CISO-as-a-Service
Your expert CISO on a part-time basis. Governance, compliance, risk management, and DevSecOps — without the cost of a full-time hire.
A senior CISO costs €80-140k/year
Out of reach for most SMEs and startups that still face growing regulatory obligations.
NIS2, ISO 27001, GDPR are mandatory
Thousands of companies must appoint a CISO or strengthen their security governance by 2025-2026.
You need technical AND managerial skills
A technical consultant is not enough. A CISO must master strategy, compliance, reporting and tooling.
The Fractional CISO model gives you access to an experienced CISO, 2 to 5 days per month, exactly when you need it — at a fraction of a full-time hire.
Senior CISO expertise. Consultant flexibility. SME budget.
What I do for you
A complete CISO scope, tailored to your context.
Governance & Strategy
Setting up a security policy (ISMS), defining security strategy, board/COMEX reporting.
- Security policy (ISMS) drafting & validation
- Security KPIs & dashboard
- Quarterly executive reporting
- 12-24 month security roadmap
Risk Management
Risk mapping, EBIOS Risk Manager analysis, treatment plans and action tracking.
- EBIOS Risk Manager / ISO 27005
- Critical asset mapping
- Risk treatment plans
- Residual risk monitoring
Compliance & Audit
Support for NIS2, ISO 27001, GDPR, PCI-DSS — from initial audit to certification.
- ISO 27001 / NIS2 gap analysis
- Prioritised remediation plan
- Certification support
- Liaising with auditors and regulators
DevSecOps & Architecture
Architecture reviews, CI/CD pipeline hardening, Zero Trust, cloud security.
- Security architecture review
- DevSecOps pipeline hardening
- Zero Trust & network segmentation
- IAM/PAM, secrets management
Incident Response
Incident response plan (IRP), crisis exercises, forensics, and operational incident management.
- IRP drafting and testing
- Crisis simulation exercises
- Forensics coordination
- Crisis communication (CEO, legal, regulators)
Awareness & Training
Team awareness programme, developer training, security culture.
- DevSecOps training for teams
- Simulated phishing & awareness
- Security metrics dashboards
- Security culture and best practices
How it works
Fast start, structured, no bureaucracy.
Initial audit
2-3 days analysing your current security posture — systems, processes, compliance, teams.
Personalised roadmap
Deliverable: prioritised 6-12 month action plan with effort, cost, and impact for each action.
Implementation
Monthly execution — driving actions, technical reviews, workshops with teams.
Monitoring & Reporting
Monthly dashboard, quarterly report for leadership, continuous roadmap adjustment.
Offers & Pricing
Monthly retainer, no onboarding fee. Cancel with 30 days' notice.
Starter
Startups · SMEs < 50 people
- ✓ 2 days / month
- ✓ Initial security posture audit
- ✓ Simplified ISMS policy
- ✓ Monthly reporting (1 page)
- ✓ Dedicated Slack/email
- ✓ Ideal to start an ISO 27001 or NIS2 journey
Growth
SMEs · Scale-ups 50-250 people
- ✓ 4 days / month
- ✓ Everything in Starter +
- ✓ ISO 27001 certification support
- ✓ EBIOS risk management
- ✓ Architecture & DevSecOps pipeline review
- ✓ Quarterly board reporting
- ✓ Incident response plan
Enterprise
Mid-market · Groups · Critical operators
- ✓ 5+ days / month
- ✓ Everything in Growth +
- ✓ LPM / OIV / PCI-DSS compliance
- ✓ Full-time CISO during critical months
- ✓ Crisis management & forensics
- ✓ Regulator interactions (ANSSI, CNIL)
- ✓ Incident response SLA
All prices excl. VAT. Minimum 3-month engagement. Custom quote available for one-off engagements.
Why me?
DevSecOps engineer with hands-on experience in banking (BNP Paribas), asset management (Rivage Investment), and startups — I combine CISO-level vision with technical execution.
- ✓ EPITA Paris — Expert in Cybersecurity & Systems Security
- ✓ Experience in regulated environments: banking, FinTech, SaaS
- ✓ Technical depth: Go, Python, Terraform, Vault, Kubernetes, AWS
- ✓ Pragmatic approach: focus on ROI and regulatory quick wins
- ✓ Bilingual FR/EN — comfortable with international teams and auditors
- ✓ In progress: CISSP · ISO 27001 LA · OSCP
Need technical DevSecOps execution?
CISO governance sets the direction. My DevSecOps-as-a-Service offering delivers the implementation: hardened pipelines, Zero Trust cloud, dynamic secrets — shipped to production.
Ready to structure your security?
A 30-minute call to understand your challenges and see if I can help — no commitment.
Book a free 30-min diagnosis →