
How to Choose a vCISO Provider in the UAE: Criteria, Red Flags, and the Questions to Ask (2026)
The short version: you are hiring an accountable person, not subscribing to a service. Every criterion in this guide follows from that one distinction, because the market sells three very different things under the same vCISO label, and the wrong one costs you a failed audit or a licence delay, not just a wasted retainer.
This guide is for companies in the UAE and the wider Middle East that need the CISO function without the full-time salary: fintechs and payment firms under CBUAE, VASPs under VARA, healthcare entities under ADHICS, and scaling companies facing ISO 27001, SOC 2, or investor due diligence. It covers what you are actually buying, the criteria that separate providers, the red flags, what pricing should look like, and the exact questions to ask on the first call.
Your vCISO in the UAE and Middle East
A named security leader of record, backed by a delivery team that builds the programme, not just advises. From $2,500 / mo
What you are actually buying
Three models trade under the vCISO name, and they are not interchangeable.
Advisory. A consultant reviews your environment and hands you reports and recommendations. Your team executes, or nothing does. Useful when you already have strong internal capacity and only need direction.
Platform-led. You buy a compliance platform subscription with some analyst hours attached. The software tracks controls; the people behind it are pooled and anonymous. Workable for a first SOC 2 at a small SaaS company with no regulator watching.
Named CISO. A senior security executive takes the accountable role: named in your documents, running the programme, facing your auditor and regulator, with delivery capacity behind them.
None of these is wrong in itself. The damage comes from a mismatch, and in this region the mismatch is common, because UAE regulation often requires the third model while vendors quietly sell the first two. We wrote separately about why a platform is not a CISO.
The UAE layer: why this market is different
In several UAE regimes the security lead is not a nice-to-have but an appointed role, so the provider you choose has to be able to fill an actual appointment:
VARA names the CISO directly in its Technology and Information Rulebook for every licensed VASP. We cover it in the VARA guide.
ADHICS Section 2.1.3 requires Abu Dhabi healthcare entities to appoint a CISO or equivalent to lead the security workgroup and face the Department of Health. Details in the ADHICS v2 guide.
The UAE Information Assurance Standards make the leadership appointment an Always Applicable control (M1.1.3), separate from IT, with a governance committee above it. See the UAE IAR guide.
CBUAE requires the IA Standards as a baseline for payment providers and applies fit-and-proper scrutiny to the senior people who own technology risk. See the CBUAE guide.
A provider that cannot put a named, credible individual into that seat, and have that individual answer an examiner, does not meet the requirement no matter how good the dashboards look. That is the single biggest filter in this market, and it eliminates more vendors than any pricing comparison.
The nine criteria
Run every candidate through these. The order matters less than the discipline of asking all of them.
A named individual in the contract. The statement of work should name the person who serves as your CISO, with their certifications (CISSP and CISM are the recognisable bar) and their client load. Ask who covers when that person is unavailable, and whether substitution needs your written approval. If the answer to "who exactly" is "our team", you are buying the platform model with better packaging.
Regulatory coverage that matches your licence. Not "we know UAE compliance" in general, but your regime specifically: CBUAE, VARA, ADHICS, UAE IAR, DFSA or FSRA if you sit in a free zone, PDPL for the privacy side. Ask for the most recent engagement under your regulator, and what the outcome was.
Delivery, not advice. Who writes the policies, runs the risk assessment, remediates the findings, and prepares the evidence? If the honest answer is "we recommend and your team implements", price your own team's hours into the comparison, because you will spend them.
Evidence discipline. Audits in this market turn on records: individual-level training logs, a live risk register, access reviews with dates, tested recovery results. Ask to see the structure of an evidence pack from a past engagement, sanitised. A provider who cannot show one has not been through many audits.
Regulator and auditor fluency. Will this person sit in your audit, answer a DoH or CBUAE examiner directly, own the corrective action plan, and run the portal submissions? Reports do not answer examiners. People do.
