vCTO/vCISO Engagement SOP
Standard Operating Procedure for Virtual CTO and Virtual CISO Services
Service Type: Plan (vCTO) | Protect (vCISO)
Typical Duration: Ongoing monthly retainer
Primary Deliverable: Monthly strategic report + ongoing advisory
1. Service Overview
1.1 Service Definition
SBK's vCTO and vCISO services provide fractional executive leadership for organizations that need strategic technology or security guidance without the cost of a full-time hire.
vCTO (Virtual Chief Technology Officer):
- Technology strategy and roadmap development
- Vendor evaluation and selection oversight
- Digital transformation leadership
- IT budget optimization
- Executive-level technology decisions
vCISO (Virtual Chief Information Security Officer):
- Security program development and oversight
- Compliance framework implementation
- Risk assessment and management
- Security policy development
- Incident response leadership
1.2 Target Client Profile
| Criteria | Ideal Fit |
|---|---|
| Company Size | 50-300 employees |
| IT Staff | 0-3 internal IT resources |
| Primary Need | Strategic guidance without full-time executive cost |
| Decision Timeline | Active initiative within 90 days |
| Budget Authority | CFO/CEO engaged in technology decisions |
1.3 Pricing Structure
Note: Pricing reflects NYC metropolitan market rates. See Pricing & Positioning for the complete rate card, industry benchmarks, and internal target pricing.
Usage: The tables below show [EXTERNAL] sales language. For [INTERNAL] target ranges, see the Pricing & Positioning document.
vCTO Tiers:
| Tier | Hours/Month | [EXTERNAL] Sales Language | Best For |
|---|---|---|---|
| Standard | 8-12 hours | Starting at $6,000/month | 50-150 employees |
| Professional | 16-20 hours | Starting at $10,000/month | 150-300 employees |
| Enterprise | 24+ hours | Starting at $15,000/month | 300-500 employees |
| On-Demand | As needed | Starting at $275/hour | Project-specific needs |
vCISO Tiers:
| Tier | Hours/Month | [EXTERNAL] Sales Language | Best For |
|---|---|---|---|
| Standard | 10-15 hours | Starting at $7,500/month | 50-150 employees |
| Professional | 20-25 hours | Starting at $12,500/month | 150-300 employees |
| Enterprise | 30+ hours | Starting at $18,000/month | 300-500 employees |
| On-Demand | As needed | Starting at $350/hour | Project-specific needs |
2. Engagement Lifecycle
2.1 Phase Overview
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ DISCOVERY │ → │ ONBOARD │ → │ MONTHLY │ → │ REVIEW │
│ (Week 0) │ │ (Week 1-2) │ │ (Ongoing) │ │ (Quarterly) │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
2.2 Phase 1: Discovery (Pre-Engagement)
Duration: 1-2 meetings
Owner: Account Manager + Senior Consultant
Activities:
1. Initial needs assessment call (30-60 min)
2. Document current technology/security state
3. Identify immediate pain points and priorities
4. Define success metrics with stakeholders
5. Confirm engagement tier and scope
Discovery Questions:
- What technology/security decisions are you facing in the next 90 days?
- Who currently makes technology decisions, and how?
- What's your biggest technology frustration right now?
- Have you had any security incidents or close calls?
- What compliance requirements apply to your business?
