Virtual CISO (vCISO) Services for Canadian SMBs
A vCISO gives a 10-to-150-user business a virtual chief information security officer without the $300,000 hire: security strategy, board-ready reporting, and a documented compliance roadmap. Fusion’s CEO holds the CISSP, the same credential your CISO would hold, and runs every fractional CISO engagement personally.
by Fusion’s CEO
What a free security discovery covers
A 30-minute discovery with a senior Canadian security lead. We’ll look at where your security program, compliance evidence, and board reporting are most exposed.
- ✓ An honest read on your security program, or the lack of one
- ✓ The frameworks your insurer, clients, or regulator actually ask about
- ✓ Your biggest governance and compliance gaps, ranked
Named one of Canada’s 50 Best Managed IT Companies two years running (2024 & 2025). 4.9/5 on Google.
What a vCISO does (and what it’s not)
A virtual CISO, or vCISO, is the executive who owns your security program: the strategy, the framework, the board narrative, and the response when something goes wrong. The fractional CISO is the person your insurer, your auditor, and your board call when they have a security question and need an answer in business language. It is security leadership on a fractional basis, not a senior engineer with a certificate.
A Fusion vCISO owns six things on your behalf: security strategy and program ownership, board and executive reporting, the compliance roadmap, incident response leadership, third-party and vendor risk, and the cyber-insurance evidence insurers ask for at renewal. One accountable owner, documented, signed, and dated.
What a vCISO is not:
- A 24/7 SOC, EDR, or managed detection and response service
- A help desk, a SOC analyst, or a penetration tester
- A one-time gap report you file and forget
Those sit underneath the vCISO program, not in place of it. If you need round-the-clock monitoring, that’s our managed cybersecurity service. If you need a one-time gap report, that’s our cybersecurity assessment. The vCISO is the executive who decides which of those investments you actually need.
According to the Canadian Centre for Cyber Security (2025), ransomware remains the top threat to Canadian organizations, and most SMB incidents trace back to missing governance: no risk register, no patch policy, no tested incident plan. A vCISO owns those programs, not just the tools. For a 10-to-150-user business, that is the gap: large enough to carry real security risk, too small to fund a full-time security executive.
Why Canadian SMBs hire a vCISO instead of building one in-house
A full-time CISO in Canada earns $250,000 to $450,000 in base, before bonus, equity, and benefits. The market is thin. Recruitment takes six to twelve months, and the pool of CISSP-credentialed security executives who will join a 10-to-150-person SMB is small enough that most Canadian businesses in this band never find one. Meanwhile, cyber-insurers and enterprise customers increasingly demand named security leadership. A vCISO supplies that accountable executive without the hire.
Most SMBs we talk to are doing one of three things right now:
- Stretching an IT manager into security ownership they aren’t trained for. IT operations and security strategy take different reflexes. Asking a sysadmin to lead a board security conversation isn’t a fair ask.
- Buying tools without a strategy underneath. EDR plus SIEM plus MFA plus DLP is a budget line. A program is the framework that decides which controls matter, in what order, against which risks.
- Waiting for a forcing function. An insurer questionnaire, a client SOC 2 demand, a ransomware near-miss, or a deal that won’t close without security documentation. By then the program has to be built in 60 days.
The vCISO model gives you the executive layer of a security program at roughly 15 to 30 percent of an in-house hire, available in weeks instead of quarters, with no recruiting risk, no turnover risk, and no single point of failure. You get a named, accountable security executive on a fractional basis, which is exactly what the “hire-or-go-without” choice fails to deliver for the mid-market.
What you get: deliverables and cadence
Every Fusion vCISO engagement comes with a defined set of monthly, quarterly, and annual deliverables. No mystery scope. No retroactive billing for “extra work.”
| Deliverable | Cadence | What it is |
|---|---|---|
| Security strategy & roadmap | 12-month plan, quarterly refresh | Risk-ranked priorities, control investments, and milestones tied to business outcomes. |
| Board-ready security report | Monthly | A two-to-four-page brief in plain financial language: posture, incidents, risks, and what changed. |
| Compliance evidence package | Annual + on demand | Mapped controls, signed policies, and audit-ready evidence for CIS Controls v8.1, NIST CSF, PIPEDA (private-sector), Ontario PHIPA, SOC 2, and OSFI E-21 where it applies. We map the two or three frameworks your customers or regulators actually ask about, not all of them. |
| IR plan + tabletop exercise | Annual tabletop, IR retainer | A documented incident response plan and a live tabletop with leadership to test it. Named retainer leadership when an incident fires, on a 1-hour critical response. |
| Vendor risk program | Quarterly reviews | Third-party inventory, risk tiering, security clauses in contracts, and an onboarding workflow for new SaaS. |
| Policy library maintenance | Annual review | Acceptable use, access control, data handling, BYOD, incident response, and business continuity, reviewed, signed, and dated. |
| Cyber-insurance & awareness | Renewal + quarterly | Insurer questionnaires completed, MFA and EDR evidence, backup attestation, plus a security-awareness training and phishing-simulation cadence: the human-layer evidence insurers and auditors now require. |
Everything is written down. Nothing lives in a single engineer’s head, so the program survives staff changes on either side. For the hands-on, CISSP-led detection-and-response program underneath the vCISO, see our managed cybersecurity services.
