Most small and mid-sized businesses can't justify a full-time Chief Information Security Officer - but they still carry the risk one would manage. The virtual CISO service builds your security strategy from the ground up: governance and risk first, then policy, then technical defence, then ongoing uplift. Australian-based, working globally.
It's the same four-stage method as the free SMB security guide - the guide teaches it; this is me doing it with you.
Straight talk about where this practice is: UMBRASEC is a new, independent practice run by one practitioner with years in defensive security. There's no inflated client list or team-of-fifty pitch here, because that would be a lie. What there is: published, sourced work you can evaluate today, a strictly defensive scope, and engagements scoped honestly to what one experienced person can do well.
A real security program isn't a product you buy - it's built in a sequence. The vCISO engagement follows the same arc as the free guide, but delivered with you: governance and risk first (so every technical decision has a reason), then policy, then defence, then the ongoing climb.
In Australia, cyber security is now a board and legal accountability issue, not just an IT one. ASIC has taken licensees to court over security failures - the Federal Court found against RI Advice in 2022 for inadequate cyber risk management, and ASIC has since pursued FIIG Securities over similar failings like unpatched systems and weak access controls. Add the Privacy Act's Notifiable Data Breaches scheme and the Cyber Security Act 2024, and the question directors face isn't "did we get hacked" but "can we show we took reasonable steps." A vCISO engagement is how you manage that accountability deliberately - with documented governance, not good intentions.
You stay in control the whole time. I bring the structure, the frameworks, and the experience - you make the decisions and own the outcomes.
No big-consultancy process, no being handed off to a junior - it's the same person on every call. Here's how an engagement usually flows, from the first conversation to the ongoing seat, and what each side actually does at every step.
Tailored to your business, not pulled from a template folder. Everything here is yours - documented, handed over, and built so your team can maintain it after the engagement ends.
A practical policy suite that fits how you actually work - access, data handling, acceptable use, vendor management - not a 90-page document nobody reads.
A risk register the board can read, a POA&M (plan of action and milestones) for tracking gaps, a governance model, and the evidence processes auditors expect.
Vendor-neutral recommendations and oversight for the controls that matter - MFA, EDR, backups, logging, hardening - chosen on fit and budget, not vendor relationships.
Awareness training that sticks, an incident-response plan written for your environment, and tabletop exercises so the plan has been tested before you ever need it.
A repeatable way to assess the third parties holding your data or plugged into your systems - because their breach becomes your breach, and your customers will ask.
Security translated into business terms - risk reduced, obligations met, money well spent - so leadership can make decisions without needing to read a SIEM.
The difference between these is how involved I am, not which box you get charged for. Most engagements start light and deepen as the work does. None of them are packages off a shelf - the actual scope and cadence get agreed and quoted in writing before anything begins.
You've got a team or an MSP and some momentum - what's missing is direction. I set the strategy and the roadmap, then check in to keep you pointed the right way.
We're building the program side by side, on a regular cadence. I stay close to the work, keep the documentation current, and report as controls go live.
Deeper, more frequent involvement for businesses chasing a certification, under regulatory weight, or carrying enough risk to need a steady hand on the program.
On pricing: fixed scope, quoted in writing before work starts - no hourly creep, and month-to-month so you're never locked into a seat you've outgrown. A vCISO exists to give a smaller business the strategic security function of a full-time CISO at a fraction of the cost and commitment. What that costs you depends on the shape above and your environment, so the number comes after the scoping call, not before.
UMBRASEC is a new practice, so this is a composite picture, not a case study. Imagine a 30-person professional services firm: a major client sends a security questionnaire, and there's nothing formal to point at - just a busy founder and good intentions. A few months into an engagement like this, the founder isn't the one fielding security questions anymore; there's a risk register and a roadmap that answer them. The questionnaire stops being a deal-blocker and becomes something the sales team can handle on its own. Leadership can finally see, in plain terms, where the real risk sits and what's being done about it. None of that is a tool you buy - it's the structure and the habit the engagement leaves behind.
We start with a framework that earns its keep for an SMB - NIST CSF 2.0, CIS Controls, or the Essential Eight here in Australia - and build against that. From there the same controls map to whatever you actually need to prove: SOC 2, ISO 27001, and the like. One foundation, many obligations - so you're not starting over every time a customer or regulator asks.
Not every business needs the full vCISO arc on day one. These are the hands-on pieces - available standalone, or as the delivery muscle inside a vCISO engagement's Implement stage.
Build and tune detections that actually fire on real techniques - Sigma, KQL (Sentinel / Defender), and Splunk - mapped to MITRE ATT&CK, with documented false-positive profiles so they survive contact with your environment.
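To make "documented false-positive profile" concrete, here is an added example of what one such detection looks like when expressed as code rather than a Sigma YAML file. It is illustrative only, not code from this page or from UMBRASEC's published work: it checks constructed mailbox audit events for a newly created inbox rule that forwards mail to an external domain (MITRE ATT&CK T1114.003, a common precursor to the invoice-redirection fraud mentioned below), and the internal and approved-external domain lists that suppress benign matches are assumptions for the example, not any real tenant's configuration. The event shape is simplified and constructed, not the real Exchange audit schema.

```python
"""Constructed example: a Sigma-style detection for an external mail-forwarding
inbox rule (ATT&CK T1114.003), with an explicit false-positive profile so known-benign
forwarding is suppressed deliberately rather than by silently widening the rule."""

from dataclasses import dataclass

# False-positive profile: documented exclusions that are reviewed, not buried in the query.
# Both sets are assumptions for this example, not a real tenant's configuration.
INTERNAL_DOMAINS = {"example.com.au", "mail.example.com.au"}
APPROVED_EXTERNAL = {"archive.example-partner.com"}  # e.g. a contracted archiving service


@dataclass
class Detection:
    rule: str
    technique: str
    user: str
    forward_to: str
    reason: str


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def detect_external_forwarding(events):
    """Return one Detection per forwarding target that is neither internal nor approved."""
    hits = []
    for ev in events:
        # Selection clause: only inbox-rule creation/modification operations are of interest.
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        # Collect forwarding targets from the (constructed) parameter list.
        targets = [p["Value"] for p in ev.get("Parameters", [])
                   if p["Name"] in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")]
        for target in targets:
            dom = _domain(target)
            if dom in INTERNAL_DOMAINS:
                continue  # FP profile: forwarding within the tenant is normal workflow
            if dom in APPROVED_EXTERNAL:
                continue  # FP profile: contractually approved external destination
            hits.append(Detection(
                rule="mail_forwarding_rule_external",
                technique="T1114.003",
                user=ev["UserId"],
                forward_to=target,
                reason=f"inbox rule forwards to external domain {dom}",
            ))
    return hits


# Constructed sample events; simplified shape, not the real audit log schema.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "payments@gmail.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com.au",
     "Parameters": [{"Name": "ForwardTo", "Value": "ea@example.com.au"}]},
    {"Operation": "Set-InboxRule", "UserId": "legal@example.com.au",
     "Parameters": [{"Name": "ForwardAsAttachmentTo",
                     "Value": "vault@archive.example-partner.com"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ap@example.com.au", "Parameters": []},
]


if __name__ == "__main__":
    for hit in detect_external_forwarding(SAMPLE_EVENTS):
        print(f"[{hit.rule} / {hit.technique}] {hit.user} -> {hit.forward_to}: {hit.reason}")
```

Of the four constructed events, only the accounts-payable rule forwarding to gmail.com fires; the internal forward and the approved archiving destination are suppressed by the profile, and the unrelated operation never reaches the logic. The point is that the exclusions are named, reviewable data rather than an undocumented tweak to the query, which is what lets a rule keep firing on the real technique after it meets a specific environment.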
A focused review of your Microsoft 365 / Entra ID and cloud posture - the high-leverage settings that quietly decide whether an attacker walks in. Concrete, prioritized findings, not a 200-page PDF nobody reads.
For teams with no in-house security lead: ongoing, plain-English advisory. What's actually relevant to your stack, what to prioritize next, and a sane detection roadmap - available as a light retainer.
Suspected compromise and need a calm, experienced second pair of eyes? Triage, scoping, log analysis, and guided containment/recovery for cloud and identity incidents.
Note: this is a solo practice - for guaranteed 24/7 retained IR, a larger firm is the right call, and I'm honest about that.
The lowest-friction way to work together: a defined review of your Microsoft 365 / Entra ID tenant with a written quote before any work starts and concrete deliverables you keep. No retainers, no open-ended hours - if it surfaces bigger problems, you'll get an honest recommendation, even when that recommendation isn't me.
Two things bite this sector hardest: invoice and payment-mandate fraud - where an attacker quietly redirects a supplier payment - and head contractors who now require a baseline of security maturity before you can win or keep a tender. Getting your Essential Eight posture in order does double duty: it closes the fraud gap and it unlocks work you'd otherwise be screened out of.
If you fall under SOCI (critical infrastructure) or APRA CPS 234 (financial services), the governance and reporting obligations are heavier and specific. Those engagements are scoped against the actual regulatory requirement - happy to talk through whether your obligations apply before you commit to anything.
A short call to understand the problem and whether I'm genuinely the right fit. If I'm not, I'll say so.
A written, fixed scope with clear deliverables and a price for that work. No surprise hourly creep.
Work delivered with artifacts you keep - rules, findings, runbooks - and a walkthrough so your team can own it.
Scoped per engagement - every problem is a different size, so pricing follows the agreed scope rather than a sticker on the wall. You'll always have the number in writing before any work starts.
Defensive only - detection, hardening, analysis, and response. No offensive engagements, no red-team or exploit work. That boundary is deliberate and it doesn't move.
The research here is published under a handle, which is normal in this field - but clients don't hire a handle. You'll know exactly who you're working with - full identity and background - at the scoping call, before any engagement or access. NDAs welcome.
The opposite. Large companies hire a full-time CISO. The virtual CISO model exists precisely so a smaller business gets the same strategic function - governance, risk, board reporting - at a fraction of the time and cost, sized to what you actually need.
Every engagement gets a written, fixed quote for a defined scope before work starts - no hourly creep. The M365 Security Review above is the defined entry point if you want a known shape first.
No. Detection, hardening, analysis, and response only - no red-team, exploit, or social-engineering engagements. That boundary is deliberate and it doesn't move.
A short reply, then a scoping call to understand the problem and whether I'm genuinely the right fit. If I'm not, I'll say so and point you somewhere better. If I am, you get the scope and quote in writing.
Tell me what you're dealing with - a noisy SIEM, an M365 tenant nobody's reviewed, a roadmap you need a second opinion on, or an incident in progress. Book a free scoping call and pick a time that works, or send a pre-structured email if you'd rather write first.
Prefer to read the work first? See everything on GitHub →