Detection and response behind the paper. Incident management controls require actual monitoring, and someone has to pick up the phone at 2am. Establish what the retainer includes: business-hours advisory, or a 24/7 SOC with defined escalation. Neither answer is wrong, but an undefined answer is.
Independence from attestation. The party that builds and runs your programme should not also be the party that independently assesses it. A serious provider prepares you and then steps aside for a separate assessor or certification body. A provider selling you both sides in one package is selling you a conflict of interest your regulator can flag.
Right-sized scope and honest pricing. Hour bands should be explicit (more on numbers below), and the provider should be willing to argue you down: a small licensed firm in steady state often needs four hours a week, not sixteen. A vendor who sizes every client at maximum is optimising their revenue, not your risk.
Exit and portability. You should own the policies, the registers, the evidence, and the tool tenants. Ask what offboarding looks like and what leaves with the provider. A vCISO arrangement you cannot exit cleanly is a dependency, not a service.
Red flags
Any one of these is a reason to slow down. Two or more, walk.
Guaranteed outcomes on someone else's decision: "ISO 27001 certificate in two weeks" or "guaranteed to pass the regulator review". Certification bodies and regulators decide those outcomes, and anyone guaranteeing them is either lying or has a conflict with the assessor.
The vCISO turns out to be a dashboard. You are shown software in the demo and meet a senior person in the sales call, then the account is run by rotating analysts you never met.
No named person in the SOW, or a substitution clause that lets the provider swap your CISO without your approval.
One package covering both preparation and the "independent" audit. See criterion seven.
A template policy pack delivered in week one with your logo on it. Policies written before anyone has seen your risk register describe a fictional company.
Pricing that only materialises after a paid discovery workshop. Discovery is legitimate; hiding the price card behind it is not.
No definition of incident scope in the retainer. When the breach happens, "that's out of scope" is the most expensive sentence in security.
No references from regulated clients in your sector. Logos on a slide are not references; a phone call with a peer CISO or founder is.
What pricing should look like
Serious named-CISO retainers in the UAE are typically structured in weekly hour bands, and the bands should map to real stages, not to sales tiers:
Around 4 hours a week. Steady-state oversight for a small regulated firm: the quarterly cycles, board reporting, evidence upkeep, regulator liaison.
Around 8 hours a week. An active programme: one certification track (say ISO 27001) alongside the standing role, or a licensing process in flight.
Around 16 hours a week. Build phase: standing up the framework from scratch, multiple regimes in parallel, or remediation under a regulator's deadline.
On absolute numbers, named-CISO engagements in this market generally start around USD 2,500 a month at the entry band. Below roughly USD 1,500 a month you are almost always buying the platform model with pooled hours, whatever the label says. Compare either figure with a full-time hire at AED 400,000 to 700,000 a year and the economics of the retained model are clear; we set out the full comparison in Virtual CISO vs Full-Time CISO.
One honest caveat on cost: the retainer is not the whole spend. Tooling and the certification body's own fees sit outside it, and penetration testing usually does too, though some providers fold testing into the larger bands when retainer hours allow. A provider who itemises those up front is showing you respect; one who lets you discover them mid-engagement is not.
Ten questions to ask on the first call
Take this list into the meeting. The answers matter, but so does how quickly and specifically they come.
Who exactly will be our CISO of record, how many other clients does that person carry, and who covers when they are unavailable?
Which UAE regimes have you taken a client through in the last twelve months, and under which regulator?
Will you be named in our filings and face our regulator or certification auditor directly?
What do you deliver in the first 90 days, as artefacts we can open, not activities?
Who writes and maintains the evidence, and in what form do we receive and keep it?
What happens when we have an incident at 2am: scope, response time, escalation path?
How do you keep audit independence: who assesses the programme you build?
What sits inside the 4, 8, and 16 hour bands, and what moves a client between them?
If we leave in a year, what do we own and what does the handover look like?
Which of our stated requirements would you push back on as unnecessary?
The last question is the honesty test. A provider who answers "none, everything you listed is essential" has just told you how they scope engagements.
How Dynova answers these criteria
Dynova runs the named-CISO model in our virtual CISO service, with execution built around it. Here is how we score against our own checklist.