How a Fusion vCISO engagement starts
No long sales cycle, no surprise scope. Three steps from first call to operating cadence.
Discovery (week 1)
A 30-minute conversation, then a working session to map your current state: what tools, which frameworks apply, what your insurer, clients, and regulators are asking for, and where the program has gaps. You walk out with a written summary whether or not we work together.
90-day plan (weeks 2–4)
A documented security strategy, control roadmap, framework scope, board-reporting template, and IR plan first draft. Priorities ranked by risk, mapped to dollars. You approve before anything ships.
Operating cadence (month 2 on)
Monthly board report, monthly working session with leadership, quarterly business review, annual tabletop, and an ongoing IR retainer. We meet the cadence whether the month was quiet or noisy.
Field note from Mike
The first month of most vCISO engagements is undoing the wrong framework. A program I inherit has usually been mapped to whatever a vendor was selling, with evidence collected on the wrong cadence. Wrong framework, wrong evidence, wrong reporting rhythm is the most common failure mode I see. The 90-day plan is the deliverable that makes the program real, not the contract.
Mike Pearlstein, CISSP, CEO and CISO of Fusion Computing.
vCISO vs vCIO vs in-house CISO
These three roles aren’t interchangeable. Most SMBs need one. Some need two. Very few need all three. A vCISO owns security; a vCIO owns IT strategy, vendors, and budget; an in-house CISO does both, full time.
| Factor | vCISO (Fusion) | vCIO (Fusion) | In-house CISO |
|---|---|---|---|
| Primary focus | Security strategy, compliance, IR | IT strategy, vendors, budget | Security strategy + day-to-day program ownership |
| Typical cost | $2,000–$5,000 / month | Monthly retainer by scope | $250K–$450K base + benefits |
| Time to start | 2 weeks | 2 weeks | 6–12 months |
| Board reporting | Monthly, in business language | Quarterly, technology + budget | Monthly, depending on culture |
| Compliance ownership | Yes, primary owner | No, consulted | Yes, primary owner |
| Incident response | Yes, named retainer lead | No, not the IR seat | Yes, on the bridge in real time |
| Turnover risk | Low, team-backed | Low, team-backed | High, CISO tenure averages 18–26 months |
| Best for | 10–150 employees needing security exec leadership without the hire | 10–150 employees needing IT strategy and vendor oversight | 200+ employees in regulated industries with full-time program load |
The common pattern at 30 to 150 employees: a vCISO for the security program, managed cybersecurity for the 24/7 detection and response underneath, and a vCIO if there’s no internal IT leader. Three roles, one Canadian partner, well under one full-time hire.
vCISO pricing
Fusion’s vCISO engagements run a flat monthly retainer, not a per-user fee. Strategic security leadership doesn’t scale with headcount the way a help desk does. We don’t bill by the hour and we don’t bill for “extras.” The scope is what we agree on; the cadence is what we deliver.
Monthly retainer
$2,000–$5,000/month
Scoped to your team size, regulatory exposure, and how mature your existing security program is. We quote a fixed monthly number after discovery, not a range.
That retainer includes:
- Board-ready security report, monthly
- Strategic working session, monthly
- Quarterly business review
- Vendor risk reviews, quarterly
- Annual IR tabletop and plan refresh
- Annual policy library review
- Compliance evidence package
- Named IR retainer when an incident fires
Pricing scales with three things: headcount (a 30-person firm and a 130-person firm carry different program loads), regulatory exposure (PHIPA plus SOC 2 plus cyber insurance is more program than PIPEDA alone), and existing maturity (a green field is more effort in month one; a documented program is less). The vCISO bundles cleanly with managed cybersecurity and managed IT, or works alongside co-managed IT when you have an internal lead.
Fixed monthly fee after discovery, no hourly billing. Call (416) 566-2845.
Who we serve as vCISO
Some sectors carry a non-negotiable compliance load. Others have client-driven security demand. Fusion’s vCISO practice goes deepest where the regulatory or contractual pressure is highest, and the roadmap looks different inside a law firm than a clinic or a manufacturer.
Industries we go deepest in
- Legal firms: solicitor-client privilege, PIPEDA, law-society records retention
- Finance and wealth management: heaviest cyber-insurance scrutiny of any sector
- Healthcare and dental: Ontario PHIPA, agent agreements, IPC breach notification
- Manufacturing: OT/IT boundary, supply-chain access, customer security questionnaires
What usually forces the conversation
- A cyber-insurance renewal questionnaire you can’t answer
- A client demanding SOC 2 or documented security posture
- A ransomware near-miss that exposed the governance gap
- A deal or audit that won’t close without named security leadership
We also serve professional services, construction, non-profits, and design firms as vCISO, usually triggered by one of those four.
Strategic work, board reporting, and compliance evidence are delivered remotely nationwide, from three regional offices in Toronto, Hamilton, and Metro Vancouver, with on-site tabletop exercises and board meetings across those regions on request.
