Security leadership
What a vCISO does and when your organisation needs one
In short
A fractional CISO who owns your security strategy, governance, and board reporting. Built for Indonesian enterprises navigating OJK, UU PDP, and ISO 27001.
Most Indonesian enterprises have people responsible for security in some form. A network engineer who manages the firewall. An IT manager who runs the antivirus. A compliance officer who tracks regulatory deadlines. What they often lack is someone who connects those pieces into a coherent programme, owns the risk decisions, and can give the board an honest account of where the organisation stands.
That is what a Chief Information Security Officer does. And for the majority of mid-market organisations, a full-time CISO is either unaffordable, unnecessary at that volume, or impossible to recruit and retain in a market where experienced candidates are scarce.
A Virtual CISO (vCISO) fills that gap. This page explains what the role actually covers, when the fractional model makes sense, and what an engagement with Alpha Code looks like in practice.
What a vCISO owns
The term "virtual" sometimes creates the impression of a lighter-touch advisory arrangement. That is not how a well-structured vCISO engagement works. The vCISO takes genuine accountability for the security programme, with the same scope a permanent CISO would hold, delivered on a defined schedule that fits the organisation's actual demand.
Security strategy and roadmap
The vCISO sets the multi-year direction for the security programme, aligned to the organisation's business priorities and regulatory obligations. The roadmap covers what to build, what to fix, what to outsource, and in what order.
Risk ownership and governance
The vCISO owns the risk register, chairs or participates in the security steering committee, and makes or signs off on risk acceptance decisions. Risk stays owned, not distributed across departments where it tends to disappear.
Vendor and SOC oversight
The vCISO provides independent oversight of the managed SOC, penetration testing providers, and other security vendors. This keeps commercial relationships from drifting and gives the board an independent view of supplier performance.
Board and regulatory reporting
Clear reporting to the board on programme status, open risk decisions, and regulatory standing. When an OJK or BSSN examination occurs, the vCISO leads the response and manages examiner communication.
When a fractional model fits versus a full-time hire
A full-time CISO makes sense when the security function is large enough to occupy a senior executive five days a week, and the organisation can afford both the salary and the continuity risk of a single key person. For many Indonesian enterprises, neither condition is met.
The fractional model fits well when the organisation needs the function covered properly, but does not have the volume to justify a dedicated executive. This is common in mid-market businesses, regulated entities at the smaller end of the OJK-supervised population, and growing companies that are adding compliance obligations faster than their security team can absorb them.
It also fits when an organisation has previously had a senior security hire who left, and needs programme continuity while considering a permanent replacement.
The engagement model
The engagement begins with a structured assessment of your people, processes, and technology against your regulatory obligations and your actual risk profile. This produces a baseline and a prioritised gap list, not a generic framework checklist.
From there the vCISO designs a programme plan, covering governance structure, risk treatment priorities, compliance milestones, and the operating rhythm for the engagement. The plan runs for 12 to 24 months, with a review at each annual cycle.
During the operational phase the vCISO attends steering committees, reviews vendor performance, tracks the risk register, oversees the SOC, and prepares reporting for your board. The schedule is typically four to eight days per month, adjusted for periods of higher demand such as regulatory examinations or significant incidents.
Regulatory accountability in Indonesia
Two Indonesian regulatory frameworks place specific expectations on security leadership accountability.
UU PDP (Law No. 27 of 2022) requires certain data controllers to appoint a responsible person for personal data protection under Article 53, where processing is large-scale or involves sensitive categories of personal data. The Constitutional Court has clarified that these conditions are interpreted as "and/or," meaning that any one of them may be sufficient to trigger the obligation. A vCISO provides the senior accountability structure that supports this requirement, working alongside a separately appointed Data Protection Officer where one is required.
POJK 11/2022, OJK's regulation on IT implementation by commercial banks, requires clear governance structures and senior accountability for information security risk. For regulated financial institutions, this means a named person at leadership level who can be held accountable for the security programme, not a diffuse responsibility spread across IT and compliance. A vCISO fills that role directly.
What a vCISO is not
A vCISO is not a compliance checklist provider. Producing documentation without owning the programme is a different service and should not be confused with security leadership.
A vCISO is also not a substitute for an operational security team. They provide strategic direction and senior oversight. They rely on your internal team, your managed SOC, and your other security providers to execute. The combination of capable leadership and operational resources is the point, not a solo executive trying to run everything alone.
At Alpha Code, the vCISO engagement is deliberately connected to our SOC, GRC, and incident response services. Your vCISO can draw on those teams directly, which means the leadership function is backed by operational capacity rather than standing alone.
References
- 1. IANS and Artico Search. 2026 State of the CISO Benchmark Report. Data from 662 CISOs, collected April-November 2025.
- 2. Cynomi. State of the Virtual CISO Report 2024. GlobeNewswire, September 2024.
- 3. Republic of Indonesia. Law No. 27 of 2022 on Personal Data Protection (UU PDP). State Gazette of the Republic of Indonesia, 2022.
- 4. Otoritas Jasa Keuangan. POJK No. 11/POJK.03/2022 on Implementation of Information Technology by Commercial Banks.
- 5. Mahkamah Konstitusi RI. Ruling on Article 53(1)(b) UU PDP: conditional interpretation of 'and' as 'and/or'. Constitutional Court of the Republic of Indonesia.
Reviewed by Naren Krishnan, Cybersecurity Manager
Frequently asked questions
How is a vCISO different from a GRC consultant?
A GRC consultant delivers a project, hands over a report, and leaves. A vCISO takes ongoing ownership of your security programme. They chair steering committees, manage vendors, oversee the SOC, sign off on risk decisions, and report to your board month after month. The accountability stays; it is not finished when the document is delivered.