain has told us they need to see a documented security programme before they can continue the relationship.”
Plain English

What a virtual CISO actually does.

A Chief Information Security Officer is the person in an organisation who owns the security strategy — answers to the board, manages risk, owns the policies, and is accountable when something goes wrong. Most SMEs can’t justify — or afford — a full-time one. We deliver the same function as a service.

01 — STRATEGY
We set the direction
We assess your current security posture, identify the gaps, and build a prioritised roadmap. Not a generic framework copy-paste — a plan specific to your business, your risk profile, and your budget.
02 — GOVERNANCE
We write and own your policies
Information security policies, acceptable use, data classification, incident response procedures. Written, maintained, and version-controlled. Ready for an auditor, an insurer, or a due diligence process at any time.
03 — REPORTING
We brief your board
Regular board-level reports written for directors, not engineers. What your risk position is. What has changed. What decisions the board needs to make. No acronym soup. No hiding behind jargon.
04 — ACCOUNTABILITY
We’re the named contact
When your insurer, auditor, or a large client asks “who is responsible for information security in your organisation?” — the answer is a named person with a phone number. That person is us.
£120k
Average UK CISO salary, before employer NI, pension, and recruitment costs. A full-time CISO is a £150k+ annual commitment for most businesses.
72hrs
ICO breach reporting window. 400+ businesses have rated ACUTEC on Feefo after paying for our services. Every review is verified. You cannot buy a Feefo rating.
43%
Of cyber attacks target SMEs. The assumption that attackers only go after large organisations is wrong. SMEs are targeted precisely because they are less likely to have robust defences — or a plan for when something goes wrong.
Service options

Three ways to work with us.

We’ll always tell you which option makes sense for your situation — and why. No upselling. No pressure.

One-off session
Board Security Briefing
£1,500 – £3,000 per session

A single session with your senior leadership team. We assess your current security posture, translate the findings into plain language, and give directors a clear picture of their exposure and responsibilities. Practical, honest, and done in a day.

  • Pre-session questionnaire to assess current posture
  • Half or full day on-site session with your leadership team
  • Written summary of findings and recommended actions
  • No jargon — designed for non-technical directors
  • Can be repeated annually or used as a starting point for a retainer
Specialist session
Director Liability Briefing
Included in retainer or standalone

The ICO is clear: directors can be held personally liable for data breaches where the board failed to take reasonable steps. This session covers exactly what that means — what you are responsible for, what a regulator looks for, and how to demonstrate due diligence.

  • What “reasonable steps” means in practice under UK GDPR
  • Scoped to your environment
  • Director responsibilities under the Data Protection Act 2018
  • What the ICO looks for in an enforcement investigation
  • How to document board-level security decisions
  • Practical steps you can take before you leave the room
The process

How it works.
Start to finish.

No long procurement process. No six-month onboarding. Most clients have a working engagement running within three weeks.

01
Initial conversation
A 45-minute call — no charge, no obligation. We ask about your business, your current security position, and what’s driving the decision. We’ll tell you honestly whether a vCISO is the right solution or whether something simpler would serve you better.
02
Posture assessment
We review your current policies, technical controls, compliance position, and risk profile. This gives us — and you — a clear baseline. We won’t recommend anything without understanding where you actually are first.
03
Engagement begins
We agree the scope and start work. For retainer clients this means immediate policy ownership, compliance calendar setup, and your first board report scheduled. For briefing clients, we’re typically on site within two weeks.
04
Ongoing & evolving
Security isn’t a one-time event. The threat landscape changes, your business changes, and compliance requirements evolve. We stay current so you don’t have to. Retainer clients get a proactive service — we flag issues before they become problems.
Who delivers this

A real person.
Not a framework.

vCISO services only work if there’s genuine expertise behind them. Neil has spent his career in technical infrastructure and security — the kind of depth that comes from actually doing the work, not just advising on it.

NF
Neil Fletcher
Technical Director
Security
Compliance
Infrastructure
ISO27001
Cyber Essentials

Neil leads ACUTEC’s technical infrastructure and security practice. He’s the person who built our own security programme from the ground up — we’re pursuing ISO27001 certification internally, which means Neil has lived through the same process your organisation would face, not just advised clients through it.

His day-to-day covers everything from firewall configuration and network security to compliance frameworks and board-level risk conversations. When a client receives a letter from Severn Trent, the NHS, or a major contractor asking for security certification, Neil is the person who picks up the phone.

The infrastructure team he leads — Sam, Jack, Darren, Ricardo, and Harshim — are the people who keep client systems running day to day. The security work Neil does at the strategic level is grounded in that operational reality. He knows what actually breaks, not just what the frameworks say should break.

If you’re considering a vCISO engagement, the first conversation will be with Neil. No sales layer between you and the person delivering the service.

Why trust ACUTEC with this

We hold the credentials we advise you to hold.

Cyber Essentials Plus
ACUTEC holds CE+ ourselves — independently verified, not self-assessed. We’re also an IASME-accredited certification body, which means we certify other businesses. Both sides of the process.
↗ We certify others — not just advise
ISO27001 — In Progress
We are pursuing ISO27001 internally. Neil is going through the same process he advises clients through. We believe you should not sell a standard you haven’t held yourself. Completion target: September 2026.
↗ One of very few MSPs in the region to hold it
Microsoft Solutions Partner
Modern Work & Security specialisation. Microsoft has independently verified our technical capability, customer satisfaction, and ongoing training investment. This is relevant to vCISO because Microsoft 365 configuration is a core part of most clients’ security posture.
↗ Modern Work & Security — both halves
Next step

Start with a conversation.
No agenda.

We’ll ask you about your business, your current situation, and what’s prompted the conversation. At the end, you’ll have a clear picture of whether a vCISO engagement makes sense — and if it doesn’t, we’ll tell you that too.

St Peters House · Church Hill · Coleshill · Birmingham · B46 3AL · hello@acutec.co.uk