The vCISO model addresses two simultaneous challenges: growing regulatory requirements (NIS-2, KRI, DORA, ISO 27001) and the global cybersecurity talent shortage. We provide continuous oversight of information security in your organization — with the competencies of a team, not a single individual.
Mid-sized companies (50–500 employees) that are subject to regulations but do not need a full-time CISO
Local government units required to meet KRI and NIS-2 requirements
Municipal companies — utilities, heating plants, waste management companies subject to regulations
Organizations pursuing ISO 27001 certification that need an experienced coordinator
Companies that have had a security incident and require immediate expert support
Three layers of competency — strategy, operations, and communication — delivered by a multidisciplinary team
Assessment — initial review of the organization: structure, IT systems, documentation, risks. Result: a report with priorities for the first 3 months.
Engagement setup — defining responsibilities, communication channels, reporting frequency, and incident escalation rules.
Quick wins — fast, visible actions: organizing documentation, closing the most obvious security gaps, launching monitoring.
System building — systematic work on the ISMS: risk analysis, policies, procedures, training, internal audit.
Ongoing operations — monitoring, reviews, incident response, documentation updates, board reporting.
Yes — provided there is no conflict of interest. Combining roles is common in smaller organizations and economically justified. In larger organizations, we recommend separating the functions.
Yes — no Polish regulation (KRI, NIS-2 Act, GDPR, ISO 27001) requires the information security officer to be a full-time employee. The requirement concerns the function, not the form of employment.
It depends on the size and maturity of the organization. Typically several to a dozen hours per month during ongoing operations, more during implementation. On-site presence: 1–2 days per month plus continuous remote availability.
The assessment phase takes about a week. First quick wins are visible within 2–4 weeks. Full operational capability — after 4–6 weeks.
Yes — we establish emergency channels and maximum response times upfront. In the event of a security incident, the vCISO coordinates response, reporting, and communication.