vCISO Services for BC, Alberta and Yukon
A virtual CISO gives your organisation a named security leader without a $200,000 salary. Strategy, risk, policy, insurance paperwork, incident response, and board reporting, all owned by one accountable person. Delivered from Prince George, serving businesses across BC, Alberta, and Yukon.
What a vCISO actually does.
Not a title on a slide deck. These are the deliverables a vCISO owns, month in and month out. If a provider cannot show you these, you are buying a label.
Security strategy and roadmap.
A rolling 12 to 24 month security plan tied to your business risk, not a vendor's product list. Reviewed every quarter and rewritten when your business changes, not when the calendar says so.
A risk register you actually use.
A living, ranked list of your real security risks, each with an owner and a decision: fix it, accept it, or insure it. Most businesses under 200 users have never written one down. It changes every conversation after that.
Policy ownership.
Acceptable use, access control, incident response, data handling. Written for your actual operation, kept current, and enforced through Entra ID and Intune instead of sitting in a binder nobody opens.
Cyber insurance questionnaires.
We own the renewal questionnaire, answer it truthfully, and close the gaps that could void a claim. MFA, EDR, tested backups, and the evidence behind every checkbox your broker asks about.
Board and insurer reporting.
Quarterly reports in plain language: what changed, what it cost, what risk remains. Numbers a non-technical board, council, or broker can actually act on.
Incident response leadership.
When something goes wrong, the vCISO runs the response. Containment calls, PIPEDA breach notification decisions, insurer contact, and the honest post-incident review that stops it happening twice.
Vendor security review.
Before you sign with a new SaaS tool or supplier, we review their security posture and contract terms. After you sign, we track what they can access and whether they still deserve it.
Compliance program ownership.
PIPEDA and BC PIPA obligations, and SOC 2 readiness when your customers demand it. Someone owns the program, tracks the evidence, and keeps it moving between audits. See our compliance services.
vCISO vs vCIO. Not the same job.
Technology direction.
The vCIO answers "where should our technology go and what should it cost?" Budgets, roadmaps, vendor decisions, build vs buy. It is a planning and spending role. We explain it fully in our vCIO guide.
Security accountability.
The vCISO answers "what could hurt us, and who is accountable if it does?" Risk, policy, compliance, and incident command. When the insurer or the privacy commissioner calls, this is the person who picks up.
When one person wears both hats.
Under about 50 users, one advisor often covers both roles, and that is fine. The roles split when insurance, regulators, or a board start asking security questions the technology roadmap cannot answer. Our advisory practice covers both sides.
vCISO vs hiring a full-time CISO.
A full-time CISO in Canada commonly runs $180,000 to $250,000 or more per year in total compensation, salary surveys vary. That is before recruiting costs and the six months it takes to find one willing to work outside a major metro.
A 60-person company cannot keep one busy.
A full-time CISO at a 25 to 200 user organisation spends most of their week on work a security engineer or an MSP should be doing. You pay executive rates for operational tasks, and the good ones get bored and leave.
Same decisions, fraction of the cost.
The strategic decisions a CISO makes, risk acceptance, policy, insurance posture, incident command, take hours per month, not forty per week. A fractional arrangement buys the decisions without the idle time.
There is a crossover point.
Heavily regulated, several hundred users, or security is your product: hire full-time. A good vCISO tells you when you have outgrown them and helps you write the job posting. We would rather lose the engagement than hold you back.
Who needs a vCISO. And who doesn't.
You probably need one if...
- You handle regulated or sensitive data: health, financial, legal, or personal information under PIPEDA or BC PIPA
- Your cyber insurance renewal questionnaire gets harder every year and premiums are climbing
- You have 25 to 200 users and no one formally owns security
- A board, council, or parent company expects someone to answer for security by name
- Customers or partners are asking for SOC 2 or security attestations before they sign
You probably don't, yet, if...
You run a 10-person shop and the basics are not in place. Strategy before fundamentals is paying someone to tell you what you already know. Get MFA on everything, EDR on every device, tested backups, and patching handled first. That is what our cybersecurity services and lower managed tiers are for. Come back for the vCISO when the fundamentals are boring.
Included in CIS-Aligned. Or standalone.
Two ways to buy it, both with the same deliverables and the same person accountable.
Built into the CIS-Aligned tier.
Our top managed tier includes the full vCISO function: quarterly board reporting, a maintained risk register, policy ownership, insurance questionnaire ownership, and annual penetration testing coordination. Priced per user per month, published openly on our pricing page.
Keep your IT, add the leadership.
If you have in-house IT or another MSP you like, we deliver vCISO as standalone advisory. We set direction, verify the work got done, and report to your board. Scoped and quoted per engagement, because a 30-user law firm and a 150-user manufacturer are not the same job.
Western Canada is our beat.
We are founder-led out of Prince George and Canadian-staffed. We know what cyber insurance brokers are asking BC and Alberta businesses this year, what PIPEDA notification actually requires, and what it means to run security for operations a long way from a big-city talent pool.
Find out what a vCISO would fix first.
Book a free assessment. We will look at your environment, your insurance questionnaire, and your obligations, then tell you honestly whether you need a vCISO or just the fundamentals.
Book a Free Assessment Back to AdvisoryFrequently asked questions
What is a vCISO?
A vCISO, or virtual Chief Information Security Officer, is a senior security leader who works for your business part-time. They own security strategy, the risk register, policies, incident response, and reporting to your board and insurer. You get named accountability for security without hiring a full-time executive.
What is the difference between a vCISO and a vCIO?
A vCIO owns technology direction: budgets, roadmaps, and vendor decisions. A vCISO owns security accountability: risk, policy, compliance, and what happens when something goes wrong. Many businesses under 50 users start with one advisor covering both, then split the roles as insurance and compliance demands grow.
What does a vCISO cost in Canada?
Standalone fractional arrangements vary widely by scope, from a few thousand dollars a month for quarterly-cadence advisory to considerably more for regulated industries with heavy compliance loads. North Star includes vCISO services in our CIS-Aligned managed tier, priced per user per month. If you want a standalone engagement, tell us your situation and we will give you a scoped quote instead of a vague range.
Does a small business need a vCISO?
Usually not first. A 10-person shop gets more protection per dollar from the fundamentals: MFA on everything, EDR, tested backups, and patching. A vCISO starts earning its cost around 25 users, or earlier if you handle regulated data, face hard cyber insurance questionnaires, or answer to a board.
Is a vCISO enough to get SOC 2 certified?
A vCISO is the right person to run a SOC 2 program, but not the whole answer. You still need the controls implemented, evidence collected over the audit period, and an accredited audit firm to issue the report. Our vCISO service handles readiness, control ownership, and auditor coordination. Budget 6 to 12 months from a standing start.
Who does the security work, the vCISO or our IT team?
The vCISO decides and verifies; your IT team, or ours, implements. If you are on our CIS-Aligned managed tier the same company does both, with the vCISO function holding the technical team accountable. In standalone engagements we direct your in-house IT or your current MSP and report on whether the work actually got done.