Gate G1 Checklist:
- [ ] Signed engagement letter/SOW
- [ ] Point of contact identified
- [ ] Meeting cadence agreed
- [ ] Communication channels established
- [ ] Initial priorities documented
2.3 Phase 2: Onboarding (Weeks 1-2)
Duration: 2 weeks
Owner: Assigned vCTO/vCISO
Week 1: Assessment
| Day | Activity | Output |
|---|---|---|
| 1-2 | Environment documentation | Technology inventory |
| 2-3 | Stakeholder interviews | Priority matrix |
| 3-4 | Current state analysis | Gap assessment |
| 4-5 | Quick wins identification | 30-day action plan |
Week 2: Planning
| Day | Activity | Output |
|---|---|---|
| 1-2 | Strategic roadmap draft | 12-month roadmap |
| 2-3 | Budget review | Cost optimization opportunities |
| 3-4 | Risk assessment | Risk register |
| 4-5 | Executive presentation | Onboarding report |
Onboarding Deliverables:
1. Current State Assessment (5-10 pages)
2. 12-Month Strategic Roadmap
3. Risk Register with Mitigation Recommendations
4. 30-Day Quick Wins Action Plan
5. Recommended Meeting Cadence
Gate G2 Checklist:
- [ ] Onboarding report delivered
- [ ] Client sign-off on roadmap
- [ ] Monthly cadence confirmed
- [ ] Success metrics baselined
2.4 Phase 3: Monthly Engagement Cycle
Standard Monthly Rhythm (8-hour tier example):
| Week | Focus Area | Activities | Hours |
|---|---|---|---|
| 1 | Strategy | Roadmap progress review, priority adjustment | 2 |
| 2 | Vendor Management | Vendor reviews, contract negotiations, selections | 2 |
| 3 | Executive Translation | Board prep, stakeholder communication, education | 2 |
| 4 | Decision Support | Tactical decisions, ad-hoc requests, planning | 2 |
Monthly Deliverables:
1. Executive Summary Report (2-3 pages)
   - Progress against roadmap
   - Key decisions made
   - Risks and recommendations
   - Next month priorities
2. Meeting Minutes from all sessions
3. Action Item Tracker (shared document)
2.5 Phase 4: Quarterly Business Review (QBR)
Duration: 90 minutes
Attendees: vCTO/vCISO, Client Leadership, Account Manager
QBR Agenda:
1. Quarter accomplishments review (15 min)
2. Metrics and KPI assessment (15 min)
3. Roadmap progress and adjustments (20 min)
4. Next quarter priorities (20 min)
5. Engagement satisfaction feedback (10 min)
6. Open discussion (10 min)
QBR Deliverables:
- Quarterly Performance Report
- Updated 12-Month Roadmap
- Next Quarter Action Plan
3. Service-Specific Procedures
3.1 vCTO-Specific Activities
Technology Strategy:
- Annual technology strategy development
- Digital transformation planning
- Build vs. buy analysis
- Technology stack rationalization
Vendor Management:
- RFP development and evaluation
- Contract review and negotiation support
- Vendor performance monitoring
- Renewal decision support
Budget Optimization:
- IT budget review and recommendations
- Cost reduction opportunity identification
- ROI analysis for technology investments
- Licensing optimization
Executive Communication:
- Board presentation preparation
- Technology update briefings
- Risk communication to leadership
- Investment justification support
3.2 vCISO-Specific Activities
Security Program Development:
- Security policy creation/updates
- Security awareness program design
- Incident response plan development
- Business continuity planning
Compliance Management:
- Framework gap assessments (HIPAA, SOC 2, etc.)
- Compliance roadmap development
- Audit preparation support
- Evidence collection guidance
Risk Management:
- Risk assessments and registers
- Vulnerability management oversight
- Third-party risk evaluation
- Security metrics development
Incident Response:
- IR plan development and testing
- Incident response leadership (if needed)
- Post-incident analysis
- Lessons learned documentation
4. Communication Standards
4.1 Meeting Cadence
| Meeting Type | Frequency | Duration | Participants |
|---|---|---|---|
| Weekly Check-in | Weekly | 30 min | vCTO/vCISO + Primary Contact |
| Monthly Review | Monthly | 60 min | vCTO/vCISO + Leadership |
| QBR | Quarterly | 90 min | Full Team + Account Manager |
4.2 Response Time SLAs
| Priority | Description | Response Time | Resolution Time |
|---|---|---|---|
| Critical | Security incident, major outage | 2 hours | Best effort |
| High | Urgent decision needed | 4 hours | 24 hours |
| Medium | Standard requests | 1 business day | 3 business days |
