Pricing Guide

vCISO Cost: What a Small Business Actually Pays in 2026

Real retainer ranges by business size and industry, what's typically included, what isn't, and how to evaluate value vs cost without getting sold a programme you don't need.

Three realistic scenarios

10–25 person regulated business

HIPAA-covered practice, NAIC-regulated agency, FTC-Safeguards dealer, IRS-Pub-4557 firm. One physical location, straightforward IT.

Monthly retainer: $2,500–$4,000
Time commitment: 5–10 hours/month
Typical scope: Written security programme, monthly leadership report, quarterly strategy review, incident response plan, vendor management, regulator-ready documentation.

25–75 person growing business

Multi-location regulated business, mid-size DoD subcontractor, or a SaaS company with enterprise customers asking security questionnaires.

Monthly retainer: $4,000–$6,500
Time commitment: 10–15 hours/month
Typical scope: Everything above + vendor security questionnaire management, board-ready quarterly reporting, biennial penetration test coordination, security awareness programme oversight.

75–250 person business with complex compliance

Multi-jurisdiction healthcare, complex CMMC Level 2 manufacturer, financial services with SOC 2 / ISO 27001 / state insurance requirements.

Monthly retainer: $6,500–$10,000+
Time commitment: 15–25 hours/month
Typical scope: Everything above + multi-framework compliance management, audit coordination (SOC 2 / ISO 27001 / HITRUST), control owner training, internal security committee facilitation.

Compared to a full-time CISO

A full-time CISO in the US runs roughly:

  • Base salary: $180k–$320k for SMB / mid-market roles.
  • Bonus & equity: $30k–$120k.
  • Benefits, payroll taxes, recruiting: +25–35% of comp.
  • Tooling and support: $20k–$60k/year for the CISO's own platform stack.
  • Realistic fully-loaded cost: $280k–$520k/year for a competent SMB-fit CISO.

A vCISO retainer at $4,000/month is $48k/year — roughly 10–15% of the fully-loaded full-time cost. The trade-off: you're buying a fraction of the time, not the full job. For a small business that doesn't need a full-time security executive (which is most of them), that trade is correct.

What's typically included

  • Written security programme (WISP / SSP) build and ongoing maintenance.
  • Risk register and risk assessment cadence.
  • Policy library (acceptable use, access control, incident response, vendor management, data classification).
  • Vendor inventory and security attestation reviews.
  • Monthly leadership report.
  • Quarterly strategy review.
  • Incident response plan + at least annual tabletop exercise.
  • Cyber-insurance renewal support.
  • Reasonable on-call availability for active incidents.

What's typically not included (and what to ask about)

These items frequently sit outside the retainer and are billed separately, project-based, or handled by another vendor:

  • Penetration testing. Usually project-based, $8k–$40k per test depending on scope.
  • SOC 2 / ISO 27001 / HITRUST audit fees. Auditor charges are separate; the vCISO prepares you and shepherds the audit.
  • 24/7 SOC monitoring. This is MSSP territory, not vCISO.
  • EDR / email security / backup tooling. The vCISO recommends and validates; the tooling itself is a separate spend ($10–$30 per user per month typically).
  • Major incident response. Some firms include up to a defined number of incident-hours; beyond that, project rates apply.
  • Custom development or implementation work. The vCISO advises; engineering is separate.

Hourly vs retainer — which to choose

Retainer (monthly): The right model for ongoing programme ownership. Continuity matters — a vCISO who shows up monthly knows your business, can spot regressions, and represents you credibly during audits and renewals.

Hourly ($300–$500/hour): Useful for one-off projects — a specific risk assessment, a vendor questionnaire response, an incident retainer. Not a great fit for continuous programme work because the relationship lacks context.

Project-based: Sensible for bounded outcomes — SOC 2 readiness assessment, CMMC Level 2 readiness, a one-time policy refresh. Often a useful entry point to a longer retainer.

The honest ROI test

A vCISO retainer pays back when:

  1. The documentation it produces lets you defensibly answer a regulator, insurer, or enterprise customer (the alternative is losing a contract or having a claim denied).
  2. The vendor / tooling decisions it influences save more than its retainer (replacing redundant or underused tools, negotiating better contracts).
  3. The incident readiness work means a real incident is recoverable in days instead of weeks (the median cost of a serious SMB cyber incident exceeds $200k in downtime alone).
  4. The owner's time gets re-invested somewhere worth more per hour than the retainer.

If none of those four apply to your business right now, you may not need a vCISO yet. We unpack that in the companion article, "When Does a Small Business Need a vCISO?".

Get an honest cost estimate

Free 30-minute consultation. We scope your industry, regulatory footprint, and current state, then give you a real number range with what's included. No proposal unless you ask.
