A named person responsible for cyber at board level.
Most SMEs do not have a Chief Information Security Officer. Most do not need one full-time. But they do need someone who owns cyber risk at a senior level. That is what a virtual CISO gives you.
No sales process. No commitment.
What is a virtual CISO?
A CISO — Chief Information Security Officer — is the senior person responsible for cyber security strategy. They sit at board level. They own the risk decisions. When something goes wrong, they are the person accountable.
A full-time CISO costs £100,000 to £180,000 a year. For most businesses with under 500 staff, that is not a realistic hire. The result is a gap — cyber risk with no one formally owning it.
A virtual CISO fills that gap. A named, experienced professional who takes responsibility for your cyber security posture, attends your board meetings, and gives you honest advice — without the full-time cost.
This is not a product or a software tool. It is a person. With accountability.
Clients or insurers asking about your cyber security governance
Larger clients and insurers increasingly require evidence that cyber risk is managed at a senior level.
A security incident with no one formally in charge of the response
If a breach happens and nobody owns the decision-making, the response is slower and more damaging.
Cyber Essentials or ISO 27001 in scope
These frameworks require someone to own security policy and risk decisions. That person needs appropriate seniority.
Board conversations about cyber with no one qualified to lead them
Most MDs are not cyber experts. Neither are most FDs. Someone needs to translate risk into decisions.
What I do as your virtual CISO
Practical, senior-level cyber governance. No jargon. No vendor agenda.
Cyber risk ownership
I take formal responsibility for your cyber security. That means assessing your real exposure, not the version your IT support company presented to you, and being the person who signs off on risk decisions.
- Risk assessment and gap analysis
- Risk register ownership
- Cyber Essentials and CE+ guidance
- Incident response planning
Policy and governance
Most cyber policies are written by IT teams and filed away unread. I write policies that are readable, practical, and enforceable. Then I make sure someone is actually checking they are being followed.
- Cyber and information security policies
- AI and data usage policies
- Supplier and vendor risk policies
- Staff awareness and training oversight
Board-level reporting
I translate cyber risk into business language for your board and senior leadership. Not technical briefings. A clear picture of what your actual exposure is, what has been done about it, and what decisions still need to be made.
- Quarterly board reporting
- Plain English risk briefings
- Incident and near-miss reporting
- KPI and metrics ownership
Incident response
When something goes wrong — and in most businesses, eventually something does — you need a named person making the right decisions quickly. I am available to lead the response, coordinate the right parties, and manage the communication.
- Incident response plan ownership
- Crisis decision-making support
- Regulatory notification guidance
- Post-incident review

Qualifications and experience
I have been working in IT security and governance since 2000. 25 years across infrastructure, cyber security, risk management, and board-level reporting for businesses in the UK and internationally.
I hold an MSc in Cyber Security. Not a vendor certification or a weekend course. A postgraduate academic qualification in the field I practise.
I also run a small business myself. I understand commercial reality: cash flow, margin, the pressure of decisions. Cyber governance that ignores business context is not governance — it is compliance theatre.
MSc Cyber Security
Postgraduate qualification in cyber security. Combined with 25 years of hands-on experience protecting real businesses.
Independent
No vendor commissions. No products to sell. Advice that is only ever in your interest.
No contracts
Walk away at any time. You stay because the service is useful, not because you are locked in.
Senior level
Board-ready reporting and decision-making. Not a junior analyst with a checklist.
Let's talk about what you actually need.
Not every business needs a full vCISO engagement. Sometimes the gap is smaller than it looks. Sometimes it is larger. A short conversation usually makes it clear.
30 minutes. No preparation needed.
MSc Cyber Security · 25 Years Experience · Independent