| Low | Non-urgent inquiries | 2 business days | 1 week |
4.3 Communication Channels
| Channel | Use Case |
|---|---|
| | Formal communications, documentation |
| Phone/Video | Scheduled meetings, urgent matters |
| Shared Workspace | Document collaboration, action tracking |
| Ticketing | Service requests, issue tracking |
5. Deliverable Standards
5.1 Document Templates
All deliverables follow SBK brand standards:
- Executive Summary: 2-3 pages, bullet-focused, clear recommendations
- Assessment Report: 10-20 pages, detailed findings, prioritized recommendations
- Roadmap: Visual timeline with quarterly milestones
- Risk Register: Standardized format with likelihood/impact scoring
5.2 Quality Checklist
Before client delivery:
- [ ] Peer review completed (G3)
- [ ] Grammar and formatting verified
- [ ] Data accuracy validated
- [ ] Recommendations are actionable
- [ ] SBK branding applied
- [ ] Client context considered
6. Handoff Procedures
6.1 Internal Handoff
When transitioning between SBK consultants:
- Knowledge Transfer Session (2 hours minimum)
  - Client background and history
  - Current initiatives and status
  - Key stakeholder relationships
  - Known sensitivities or concerns
- Documentation Review
  - All deliverables to date
  - Action item status
  - Meeting notes history
  - Roadmap and progress
- Client Introduction
  - Joint meeting with outgoing/incoming consultant
  - Formal handoff communication
6.2 Engagement Closeout
When the client ends the engagement:
- Exit Interview (Account Manager)
- Final Deliverables Package
  - All documents created
  - Roadmap and progress summary
  - Recommendations for continuity
- Lessons Learned documentation
- CRM update with engagement summary
7. Quality Assurance
7.1 Quality Gates
| Gate | Checkpoint | Owner | Timing |
|---|---|---|---|
| G1 | Engagement kickoff complete | Project Lead | Day 1 |
| G2 | Onboarding delivered and accepted | vCTO/vCISO | Week 2 |
| G3 | Monthly deliverable peer review | Senior Consultant | Monthly |
| G4 | QBR client satisfaction | Account Manager | Quarterly |
| G5 | Annual engagement review | Delivery Manager | Annually |
7.2 Success Metrics
| Metric | Target | Measurement |
|---|---|---|
| Client Satisfaction (CSAT) | 4.5+ / 5.0 | Quarterly survey |
| Retention Rate | 85%+ | Annual renewal |
| Net Promoter Score | 40+ | Annual survey |
| Response Time SLA | 95%+ compliance | Monthly tracking |
| Deliverable Quality | <5% rework | Per deliverable |
8. Escalation Procedures
8.1 Escalation Path
Level 1: vCTO/vCISO (standard issues)
↓
Level 2: Delivery Manager (scope/quality issues)
↓
Level 3: Account Manager (relationship issues)
↓
Level 4: Practice Lead (engagement at risk)
8.2 Escalation Triggers
| Trigger | Escalation Level |
|---|---|
| Missed SLA | Level 2 |
| Client complaint | Level 2 |
| Scope creep | Level 2 |
| Budget overrun | Level 3 |
| Relationship concern | Level 3 |
| Contract dispute | Level 4 |
9. Tools and Systems
9.1 Required Access
| System | Purpose | Access Level |
|---|---|---|
| CRM | Client tracking | Standard |
| Time Tracking | Billing, utilization | Standard |
| Document Repository | Deliverables, templates | Standard |
| Communication Platform | Client messaging | Client-specific |
9.2 Templates Library
| Template | Location | Use Case |
|---|---|---|
| Onboarding Report | /templates/vcto-vciso/ | Initial assessment |
| Monthly Report | /templates/vcto-vciso/ | Monthly deliverable |
| QBR Presentation | /templates/vcto-vciso/ | Quarterly review |
| Risk Register | /templates/common/ | Risk documentation |
| Roadmap | /templates/common/ | Strategic planning |
10. Vendor-Neutral Standards
10.1 Core Principle
All recommendations must be vendor-neutral and in the client's best interest. SBK does not receive commissions, kickbacks, or incentives from any vendor.
10.2 Disclosure Requirements
- Disclose any prior vendor relationships
- Document evaluation criteria objectively
- Provide multiple options when recommending solutions
- Include total cost of ownership analysis
10.3 Prohibited Actions
- Recommending vendors based on personal relationships
- Accepting gifts or incentives from vendors
- Making decisions without client approval
- Sharing client information with vendors without consent
Related Documents
Last Updated: January 2025
Version: 1.0