VIRTUAL CISO
(vCISO)

Security leadership without the full-time cost.

A board asking cyber questions your IT team cannot confidently answer. A client, funder or insurer demanding evidence of security governance. A certification deadline with nobody senior to lead it. These are not IT problems. They are security leadership problems. Starkhorn solves them through a virtual CISO: experienced, independent security leadership on a part-time or retained basis, accountable for your posture and speaking the language your board, auditors, regulators and insurers actually need. No software commissions. No referral fees. Just clear advice and accountable delivery, framed around NIST CSF, ISO 27001 and Cyber Essentials rather than infrastructure jargon.

The vCISO Difference

Security is either protecting your organisation or quietly exposing it

In most organisations, security sits outside the leadership conversation entirely. Controls drift unchecked. Certifications stall because nobody senior owns them.

The board gets vague answers on cyber risk, or no answers at all. And every quarter, the gap between the assurance stakeholders expect and the assurance you can actually evidence widens. We bring independent security leadership built for boards, auditors, regulators and insurers.

Every assessment, every recommendation, and every board report is framed in risk reduced, assurance gained, and compliance achieved, not infrastructure jargon.

Relevant Experience

Security and technology leadership at scale

Interim CIO and CISO

Multi-country group, GBP 1.2bn turnover, 14,000 staff

Served as interim CIO and CISO at VetPartners, a BC Partners-backed group with GBP 1.2bn turnover and 14,000 staff across multiple countries.

Set security strategy and governance across a fragmented, multi-country estate.

Built standardised security and assurance practices replacing ad-hoc approaches across hundreds of sites, as evidence of leadership at genuine scale.

CIO & CISO: Security Posture Hardened

High-transaction-volume, operationally complex business

Served as CIO and CISO through a period of significant change across a complex, multi-country group.

Modernised infrastructure, hardened security posture, and positioned security as a board-level priority across a high-transaction-volume, operationally complex business.

Charity and Non-Profit Security Leadership

Alzheimer’s Society and Age UK

Current fractional Associate Director of IT at Alzheimer’s Society, providing senior technology and security leadership to one of the UK’s most trusted charities, with prior work at Age UK.

Responsible for protecting sensitive beneficiary and donor data, strengthening governance, and giving trustees clear assurance on cyber risk.

The Security Assessment

Security posture assessment designed for boards

The first step in every engagement.

Within the opening weeks, we map your security estate, assess your posture against NIST CSF and ISO 27001, benchmark your controls, evaluate your team’s capability, and deliver a board-ready report with a prioritised roadmap, all framed in risk and assurance.

This assessment becomes the foundation for everything that follows: framework alignment, certification readiness, incident preparedness, and long-term security strategy.

What Boards Get

Every cyber risk mapped and challenged

Not a technical audit.

A board-level assessment that identifies specific risks, control gaps, and compliance shortfalls, all presented in plain language your board, auditors, regulators and insurers can act on.

Most organisations carry security risks they cannot see and cannot evidence. We find them, quantify them, and show you how to close them.

For Certification Readiness

Rapid path to ISO 27001 and Cyber Essentials

Facing a certification deadline, your team needs answers fast.

Which controls already meet the standard. Which gaps must close first.

Where the evidence sits. Where the quick wins are.

We translate the requirements of ISO 27001, Cyber Essentials and Cyber Essentials Plus into a clear plan that de-risks the timeline and gets you certification-ready without wasted effort.

Insurer and Auditor Readiness

Security that satisfies insurers and auditors

An insurer or auditor will interrogate your security estate: control maturity, cyber posture, supplier dependencies, data quality, and incident readiness.

We identify everything that could be flagged as a weakness and build the remediation plan before the review begins. The goal: a security programme that lowers your cyber insurance premiums and passes audit instead of failing it.

Board Reporting

Board and trustee grade language

Every finding framed in risk reduced, assurance gained, compliance achieved, and stakeholder confidence. RAG-scored across key domains with a prioritised roadmap at 30 days, 90 days, and 12 months.

Presented to your board in person, not emailed as a PDF. No technical jargon. No infrastructure complexity. Just clarity your board, auditors, regulators and insurers can trust.

