Who it’s for
CISOs, CTOs, COOs, and boards at regulated fintech operators who need board-level security leadership without the cost — or wait time — of a permanent CISO hire.
Outcome
- A working ISMS mapped to the regulator(s) you serve, audit-ready by design
- A monthly board pack that translates security posture into the language a CFO or audit committee can act on the same week
- A vendor / ICT third-party risk register that satisfies DORA Article 28 and the equivalent FCA / PRA expectations
- A 90-day plan updated every quarter, anchored to your business priorities
- A ready-to-hire spec when you’re ready to bring the role in-house
Typical pattern across prior engagements: vCISO programmes have stood up audit-ready ISMSes inside 26 weeks with zero major non-conformities at first certification.
Operating model
We act as your CISO inside your environment, with named coverage from one of our senior practitioners. We attend your security forum, your risk committee, and your board sessions. We hold the pen on the ISMS. We hold the relationships with auditors, regulators, and key vendors. We stay narrow on what we don’t do (see “What’s NOT in scope” below) and tell you up front when you need a different kind of partner.
Engagement length & shape
- Initial scope: 8 weeks. By the end of week 8 you have an ISMS skeleton, a 90-day plan, and a board pack template.
- Retainer: monthly thereafter, typically 1.5 days/week with monthly board cadence.
- Exit ramp: when you hire a permanent CISO, we transition cleanly with a 4-week shadowing period and an exit pack of artefacts.
We needed AI guardrails that the board could understand and the engineering team could ship. Salvador Cloud delivered both.
What's NOT in scope
- Penetration testing (we recommend partners)
- Forensic incident response (we partner with specialist firms)
- Mass-market awareness training (we focus on board + senior leadership)
Anonymised case study
See how this service plays out in practice.
Read the case study →
Frequently asked
We already have a CISO. Why would we engage a vCISO?
Most of our vCISO engagements augment an existing security leader rather than replace one. Common patterns: covering parental leave, providing board-ready depth on a specific regulator (DORA, PCI DSS v4, ICO), acting as a sparring partner during a high-stakes programme, or taking the ISMS pen so the in-house CISO can focus on people and budget.
How is this different from Big-4 advisory?
Big-4 advisory tends to deliver against a defined statement of work with a pyramid team. We work as a small senior team and we hold the pen on the ISMS itself, not just the report. Every engagement is led by someone who has been the accountable security owner inside a regulated business — not just diagrammed it.
What's the engagement risk if it doesn't work?
Initial scope is 8 weeks, monthly retainer thereafter. By the end of week 8 you have an ISMS skeleton, a 90-day plan, and a board pack template — concrete artefacts you keep regardless of whether you continue. There is no long lock-in.
Who else have you worked with?
Engagements have spanned regulated UK fintech, consumer finance, energy market operations, and APAC crypto custody. All current and past clients are NDA-bound; descriptions on this site are anonymised by design. The list of organisations we have worked with appears on the About page; what specific work we did for whom is private.
When you exit, what's left behind?
A working ISMS, a 90-day plan refreshed each quarter, a board pack template, a vendor risk register that satisfies DORA Article 28, and a ready-to-hire spec for the permanent CISO role when you're ready to bring it in-house. Exit includes a 4-week shadowing period.
What's NOT in scope?
Penetration testing (we recommend partners), forensic incident response (we partner with specialist firms), and mass-market awareness training (we focus on the board and senior leadership). We tell you up front when you need a different kind of partner.
Next step
Ready to scope this engagement?
No proposals, no pitching. We'll diagnose, scope, and price up front.