
An external Chief Information Security Officer, on demand: strategic and operational cybersecurity support for your organisation, without the cost of a full-time internal hire.

Context
Thinking App's Virtual Chief Information Security Officer (vCISO) service gives organisations access to expert cybersecurity leadership without hiring a dedicated internal figure. The vCISO acts as an extension of the company's management, supporting risk assessment, the definition of mitigation strategies, and coordination across the roles involved in information security: IT, the DPO, the supervisory board, and the board of directors. The service is designed for organisations that need to improve their security posture, align with the NIS2 Directive, and implement the NIST Cybersecurity Framework controls selected by the Italian national cybersecurity agency (ACN). It covers six operational areas: governance and policy, risk assessment and compliance, operational and infrastructure security, incident response and business continuity, staff training and awareness, and third-party security management.



Service definition
The service was born from the recognition that many organisations, particularly mid-sized ones, cannot afford a full-time CISO but still need expert guidance on information security. The goal was to build a flexible, modular offering that brings enterprise-level expertise to organisations that lack the resources to internalise it, with an engagement level calibrated to each client's actual needs.
Service structure
The service is organised across six complementary areas. Governance covers the definition and annual review of the cybersecurity strategy and operational policies, aligned with NIS2, GDPR, and ACN/AgID guidelines. Risk assessment involves analysing the results of an existing Cyber Risk Assessment and building a prioritised remediation plan from them. Operational security includes oversight of network, system, and endpoint security, verification of IAM policies, and coordination of the annual Vulnerability Assessment cycle. Incident response takes the form of a fully developed Incident Response Plan built according to the NIST incident response framework, ISO 27035, and ACN guidelines. Training covers security awareness sessions and simulated phishing campaigns. Third-party security management includes assessing the security posture of key partners and suppliers and reviewing the security and privacy clauses in their contracts.


Service delivery
The service is delivered primarily remotely, with an average commitment of 2-3 days per month. It includes periodic video sessions with management and the IT team; ongoing documentation drafting, risk analysis, and supplier coordination; availability during working hours, with extended reachability in the event of critical incidents; and semi-annual and annual security status reporting. On-site presence can be arranged on request.
Activation and operations
The service begins with a dedicated onboarding phase to gather organisational context, review existing documentation, and define intervention priorities. From there, work proceeds incrementally, progressively building a solid governance foundation, documented processes, and a measurable, continuously improving security posture.


vCISO / Security Strategist
Cybersecurity Consultant


