C-level tech leadership without the C-level salary
You need someone who can challenge vendors, spot security gaps before they become breaches, and build technology roadmaps that scale with your business. We provide strategic oversight, vendor accountability, and security governance, without the full-time commitment.
Who answers the strategic questions when there's no CTO?
You've built a successful business with a mix of SaaS apps and on-premise servers, and maybe an MSP handling day-to-day support. Everything runs smoothly, until the board or leadership team asks the questions that matter: Are we actually secure? Should we move to the cloud? Is this vendor delivering value? What does the Privacy Act actually require from us?
Your MSP keeps the lights on, but they're focused on operations, not strategy. Your internal IT person is stretched thin with helpdesk tickets and daily fires. Your accountant understands the numbers, but not the technology behind them. There's no one with the time, independence, and expertise to own these decisions.
This is where we come in
We act as your Virtual CTO, CIO, or CSO—providing strategic oversight, security governance, vendor accountability, and compliance guidance on a part-time basis. You get C-level technology leadership without C-level salary expectations.
What we actually do
We're not here to write reports that collect dust. We're here to make decisions, build roadmaps, challenge vendors, and ensure your technology serves your business—not the other way around.
Security Posture Assessment & Roadmap
Most SMBs we talk to have no idea whether their security is adequate—or even where to start. We audit your current state, identify the highest-risk gaps, and build a practical roadmap prioritised by business impact and cost.
What you get
- Clear visibility into your current security posture and regulatory compliance status
- Prioritised remediation plan with timelines and budget estimates
- Regular posture reviews to track improvement and adapt to new threats
- Board-ready reporting that translates technical risk into business impact
Vendor Evaluation & Technology Selection
Every vendor promises the world. We cut through the marketing noise and help you choose tools that actually fit your needs, budget, and team capabilities—not what a sales rep is incentivised to sell you.
What you get
- Independent vendor comparisons based on your requirements, not our commissions
- Total cost of ownership analysis including hidden costs and lock-in risks
- Procurement negotiation support to secure better terms and pricing
- Implementation oversight to ensure vendors deliver on their promises
Compliance & Risk Management
From Privacy Act 2020 to ISO 27001, compliance requirements can be overwhelming for SMBs without dedicated legal or risk teams. We translate regulations into practical, achievable controls that satisfy auditors without crippling productivity.
What you get
- Gap analysis against Privacy Act 2020, PCI DSS, ISO 27001, or industry-specific requirements
- Policy and procedure documentation that auditors actually accept
- Risk register and treatment plans aligned with business priorities
- Ongoing compliance monitoring and audit preparation support
IT Budgeting & Cost Optimisation
IT spending is often the second- or third-largest operational expense for SMBs—yet most have limited visibility into whether they are overspending, underspending, or spending on the wrong things.
What you get
- Multi-year IT budget planning aligned with business growth and strategic goals
- Cost optimisation reviews to identify waste, redundancy, and better-value alternatives
- Licensing audits to ensure compliance and eliminate shelfware
- Capital vs operational expense planning for tax and cash flow purposes
Team Capability Building
Your internal IT team or MSP knows how to keep things running—but may lack strategic thinking, security awareness, or vendor management skills. We mentor and upskill teams so they can grow alongside your organisation.
What you get
- Structured knowledge transfer on security, architecture, and vendor management
- Mentoring for junior or mid-level IT staff to build strategic capabilities
- Documentation standards and runbooks to reduce key-person dependency
- Quarterly strategy sessions with your IT team to align on priorities and roadmap
Incident Response Planning
Hope is not a strategy. When—not if—a security incident or outage occurs, having a tested plan is the difference between controlled recovery and chaotic panic. We design incident response frameworks and run tabletop exercises so your team is prepared.
What you get
- Incident response plan covering ransomware, data breach, outages, and supply chain attacks
- Tabletop exercises to test your plan and identify gaps before a real incident
- Communication templates for customers, regulators, and stakeholders
- On-call escalation support during actual incidents (optional retainer add-on)
Why magnumit, not a full-time hire or generic consultant?
You have options. Here is why clients choose us over hiring internally or working with traditional consulting firms.
C-level thinking without C-level salary
A full-time CTO in New Zealand costs $180k-$280k annually plus benefits, equity, and onboarding. Our Virtual CTO service starts at $2,500 per month—delivering strategic oversight at a fraction of the cost. For most SMBs, that's 10-20 hours per month of focused leadership, not 40 hours of seat-warming.
We're operators, not PowerPoint consultants
We've built, secured, and scaled real production environments—not just written reports about them. When we recommend a technology or approach, it's based on hands-on experience deploying it for clients like you, not regurgitated vendor marketing.
No vendor lock-in or hidden commissions
Many consultancies earn commissions from vendors they recommend. We don't. Our recommendations are based solely on what serves your business—even if that means open-source tools with zero margin for us. Independence is part of the value we provide.
We know the NZ SMB context
We know the Privacy Act 2020, the Essential Eight, the local MSP landscape, NZ-based SaaS vendors, and the unique challenges of operating 12+ hours ahead of most vendor support teams. We understand the constraints and opportunities specific to running IT in New Zealand.
How a typical engagement works
Every organisation is different, but most Virtual CTO engagements follow this general pattern.