The Cost of No Security Leadership

A single breach or failed audit can cost far more than a year of vCISO support: lost contracts, higher insurance premiums, regulatory penalties, and the time your team loses cleaning up an incident nobody led.

The organisations that stay secure are the ones that bring security leadership in before the incident, not after it.

Every quarter without independent security oversight is a quarter where controls drift, certifications stall, and your exposure grows.

Working with Your Board

Security decisions with measurable assurance

Cyber Risk Under Control

Not a technical audit. A board-level assessment that identifies specific risks, control gaps, and compliance shortfalls, all presented in plain language. Most organisations carry security risks they cannot see and cannot evidence. We find them, quantify them, and show you how to close them.

Certifications Achieved

Stalled certification programmes are where security credibility goes to die. We identify which controls already meet the standard, which gaps must close, where the evidence sits, and how to reach ISO 27001 or Cyber Essentials Plus on time, not eventually.

A Board That Trusts the Security Story

RAG-scored reporting across key domains with a prioritised roadmap at 30, 90, and 365 days. Presented to your board in person, in the language of assurance, risk reduced, compliance achieved, and stakeholder confidence. Not emailed as a PDF. Not written in jargon.

Assurance Auditors and Insurers Will Accept

Security posture evidenced. Supplier dependencies mapped. Data quality assured. Incident readiness demonstrated. Everything an auditor, regulator or insurer will interrogate, assessed, addressed, and documented before they arrive. Security becomes a strength on the record, not a red flag.

For Senior Leadership

Organisation-wide security visibility in a week

The Free Security Assessment Toolkit

Deploy Starkhorn’s free self-assessment tools across your organisation. Each team self-assesses in under 5 minutes. Results flow into a clear view of your security maturity, giving you visibility across the whole organisation within a week, at zero cost.

1. Share the assessment links with your team leads

2. Each assessment completes in 3 to 5 minutes

3. Review your security maturity scores

Organisations that score below threshold are offered a scoping call. No cost. No obligation. Starkhorn only engages where we can genuinely improve your security posture.

The assessment takes 3 minutes. The conversation takes 20.

“Across 20+ years in technology and security, 15+ of them in leadership roles, we have consistently given boards clarity on cyber risk they didn’t have before.” Daniel Jacobs, Founder, Starkhorn

Free Diagnostic

Worried about your cyber posture? Get a read in 4 minutes.

The Cyber Essentials Readiness Assessment is a free diagnostic designed for mid-market and non-profit organisations. It scores your readiness across four dimensions: governance, controls, risk exposure, and evidence. It tells you where your security gaps sit before you commit to anything.

10 questions. 4 dimensions. Immediate results. No obligation.

For Live Incidents

Dealing with an incident and need security leadership now? Get in touch.

If you are facing a ransomware attack, a data breach, or a significant security event, we can engage quickly. Daniel Jacobs can typically be briefed within 24 hours and begin working with your team immediately, coordinating your people, suppliers, and recovery.

This isn’t a sales conversation. It’s genuine incident leadership from someone who has led security across complex, multi-country, multi-site environments. If the situation is under control, we’ll tell you that too.

Available for organisations dealing with a live security incident.

Next Steps

Security leadership that protects your organisation, not just your IT policies.

Whether you’re recovering from an incident, preparing for ISO 27001 or Cyber Essentials Plus, satisfying an insurer or auditor, or getting independent visibility into your cyber risk: start with a conversation.

Common questions

Virtual CISO FAQs

Why use a virtual CISO rather than a permanent hire?

Because most organisations cannot justify a full-time CISO, yet security is either protecting the organisation or quietly exposing it. You get experienced, independent security leadership tied to real assurance, without adding permanent cost.

When should security leadership come in?

As early as you can. Before an incident it sets strategy and closes gaps. During certification it controls the programme and gets you over the line. Through the year it keeps controls aligned to the standard. Approaching an audit, insurer review or tender it makes sure the security story stands up to scrutiny.

How do you tie the work to assurance?

Every recommendation is framed as outcome: risk removed, controls met, compliance achieved. Many engagements find quick wins in the first weeks, and the larger gains show up as a credible programme, lower insurance premiums, and a security story that passes audit.

Can you support charities and non-profits?