Security leadership, on the record
Most fractional CISO offers hand you an account manager. Fusion’s vCISO is Mike Pearlstein, CISSP and CEO of Fusion Computing, who has run a Canadian MSP since 2012 and holds the same credential your CISO would. That matters because the person setting your security strategy is the same person who can read an EDR alert, brief your board on an incident, and sign off on the compliance evidence your insurer wants.
“Most SMBs do not need a full-time CISO, they need CISO decisions made consistently. The failure mode I see is a company that bought tools but never assigned anyone to own risk, so nothing gets prioritized until an incident forces it. A vCISO is the accountable adult in the room who decides what gets fixed first and can defend that decision to an auditor.”
CISSP, not a generalist
The Certified Information Systems Security Professional designation (ISC2) is the global benchmark for senior security practitioners, and it’s the same credential a hired CISO carries. Mike holds it personally and runs every vCISO engagement, which is exactly what regulators, insurers, and enterprise clients expect to see.
Proof, not adjectives
Named one of Canada’s 50 Best Managed IT Companies two years running (2024 and 2025). 4.9/5 on Google. Independent, peer-reviewed recognition of service quality and client outcomes.
Board-level fluency
Mike translates technical risk into governance language a board can act on, with an MSc in Computer Science (AI) behind the analysis. The monthly report your directors read is written for them, not for engineers.
Canadian-owned since 2012
Three regional offices in Toronto, Hamilton, and Metro Vancouver, with Canadian data residency and CIS Controls v8.1 alignment mapped to PIPEDA, Ontario PHIPA, and SOC 2 for regulated clients.
What our vCISO clients say
“Our insurer was about to non-renew unless we could show a documented security program. Fusion’s vCISO put together our compliance evidence package in six weeks, walked our broker through the questionnaire line by line, and we kept our coverage at the same premium. The board now gets a one-page security report every month and we finally know where we stand.”
“We had three different vendors telling us we needed three different things. The Fusion vCISO sorted out which ones actually mattered for PHIPA and PIPEDA, killed two contracts we didn’t need, and gave us a 90-day plan with priorities ranked by risk. First time security has felt like a program instead of a fire drill.”
vCISO services FAQ
Answers from our CISSP-led security team. Need more detail? Book a 30-minute discovery and we’ll walk through your specific situation.
What is the difference between a vCISO and a vCIO?
A vCISO owns security strategy, compliance, board security reporting, and incident response leadership. A vCIO owns IT strategy, vendor management, technology roadmap, and budget planning. They’re complementary, not substitutes. Most clients with 50+ employees in regulated industries end up with both. For the IT-strategy role, see our vCIO services.
How is a vCISO different from managed cybersecurity or an MSSP?
Managed cybersecurity is the operational layer: 24/7 monitoring, EDR, SIEM, incident handling, patching, hardening. A vCISO is the executive layer above it, deciding which controls you need, mapping them to frameworks, reporting to the board, and owning compliance evidence. You can run managed cybersecurity without a vCISO, and many businesses do. You can’t run a documented security program without one.
Is the vCISO actually CISSP-credentialed?
Yes. Fusion’s CEO, Mike Pearlstein, personally holds the CISSP credential and runs every vCISO engagement. That’s the same credential your CISO would hold. The wider security practice is CISSP-led under his oversight, which is what regulators, insurers, and enterprise clients expect to see in a vCISO arrangement.
Does the vCISO handle cyber-insurance renewals?
Yes. Cyber-insurance support is a standard part of every vCISO engagement. We complete the insurer questionnaire, prepare the evidence package (MFA coverage, EDR deployment, backup attestation, training records, IR plan), and walk your broker through it line by line. Several clients have kept coverage at the same premium where they were facing non-renewal before engaging a vCISO.
Can Fusion’s vCISO get us to SOC 2 Type II?
Yes, through readiness. Fusion isn’t a SOC 2 auditor, because no firm can both attest and audit. Our vCISO handles trust services criteria scoping, control implementation, evidence collection, and pre-audit readiness, then liaises with your chosen independent CPA firm through the observation window. Most SOC 2 Type II programs run 9 to 14 months end to end, depending on maturity at kickoff.
Where does Fusion deliver vCISO services?
Across Toronto and the GTA, Hamilton and Burlington, and Metro Vancouver, with remote delivery available nationally. Strategic work, board reporting, and compliance evidence are delivered remotely, with on-site availability in our three regions when an engagement calls for it. Tabletop exercises and board meetings are the typical on-site sessions. Bill C-27 is still proposed and not yet enacted, so we plan around the frameworks that apply to your sector today.
Get a vCISO without hiring one
Tell us your team size, your current security setup, and what’s forcing the conversation: insurer, client, regulator, near-miss, or growth. A senior security lead will tell you whether a vCISO is the right fit and what it would cost. No pressure, no strings.
Where does your security program need a senior hand?
Tell us what’s going on and a senior security lead will follow up within 1 business day. Fusion’s vCISO is best fit for Canadian businesses with 10 to 150 employees that need executive security leadership, not one-time fixes.