CISO vs vCISO vs fractional CISO

CISO, vCISO, fractional CISO and more options to lead your information security practice.


Information security, cyber security, and privacy are starting to receive the attention they need for unfortunate reasons: Companies are facing a steep increase in the number of cyber-attacks, which are getting more effective and damaging. The consequences can be dire and affect companies' finances, reputations, and customers.

Company leaders need to equip themselves with adequate resources and skills to manage this increasing risk. Just as a COO handles operations and a CFO handles finance, a CISO leads the company’s information security practices. This includes information and data protection, privacy, and cyber security.

Not all companies have the resources or the need to create a new full-time position for this role. Several options exist, so let’s go through them.

| | CISO | Interim CISO | Fractional CISO | Virtual CISO | Advisor | Consultant |
|---|---|---|---|---|---|---|
| Scenario | Large companies typically use it. However, it can be justified for medium companies with significant risks linked to Infosec, cyber, and/or privacy. | Cover someone who is not available for a while (e.g., parental leave), or temporarily fill the gap until a permanent CISO is found. | Perfect for small to medium companies. | Excellent choice to augment another C-level executive who might have the formal CISO role but lacks the time or expertise. | Excellent value for boards or C-level executives wanting an independent opinion. | A good option for a well-defined project, such as writing cyber security policies or helping mitigate a specific risk. |
| Contract type | Full-time | Full-time, fixed term | Part-time on set days | Part-time on set days | Typically, on-retainer | Project-based |
| Scope of CISO responsibilities | Full | Full | Full | Depends on agreed scope | Depends on agreed scope | Project-based |
Accountable
Responsible✅ (based on scope)
Embedded with teams✅ 
Lead teams
Full time
Open-ended
| | CISO | Interim CISO | Fractional CISO | Virtual CISO | Advisor | Consultant |
|---|---|---|---|---|---|---|
| Pros | They come with all the bells and whistles. This is a must for large companies. For best results, the CISO should report to the CEO. | They can help bridge a temporary gap while waiting for the CISO to return or looking for the right CISO. | All the benefits of a CISO for a fraction of the cost. This is a great solution for medium-sized companies. | Excellent value if another executive is already covering part of the work but needs an extra pair of hands or skills to get the job done. | Perfect for quick access to an expert who knows your company and can give tailored independent advice. | Good for well-defined projects with clear deliverables. |

There will be variations in the terminology and details, and the lines are blurred, but the contract should clarify this. This table should give you an idea of your options and their typical characteristics.

⚠️ Shameful plug: I do offer Fractional CISO, Virtual CISO, advisory and consultancy services.
