Fractional CISO · Virtual CISO

CISO-as-a-Service

Your expert CISO on a part-time basis. Governance, compliance, risk management, and DevSecOps — without the cost of a full-time hire.


A senior CISO costs €80-140k/year

Out of reach for most SMEs and startups that still face growing regulatory obligations.


NIS2, ISO 27001, GDPR are mandatory

Thousands of companies must appoint a CISO or strengthen their security governance by 2025-2026.


You need technical AND managerial skills

A technical consultant is not enough. A CISO must master strategy, compliance, reporting and tooling.

The Fractional CISO model gives you access to an experienced CISO for 2 to 5 days per month, exactly when you need it — at a fraction of the cost of a full-time hire.

Senior CISO expertise. Consultant flexibility. SME budget.

What I do for you

A complete CISO scope, tailored to your context.


Governance & Strategy

Setting up a security policy (ISMS), defining security strategy, board/COMEX reporting.

  • Security policy (ISMS) drafting & validation
  • Security KPIs & dashboard
  • Quarterly executive reporting
  • 12-24 month security roadmap

Risk Management

Risk mapping, EBIOS Risk Manager analysis, treatment plans and action tracking.

  • EBIOS Risk Manager / ISO 27005
  • Critical asset mapping
  • Risk treatment plans
  • Residual risk monitoring

Compliance & Audit

Support for NIS2, ISO 27001, GDPR, PCI-DSS — from initial audit to certification.

  • ISO 27001 / NIS2 gap analysis
  • Prioritised remediation plan
  • Certification support
  • Liaising with auditors and regulators

DevSecOps & Architecture

Architecture reviews, CI/CD pipeline hardening, Zero Trust, cloud security.

  • Security architecture review
  • DevSecOps pipeline hardening
  • Zero Trust & network segmentation
  • IAM/PAM, secrets management

Incident Response

Incident response plan (IRP), crisis exercises, forensics, and operational incident management.

  • IRP drafting and testing
  • Crisis simulation exercises
  • Forensics coordination
  • Crisis communication (CEO, legal, regulators)

Awareness & Training

Team awareness programme, developer training, security culture.

  • DevSecOps training for teams
  • Simulated phishing & awareness
  • Security metrics dashboards
  • Security culture and best practices

How it works

Fast start, structured, no bureaucracy.

01

Initial audit

2-3 days analysing your current security posture — systems, processes, compliance, teams.

02

Personalised roadmap

Deliverable: prioritised 6-12 month action plan with effort, cost, and impact for each action.

03

Implementation

Monthly execution — driving actions, technical reviews, workshops with teams.

04

Monitoring & Reporting

Monthly dashboard, quarterly report for leadership, continuous roadmap adjustment.

Offers & Pricing

Monthly retainer, no onboarding fee. Cancel with 30 days' notice.

Starter

Startups · SMEs < 50 people

€2,500 / month
  • 2 days / month
  • Initial security posture audit
  • Simplified ISMS policy
  • Monthly reporting (1 page)
  • Dedicated Slack/email
  • Ideal to start an ISO 27001 or NIS2 journey
Book a free diagnosis →
Recommended

Growth

SMEs · Scale-ups 50-250 people

€4,500 / month
  • 4 days / month
  • Everything in Starter +
  • ISO 27001 certification support
  • EBIOS risk management
  • Architecture & DevSecOps pipeline review
  • Quarterly board reporting
  • Incident response plan

Enterprise

Mid-market · Groups · Critical operators

Custom
  • 5+ days / month
  • Everything in Growth +
  • LPM / OIV / PCI-DSS compliance
  • Full-time CISO during critical months
  • Crisis management & forensics
  • Regulator interactions (ANSSI, CNIL)
  • Incident response SLA

All prices excl. VAT. Minimum 3-month engagement. Custom quote available for one-off engagements.

Why me?

DevSecOps engineer with hands-on experience in banking (BNP Paribas), asset management (Rivage Investment), and startups — I combine CISO-level vision with technical execution.

  • EPITA Paris — Expert in Cybersecurity & Systems Security
  • Experience in regulated environments: banking, FinTech, SaaS
  • Technical depth: Go, Python, Terraform, Vault, Kubernetes, AWS
  • Pragmatic approach: focus on ROI and regulatory quick wins
  • Bilingual FR/EN — comfortable with international teams and auditors
  • In progress: CISSP · ISO 27001 LA · OSCP
  • 4+ years in offensive security & DevSecOps
  • 10+ production systems secured
  • 6 industries: Banking · FinTech · SaaS · IoT · Marketing · Defence

Complementary service

Need technical DevSecOps execution?

CISO governance sets the direction. My DevSecOps-as-a-Service offering delivers the implementation: hardened pipelines, Zero Trust cloud, dynamic secrets — shipped to production.

View DevSecOps-as-a-Service →

Ready to structure your security?

A 30-minute call to understand your challenges and see if I can help — no commitment.

Book a free 30-min diagnosis →