Month 1: Discovery & Assessment
- Stakeholder interviews with leadership, IT team, and key users
- Technical assessment of infrastructure, security posture, and operational maturity
- Risk and compliance gap analysis
- Draft strategic roadmap and initial quick-win recommendations
Month 2-3: Roadmap Execution & Oversight
- Prioritised project planning and vendor selection
- Oversight of implementation work (done by your team, MSP, or our delivery team)
- Policy and documentation development
- Monthly strategy sessions and progress reporting to leadership
Month 4+: Ongoing Strategic Partnership
- Quarterly technology roadmap reviews and updates
- Vendor performance reviews and contract renewals
- Security posture monitoring and compliance maintenance
- Team mentoring and capability building
- Incident escalation support and tabletop exercises
Flexible engagement models
We tailor the engagement to your needs. Some clients want ongoing strategic partnership (monthly retainer). Others need a one-time security assessment or compliance project (fixed-price deliverable). We will recommend what makes sense based on your situation—not what maximises our revenue.
What we don't do
Being clear about what is out of scope is just as important as what is included.
Full-time cybersecurity operations (SOC)
We design security frameworks and oversee implementation—but ongoing 24/7 monitoring, threat hunting, and incident response are specialist services typically handled by a managed security service provider (MSSP). We can help you select and manage the right MSSP if needed.
Day-to-day IT helpdesk or support
Our focus is strategic leadership and architecture. Day-to-day helpdesk and user support are best handled by your internal IT team or MSP. We work alongside them to provide direction, oversight, and ensure they're delivering value effectively.
Hands-on infrastructure implementation (by default)
Our core service is strategic oversight and architecture. Implementation can be done by your existing team, MSP, or our delivery team (as an additional engagement). We ensure it's done right, regardless of who holds the tools.
Legal or regulatory compliance advice
We help you implement technical and operational controls to meet compliance requirements—but we're not lawyers. For legal interpretation of the Privacy Act 2020, PCI DSS, or industry regulations, you'll still need legal counsel.
Our role: We provide strategic leadership and technical architecture to ensure the right capabilities are in place, whether delivered by your internal team, MSP, or specialist vendors. We guide decision-making, oversee implementation, and ensure accountability to business outcomes.
Pricing and engagement terms
Transparent pricing based on time commitment, not arbitrary tiers or hidden fees.
Approximately 10 hours per month. Suitable for ongoing strategic oversight, quarterly planning, and vendor accountability.
Approximately 18-20 hours per month. Covers active transformation projects, compliance initiatives, or security uplift programs.
For organisations with 100+ staff, complex multi-site infrastructure, or regulatory-heavy industries, we scope engagements individually.
What is included in the retainer?
Strategic planning, security governance, vendor evaluation, compliance oversight, team mentoring, quarterly roadmap reviews, and email/Slack access for questions. No nickel-and-diming for 15-minute calls or quick vendor reviews.
What costs extra?
Hands-on infrastructure implementation, penetration testing, incident response retainer, extensive policy documentation projects, or on-site workshops. These are scoped and quoted separately based on your needs.
Contract terms
Monthly retainers are billed in advance, with 30 days' notice for changes or cancellation. We do not lock you into 12-month contracts—if we are not delivering value, you should be able to leave. Project-based engagements are typically fixed-price with milestones.
Want a custom quote based on your specific needs?
Book a Strategy Session
Frequently asked questions
Common questions about working with magnumit
How much time commitment do you need from us?
Typically 2-4 hours per month from leadership for strategy sessions, plus ad-hoc questions as needed. During the initial discovery phase (first 4-6 weeks), expect closer to 6-8 hours for interviews and assessment review. We're intentionally efficient—this is oversight and direction, not micromanagement.
How does pricing work, and what's included?
Monthly retainers start at $2,500/month (excl. GST) for 10 hours of strategic oversight, including planning, vendor evaluation, security assessments, compliance guidance, budgeting, and team mentoring. Most SMBs (20-80 staff) find $2,500-$4,500/month sufficient. Hands-on implementation, incident response retainer, and penetration testing are quoted separately based on scope.
How do you work with our existing IT team or MSP?
We collaborate, not compete. Your MSP continues handling day-to-day support and operations. We provide strategic direction, vendor oversight, security governance, and architecture—ensuring your MSP delivers value and operates efficiently. If your IT team or MSP is tactically strong but lacks strategic leadership or security expertise, we fill that gap. Many MSPs appreciate having a client-side technical leader to clarify priorities and reduce scope creep.
What happens if we want to bring this in-house later?
That's a successful outcome. Our goal is to build your capability, not create dependency. If you grow to where a full-time CTO or IT Director makes sense, we provide transition support, help with recruitment, and can stay on in an advisory capacity during onboarding. We want you to succeed, not stay reliant on us forever.
Can you help us during an active security incident?
Yes, but incident response isn't included in the base retainer. If you experience a ransomware attack, data breach, or significant outage, we can provide emergency support on a time-and-materials basis or via an optional incident response retainer. For clients with higher risk profiles, we recommend adding incident response coverage upfront.
Do you offer project-based engagements instead of ongoing retainers?
Yes. If you only need a one-time security assessment, compliance gap analysis, or vendor evaluation, we can scope that as a fixed-price project. However, most clients find ongoing value in the retainer model because technology, risk, and compliance aren't one-and-done activities—they require continuous oversight and adaptation.
When is this NOT a good fit?
If you have a capable full-time CTO or IT Director who's strategic, security-aware, and has time for governance—you probably don't need us. Also, if you're under 10 staff with simple SaaS-only IT, you likely don't have enough complexity to justify this level of oversight. We'll tell you honestly if you're not a good fit.
Ready to get strategic oversight without the executive salary?
Book a no-obligation discovery call to discuss your technology challenges, compliance requirements, and strategic priorities. We will tell you honestly whether this service is a good fit—and if not, point you in the right direction.