Questions I Get Asked Before Every Engagement
No boilerplate. These are real answers to the questions clients ask before signing — about scope, cost, disruption, and what they actually get.
Working Together
What does a vCISO actually do, and how is it different from hiring a full-time one?
A full-time CISO costs €80–150k/year in salary alone, plus benefits, and is often overkill for a company that doesn't yet have a mature security programme. A vCISO gives you the same strategic leadership — security roadmap, risk management, vendor oversight, board-level reporting, compliance — on a retainer that scales to what you actually need. I work across multiple clients, so you get the expertise of someone who sees dozens of environments, not just yours.
How much does it cost to work with you? Do you offer fixed-price packages or hourly rates?
It depends on the engagement type. vCISO retainers are monthly and scoped to a set number of hours. Penetration tests and audits are fixed-price based on scope. Security awareness tiers are annual subscriptions. I don't publish rates publicly because scope varies significantly — a 10-person company and a 200-person company have very different needs. The best starting point is a free 30-minute call where I can give you a realistic estimate with no obligation.
Do you work only in the Czech Republic or across Europe?
My company is registered in Prague and the majority of my clients are Czech, but international work is a natural part of how I operate. I've delivered trainings for OSCE and UNDP in Bosnia and Herzegovina, worked with Dutch companies, and taken on US-based clients as well. Remote engagements work well across time zones for strategy and advisory work; onsite delivery is possible anywhere with reasonable notice.
How quickly can you start, and what does the onboarding look like?
For retainer engagements, I typically start within 2–4 weeks of signing. The first month is discovery: I review your existing policies, infrastructure, contracts, and risk landscape before making any recommendations. For a penetration test, scoping and scheduling usually takes 1–2 weeks, and execution follows shortly after.
Do you work with companies that have no existing security setup?
Yes — and honestly, that's where the impact is highest. Starting from scratch means we can build things correctly from the beginning rather than retrofitting security onto bad foundations. I've worked with companies whose entire "security policy" was a Post-it note, and I won't judge where you are today. What matters is where you need to be.
Can you sign an NDA before we discuss our environment?
Yes, always. I don't ask clients to expose their architecture, vulnerabilities, or compliance gaps without a mutual NDA in place. If you want to send one before our first call, I'll review and return it within 24 hours. If you don't have a template, I have a standard mutual NDA I use.
Do you have references or case studies I can see?
Most of my clients operate in regulated sectors and prefer confidentiality — I respect that. For public references, my work with OSCE and UNDP on cybersecurity capacity building in Bosnia and Herzegovina is documented and I'm happy to share details. For commercial clients, I can provide anonymised case study summaries on request, or in some cases arrange a direct reference call after a signed NDA.
NIS2 & Compliance
Is my company affected by NIS2? How do I know if I need to comply?
NIS2 applies to medium and large companies (50+ employees or €10M+ annual turnover) operating in critical sectors — energy, transport, health, digital infrastructure, manufacturing, financial services, postal services, and others. It also applies to their supply chains in some cases, which means smaller companies can be pulled in indirectly. If you're unsure whether it applies to you, that uncertainty is itself a risk worth resolving. I can assess your scope in a single consultation.
How long does NIS2 compliance typically take?
For a company starting from zero, realistic full compliance takes 6–18 months depending on company size and existing controls. However, demonstrable progress matters — showing regulators a structured roadmap and active implementation is far better than doing nothing while you wait for a perfect plan. I typically prioritise the highest-risk gaps first so you have defensible posture within the first 90 days.
What happens if my company fails a NIS2 audit?
NIS2 enforcement sits with national authorities (in CZ, that's NÚKIB). Penalties for significant entities can reach €10M or 2% of global annual turnover — whichever is higher. Beyond fines, there is mandatory incident reporting and potential personal liability for senior management. That last point is new and important: NIS2 explicitly holds C-suite executives accountable, not just the IT department.
What's the difference between NIS2 and ISO 27001 — do I need both?
They solve related but different problems. ISO 27001 is an international management standard — a voluntary certification that proves to customers and partners that you manage information security systematically. NIS2 is EU law — a legal obligation with regulatory teeth. The good news is they overlap significantly. Implementing ISO 27001 covers a large portion of NIS2's technical requirements, so doing both together is more efficient than tackling them separately. I typically run them in parallel.
Penetration Testing
What's the difference between a vulnerability scan and a penetration test?
A vulnerability scan is automated — a tool checks your systems against a database of known weaknesses and produces a list. It's fast and cheap but tells you what might be exploitable, not what actually is. A penetration test is manual work: I use a combination of tools and human judgement to chain together vulnerabilities, bypass controls, and demonstrate real-world impact. The difference is like a metal detector versus a locksmith — one finds something, the other tells you whether it actually opens.
How disruptive is a pentest — will it take systems offline?
Only if we agree in advance that it should. For web application testing I always prefer working against a non-production environment — this eliminates any risk of impacting live users and also maximises the attack surface, since production environments are often locked down in ways that hide vulnerabilities that would be reachable in reality. For network and infrastructure tests we define the rules of engagement upfront: scope, excluded systems, out-of-hours restrictions, and emergency contacts. I've never taken a client's production environment offline without prior agreement.
Do you test blackbox or whitebox — and does it affect the price?
I always prefer whitebox, and the reason is straightforward: I'm your consultant, not your enemy. You're paying me to find and exploit vulnerabilities — not to spend days mapping your application. A real attacker has unlimited time; automated scanners can run for weeks. As your tester, every hour I spend on discovery is a billable hour that produces zero findings. Share what I need — API documentation, role definitions, architecture overview — and I skip the discovery phase entirely and go straight to exploitation. You get more findings, faster, for less money. Whitebox is not a shortcut. It's the professional approach. Blackbox is valid if you specifically want to simulate a completely external attacker with zero prior knowledge, but it takes longer and costs more. The choice is yours — but I'll always recommend sharing the information.
What do I get at the end of a pentest, and who is it written for?
You get a written report with two sections. The first is an executive summary: a plain-language explanation of what was found, the business risk, and the priority order for fixing it — written for a CEO or board member who doesn't need to know what SQL injection is. The second is a technical appendix: full reproduction steps, tool output, evidence screenshots, and specific remediation guidance for your IT team. I also walk through the findings on a call so questions get answered immediately, not buried in an inbox.
How often should we run a penetration test?
At minimum, once a year and after any significant infrastructure change — a new application, cloud migration, acquisition, or major code release. NIS2 and ISO 27001 both expect regular testing as part of a risk management programme. For companies with active development cycles, I recommend quarterly reviews of new attack surface, with a full test annually.
Security Awareness
We already have a once-a-year phishing test. Is that enough?
No — and most vendors selling annual phishing tests know this. One test measures a snapshot; it doesn't change behaviour. Security awareness is a culture problem, not a knowledge problem. People know not to click suspicious links — they do it anyway under time pressure, distraction, or authority. Effective programmes run simulations monthly with varied scenarios, pair them with brief training immediately after a click, and reinforce the message through internal communications year-round. The goal is building reflexes, not passing a test.
How do you measure whether security awareness training is actually working?
Three metrics I track for clients: phishing click rate over time (it should trend downward, with some month-to-month variance), report rate (employees actively flagging suspicious emails — this is the real success indicator), and post-incident root cause (are human errors decreasing as a proportion of incidents?). If your training provider can't show you trend data on these, they're not measuring outcomes — they're just selling seat licences.
> Question not answered here?
Ask me directly — I respond within 24 hours.
Every engagement starts with a free 30-minute call. No pitch, no pressure — just an honest conversation about whether I can actually help you.