Yes. Non-profits hold highly sensitive data and face the same threats as commercial organisations, often with fewer resources. Starkhorn works with charity clients, including a current engagement at Alzheimer's Society, and understands the governance, budget and stakeholder expectations specific to the sector.

How is this different from a consultancy or an MSP?

A consultancy delivers a report and leaves; an MSP has an interest in selling you more of its own tooling. This is independent, accountable security leadership, with no software commissions and no referral fees, accountable for the outcome and with nothing to sell you but the result.

Two Ways to Start

You already know something isn't right. The only question is what you do next.

Find out where you stand with a Technology Health Check

The Technology Health Check shows where your security and technology leadership has gaps, scored across eight dimensions with a one-line recommendation for each.

Book a conversation

A 15 minute conversation about your situation. We will tell you honestly whether we can help and what the first steps would look like. No pitch. No obligation.

Digital Disruption Digest

Weekly technology leadership insights. 
Read past editions →

What is a virtual CISO (vCISO)?

A virtual CISO (vCISO) is an experienced Chief Information Security Officer engaged on demand, part time or for a fixed period rather than as a permanent hire. The role delivers security strategy, governance, risk management and board level assurance, giving organisations senior cyber leadership without the cost of a full time executive.

Virtual CISO and CISO as a service: security leadership, not a SOC

Starkhorn's virtual CISO services and CISO as a service offering mean security leadership and governance: strategy, risk, policy, compliance and board reporting. This is information security leadership, not managed security operations. Starkhorn does not run a SOC, sell tooling or staff a 24/7 monitoring desk. The vCISO directs and assures your security, working with whichever operational providers you already use.

Dimension | vCISO (virtual CISO) | Full time CISO | Fractional / interim CISO
Engagement | On demand, part time or remote retainer | Permanent salaried executive | Ongoing share of time (fractional) or full time fixed term (interim)
Cost model | Monthly retainer or day rate | Salary plus on costs and notice | Retainer or day rate, scoped to the gap
Best for | Mid market and non profit needing board level security without full headcount | Large enterprises with constant in house security demand | Bridging a vacancy or scaling leadership gradually

Frequently asked questions

What does vCISO stand for?

vCISO stands for virtual Chief Information Security Officer. It is an experienced security leader engaged on demand, part time or for a fixed period, rather than as a permanent full time hire. The role covers security strategy, governance, risk and assurance, giving organisations senior cyber leadership without the cost of a salaried executive.

What does a virtual CISO do?

A virtual CISO sets and runs your security strategy: governance, risk management, policy, compliance, board reporting and incident readiness. They own the security roadmap, mature your controls and act as the senior point of accountability for cyber risk. Starkhorn delivers security leadership and governance, not a managed SOC, tooling or day to day operations.

What is the role of a vCISO?

The vCISO role is senior security leadership: owning cyber risk on behalf of the board, defining the security strategy and governance framework, and assuring controls against frameworks such as ISO 27001 or Cyber Essentials. They translate technical risk into commercial decisions, brief executives and trustees, and build lasting in house security capability rather than running operations.

What is a vCISO vs CISO?

A full time CISO is a permanent salaried executive carrying fixed cost and notice periods. A vCISO delivers the same strategic security leadership on demand, scaled to your need and budget, typically part time or for a defined engagement. For many mid sized and non profit organisations a vCISO gives board level security ownership without a full executive headcount.

What is the difference between a virtual CISO and a fractional CISO?

The terms overlap heavily and are often used interchangeably for part time security leadership. Fractional usually describes an ongoing share of a leader's time across clients, while virtual CISO emphasises remote, on demand engagement. Interim CISO covers a full time fixed term gap. For a fuller comparison of engagement models, see our interim versus fractional guide.

How much does a virtual CISO (vCISO) cost in the UK?

UK virtual CISO cost is usually a monthly retainer or day rate scaled to scope, sector and risk, rather than a fixed list price. A vCISO is materially cheaper than a permanent CISO salary plus on costs, because you buy only the leadership time you need. See our pricing page for how Starkhorn structures retainers and day rates.

Can AI replace a CISO?

No. AI can accelerate detection, triage and reporting, but it cannot own cyber risk, set strategy, make accountable judgement calls or answer to a board. The CISO role is leadership, governance and decision making under uncertainty. A vCISO uses AI as a tool while remaining the named human accountable for your security posture.