NOXVERI Service

Fractional CISO — strategic cybersecurity oversight without the headcount

The CISO function without a full-time hire. A security programme owner, documented board-level governance, continuous cyber risk management — scaled to the organisation's needs and maturity.

Fractional CISO · vCISO · Managed CISO · NIS2 · DORA · ISO 27001 · Security Programme · Board Advisory

Organisations that need oversight — without a full-time CISO

Not having a formal CISO isn't just a capability gap — it's increasingly a regulatory and legal exposure. NIS2 imposes personal liability on board members for cybersecurity governance. A Fractional CISO closes that gap without the cost and commitment of a C-suite hire.

01 · Situation

Organisations without a CISO

Companies growing into the need for a security function but not ready — or not able — to hire a full-time CISO. A Fractional CISO provides a capable, accountable programme owner scaled to current needs and budget, without the obligations that come with a permanent C-suite position. The engagement grows with the organisation.

02 · Situation

Boards facing NIS2 obligations

NIS2 Article 20 places personal responsibility on management bodies for overseeing cybersecurity risk management measures. This is not theoretical — regulators across the EU are building enforcement capacity. The Managed CISO Programme creates documented board oversight: review records, approved risk decisions, audit trails. Evidence that due diligence was exercised, not just asserted.

03 · Situation

Organisations implementing NIS2, DORA or ISO 27001

Information security management system implementations, risk registers, policy frameworks — without an external programme owner these typically run long and deliver less. For financial sector entities under DORA: continuous ICT risk management with the audit trail and documentation the regulator requires. For certification programmes: a structured approach that delivers compliance and real security, not compliance theatre.

What the Managed CISO Programme includes

NOXVERI takes ownership of the security programme — not as a consultant delivering a report, but as a standing point of accountability. Scope depends on the engagement model, but every engagement means continuity, not a one-time intervention.

On NIS2 board liability: Article 20 of the NIS2 Directive requires the management bodies of essential and important entities to oversee cybersecurity risk management measures, and those bodies can be held personally liable for infringements. The Managed CISO Programme builds the documentation of that oversight — review records, approved risks, decision history — in a form that carries legal weight when a regulator or court examines whether due diligence was exercised.

Three starting points

Scope is tailored to the organisation's needs and maturity. There is no standard package — these are three starting points. Every engagement begins with a conversation about the situation, not a selection from a price list.

Model A

Strategic oversight

Advisory and oversight at board level. Regular board-level reviews, decision support on security matters, independent validation of the direction of an internally-run security programme. For organisations with an internal IT or security team that need independent, external oversight at the strategic level — without involvement in day-to-day operations. The security function exists; the gap is at the top.

board advisory · governance reviews · decision support · independent assessment

Model B

Fractional CISO

The full CISO function, delivered on a part-time basis. Ownership of the security programme, live risk register, policies and procedures, monthly and quarterly meetings, external representation with auditors and clients. For organisations without a dedicated CISO that need the complete security function and a clear point of accountability. This covers everything a CISO would own.

full CISO scope · security programme · continuous risk management · NIS2 / ISO 27001

Model C

Fractional CISO + operational layer

Fractional CISO with additional operational support: direct involvement in implementing specific elements of the security programme — policies, board-level security awareness, risk assessments, regulatory documentation. For organisations in active security transformation or mid-implementation of NIS2 and ISO 27001, where support beyond oversight is needed to maintain momentum and quality.

full CISO scope + operational support · ISO 27001 implementation · security transformation

Built in environments where security had to work

25+ years. CERT.GOV.PL, Deloitte Poland (Red Team), Standard Chartered, 500+ threat simulations. The founder of NOXVERI built security programmes in institutions where the cost of failure was real — not in sandboxes. That translates into a different quality of judgement: both in the boardroom and when evaluating whether controls actually hold.

NOXVERI works with a limited number of Managed CISO clients. Scale is not the objective — quality of judgement is. Every engagement requires genuine understanding of the organisation's context, not the application of a template.

Let's talk about what your organisation needs

Send a brief description of your situation. NOXVERI will come back with an honest assessment of whether and how it can help — no commitment, no templated proposal. Every engagement starts with understanding the context.

Schedule a conversation