The person. We select the most suitable senior CISO from our network for your sector and regime: a VASP gets someone who has faced VARA, a healthcare group gets ADHICS experience, a payment firm gets CBUAE work. That individual (CISSP, CISM) is then named in the engagement and fixed, with no silent substitutions. And every named CISO works in a pair with a briefed backup, so coverage holds through leave, travel, and the week your audit lands.
The delivery. We are execution-driven: we write the policies, run the risk assessments, remediate, build the evidence, and hold the quarterly cycles, rather than leaving a report with your team. On the larger bands the CISO comes with a Security on Demand team behind them, a GRC analyst and a security engineer, so implementation moves at the CISO's pace instead of waiting on your team's spare hours. Our own GRC platform runs underneath the programme to speed up control and evidence tracking. The platform serves the named CISO; it does not replace them, which is exactly the line the red flags above draw.
The coverage. The regimes this guide names: CBUAE, VARA, ADHICS, UAE IAR, and PDPL, alongside ISO 27001, SOC 2, and PCI DSS, and the same engagement can carry the Data Protection Officer function under UAE PDPL. Detection and response sits behind the role through our own 24/7 SOC as an add-on module, run by us rather than subcontracted, which keeps incident communication on one channel with the person who already knows your environment. And on the larger bands we fold penetration testing into the retainer when hours allow, so unused capacity becomes testing instead of expiring.
The boundaries. We prepare you for audits and stay out of the assessor's chair, because the attestation only means something if it is independent. Pricing is public, structured in the hour bands above, and we will tell you when the smaller band is enough. For what the model looks like in practice, OGold's ISO 27001 certification went from a standing start to a BSI certificate in six months.
If you are comparing providers right now, book a 30-minute call and put the ten questions above to us. That is what the call is for.
Frequently asked questions
What should I look for in a vCISO provider?
A named senior individual in the contract with defined backup coverage, regulatory experience under your specific regime, delivery capacity rather than advice alone, evidence discipline, the ability to face your regulator and auditors, defined incident coverage, independence from the audit itself, transparent hour-based pricing, and a clean exit where you own the documentation.
How much does a vCISO cost in the UAE?
Named-CISO retainers typically start around USD 2,500 a month for a steady-state band of roughly four hours a week, scaling to eight or sixteen hours during certification or build phases. Offers far below that level are usually platform subscriptions with pooled analyst hours. A full-time CISO in the UAE runs AED 400,000 to 700,000 a year in salary alone.
What is the difference between a vCISO and an MSSP?
An MSSP operates security tooling and monitoring; a vCISO owns the security programme: strategy, risk, policies, compliance, and accountability to the board and the regulator. Most regulated firms need both functions, with the vCISO directing what the MSSP or SOC executes. One is a service, the other is a role.
Can a vCISO be our official CISO with UAE regulators?
Yes. VARA's rulebook, ADHICS Section 2.1.3, and the UAE Information Assurance Standards (control M1.1.3) all require an appointed security lead, and a retained vCISO can hold that appointment, provided the individual is named, qualified, and able to face the regulator. The arrangement is part-time; the accountability is not.
How many vCISO hours a week do we need?
Match the band to the stage. Steady-state oversight for a small licensed firm fits in about four hours a week. An active certification or licensing track needs about eight. A ground-up build, parallel regimes, or remediation under a deadline justifies sixteen. Be suspicious of any provider that sizes every client at the top band.
Do we still need an external auditor if we have a vCISO?
Yes. The vCISO builds, runs, and prepares the programme; certification bodies and independent assessors validate it. Keeping those roles separate is what makes the certificate or the assessment credible, and a provider offering to do both sides should be treated as a red flag.
Related: Virtual CISO vs Full-Time CISO: The Real Cost in the UAE · UAE IAR Compliance (NESA IAS): A vCISO Guide · CBUAE Cybersecurity Requirements: A vCISO Compliance Guide · ISO 27001 & vCISO in the UAE: OGold's 6-Month Case Study
Experience