Too big to go without a CISO. Too small for a full-time one.
An experienced CISO in your organisation, for as long as it is needed.
Not a name on the org chart, but a mandate that is assigned, execution that runs and a board that gets the trade-off. Senior and independent, and we stay until it stands.
Where it stalls
The role is filled. The leadership is not.
This comes up when your organisation is too big to do security on the side, but too small for a full-time CISO. You know what needs to happen. What is missing is the role to enforce it, or it exists only on paper.
The title is there, the authority is not. You can advise, but you cannot enforce. And when it goes wrong, you face the board.
The report is there and the recommendations are sound, but the execution never gets off the ground. What is technically right does not land by itself in legacy and live production.
Leadership wants to know whether it is handled, in a language the technology does not speak. Since NIS2 and the Dutch Cybersecurity Act, that responsibility sits explicitly with the board.
The insight
A role on paper is not leadership that lands.
A name on the org chart does not cover the responsibility. NIST CSF 2.0 and ISO 27001 require that roles, authority and resources are demonstrably assigned, and that the board is involved. What closes the gap is not more policy, but mandate and execution brought together.
How we work
Mandate and execution, in a fixed cadence.
Not advice over the wall, but a function that makes sure it is right.
Diagnosis
We map where the leadership does not land: where the mandate is missing, where execution is stuck, what the board cannot account for.
Strategy and priorities
We translate that into a defensible route: which risks first, which decisions the board has to make, and what can wait.
Oversight and execution
We stand in the delivery: roles assigned, measures that land, and the cadence that keeps the programme running.
Reporting and handover
The board gets the trade-off in board language. And we hand over once your organisation runs it itself.
Direction over the decision, not the technical work.
During an incident we steer the decision-making: who decides what, what goes to the board, and how you meet the statutory reporting duty in time. Not the technical incident response itself, but the direction around it that makes sure the right calls land on time.
The trade-off
Compare the options honestly.
Do nothing
The cheapest option, until an incident or audit arrives. The responsibility stays, the mandate does not.
Hire a full-time CISO
The right answer when there is enough work and budget. But hiring takes months, and turnover in the role is high.
A generic consultant
Delivers advice and a report. The execution and the mandate stay with you.
A vCISO from Radian
Senior leadership that also delivers and stays until it stands. For as long as it is needed, not longer.
Why this holds up
Senior, independent, and done by the same people.
You work with the person who also does the work. Senior certifications and 25 years of practice at large, complex Dutch organisations.
Capabilities and outcomes, no platform or tool we sell on the side. We will not go looking for a problem to fit the solution we sell.
We work from NIST CSF 2.0, ISO 27001, NIS2 and DORA, so that what we do holds up with auditors and regulators.
ABN AMRO · Shell · IBM · Enexis · Essent
The same seniors who advise you held comparable security leadership roles at large, complex organisations across finance, energy and critical infrastructure.
For the board
Demonstrably diligent, not scared into action.
The Dutch Cybersecurity Act is expected to take effect on 1 July 2026. With it, final responsibility for cyber risk sits explicitly with the board, not with IT, with personal liability for material failures, not for every incident. Under NIS2 you also have to control your supplier and supply-chain risk, and you are often a supplier in someone else’s scope yourself. We provide the evidence with which you can show that you acted with due care. Because our advice does not stem from a tool or platform interest of our own, it serves your organisation, not a vendor.
Frequently asked
The questions you probably have.
How is this different from a consultant?
A consultant delivers advice and a report. A vCISO takes the role: mandate, execution and the accountability towards the board, until it stands.
Do you sit at the board table too?
Yes. The translation into board language is core: we deliver the trade-off the board needs, and join where the decisions are made.
Do you take us towards ISO 27001 or NIS2?
Yes, but as an outcome of risk management, not a tick-box exercise. We work from NIST CSF 2.0 and ISO 27001 so it holds up under review.
Who do we actually work with?
With a senior who also does the work, not a junior with a vCISO label. No handover from a salesperson to an unknown operator.
What if we hire a full-time CISO later?
Then that is the goal. A vCISO is a bridge, not a destination. We hand over once your permanent CISO arrives, and prepare that transition.
How does it work with our own IT team?
We work alongside your team, not over it. We assign roles and a cadence so your organisation carries it itself in the end.
Do you sell tools or platforms yourselves?
We sell capabilities and outcomes, not a platform or tool on the side. That way advice follows your risk, not what would suit us. We will not go looking for a problem to fit the solution we sell.
The first step
Start with a conversation, not a vacancy.
One conversation with a senior. We look at where the leadership does not land and what a vCISO would mean in your situation.