Amidst the current scrabble for cybersecurity talent, one entity stands alone, rising in relevance from the rubble, the dust, and the chaos of online corporate risk.

A leader to spearhead the fight against our current, more realistic Skynet-level threat – increasingly sophisticated and AI-driven cyber threats.

Someone to champion the security of their organisation and combat cyber bad guys and gals in the face of a worryingly cyber-insecure future.

They’re any organisation’s own Sarah Connor (or T1000 from the second movie onwards). The CISO. After all, this is the world now: logged on, plugged in, all the time.

However, many smaller organisations don’t have the resources to tap into full-time CISO talent – leading many to rely on the likes of fractional and virtual CISOs. These are individuals with CISO experience and skill sets, but who share their time and expertise between numerous organisations. Own clothes and boots preferred – motorcycle optional.

Yet the titles “fractional CISO” and “virtual CISO” can refer to two very different things. So how exactly is the fractional CISO different from the more popular virtual CISO? And why do I feel that the fractional CISO is the future of SME cybersecurity?

Before we go any further, we need to consider a few definitions, pros, and cons.

What’s the Difference Between a Virtual CISO and a Fractional CISO?

Both fractional and virtual CISO functions can be an essential addition to any organisation, especially SMEs who may not have the resources to hire a full-time, on-site, payrolled CISO. But the two terms can refer to two different concepts.

What is a Virtual CISO?

A virtual CISO (sometimes shortened to a vCISO) is a cybersecurity professional with executive-level IT/cyber security expertise who can provide the same support and leadership as an in-house CISO. However, the term is also used to describe a service provided by consultancies, MSPs, and MSSPs that gives access to a team of such professionals on a sort of “CISO-as-a-service” basis.

What is a Fractional CISO?

A fractional CISO is a cybersecurity professional with executive-level IT/cyber security expertise who provides the same level of leadership as an in-house CISO, but does so on a part-time, freelance, and/or contract basis.

Please note that these definitions are not set in stone, and some people who would fall under our definition of “fractional CISO” actually brand themselves as virtual CISOs. In this article, when we refer to virtual CISOs or vCISOs, we’re largely referring to the service model.


The concept of the “fractional chief something officer” might ring a few bells to those in other disciplines. Fractional CMOs and CFOs have been increasing in visibility over the past few years, with Google Trends indicating a steady rise in attention for both terms since 2020.

From my perspective, the concept of the fractional CISO is a pretty new one in the UK, though virtual CISO services have been around for some time. Both concepts seem a little more mature in the USA, but the “true” fractional CISO is still a relatively rare creature.

The Pros & Cons of Virtual CISO Services

Pros of Virtual CISO Services

● Provides an outsourced “CISO-as-a-service” which is often more affordable than employing a full-time CISO.
● Service can easily be scaled up and down as CISO support is often spread throughout a whole team rather than sitting squarely on one person’s shoulders.
● Access to a totally remote executive-level cybersecurity advisor – or an advisory team with a blend of expertise.
● Often the most cost-effective way of outsourcing cybersecurity management and steering.
● Provides all of the potential cost containment and flexibility of an outsourced service.
● Lower cost often makes vCISO services the most accessible option to the widest pool of organisations.

Cons of Virtual CISO Services

● When offered as a service, your “CISO” won’t necessarily be one person, so you might not have that personal, one-on-one relationship with any individual on the virtual CISO team.
● Because you are potentially dealing with a whole team, there is the possibility of less accountability and more blame-sharing. In short, there’s no one, single neck to throttle if things go wrong!
● vCISO expertise is typically never on-site, which may lead to the CISO talent being too removed from your day-to-day practices and processes. They may therefore struggle to forge practical guidance and practices that your internal teams are able to use and apply seamlessly.
● As you’re dealing with a whole team on something as critical and varied as IT security, different members of that team may have different ideas about what you need in terms of application, implementation, or strategy. Not great for a function that requires precise strategic cohesion.
● As virtual CISO services are generally not provided on-site, they can’t be present within critical board meetings and essential stakeholder conversations that may benefit from a cyber-aware chief in the room.
● This “arm’s length” approach may not come with the same level of autonomy as someone more present – their suggestions and decisions may require a bit more sign-off or escalation.

The Pros & Cons of Fractional CISOs

Pros of Fractional CISOs

● Provides an on-site, though not full-time, security chief who can take part in important board-level and stakeholder conversations.
● More affordable than a full-time (or maybe even part-time) payrolled CISO.
● Effectively an outsourced, freelance resource, so provides all of the cost containment and flexibility present in such an arrangement.
● A single individual working on multiple projects may have a more nuanced, independent view of the wider security space than a team of specialists contained within an MSP.
● Fractional CISOs are better placed to focus on and specialise in particular industries with specific risk profiles (e.g., critical infrastructure).
● A single individual is able to provide an objective, personal approach to your security because they are present as actual “boots on the ground” – just like an employed CISO would be.
● There’s the potential for more accountability when things go wrong as they are actually present and answerable to the board in person. The buck stops with them – just as it does with an employed CISO.

Cons of Fractional CISOs

● You’re contracting with just one person and their one-person perspective, rather than a whole team who may bring multiple ways of thinking about threats and problems.
● Fractional CISOs will contract with other firms too, so they may not be able to scale up their commitment to you due to other client capacity. Something to be mindful of in an emergency!
● They are a single person with a single person’s availability too, so if they are ill or unavailable on personal grounds, there’s not necessarily going to be someone in the wings, ready and briefed to swoop in.

Why I Believe Fractional CISOs are the Future of SME Information Security

Both virtual and fractional CISO services are a great solution for smaller organisations who are less likely to have the budget and capacity to hire a dedicated, payrolled CISO. That said, I personally think that the benefits of the fractional CISO vastly outweigh other options for many small to medium businesses.

SMEs account for 99.9% of UK and US businesses. Though nowhere near all of these businesses are going to be large or techy enough to need (or indeed afford) CISO-level support, there is definitely a sizable market out there.

In tech talent circles, we commonly see smaller organisations automatically tacking on the title of “CISO” to a role that is actually a “Head of IT”. IT functions and cyber leadership are two completely different concepts, and blending the title of “CISO” in with a head of IT function doesn’t exactly smack of taking the CISO’s lot seriously.

However, when you have a person you can point to who is dedicated to steering your security ship at board level, this is a much better look – to customers, stakeholders, and potential financiers alike.

In my opinion, if you’re in a particular industry with a highly unique risk profile, a fractional CISO might be a safer bet over a vCISO in some circumstances. You see, many (but not all) consultancies and MSSPs aim to serve as broad a range of organisations as possible, which results in them seeking out quite generalist talent. However, if you require particularly unique industry experience, there may be fewer MSPs scratching that itch; so seeking out a suitable individual with the right experience may be more realistic – and provide more accountability to boot.

Fractional CISOs are a dedicated, IT security resource that can sit in on board meetings, actively having the stakeholder conversations that matter – they’re not just a remote name on an email. Fractional CISOs are present, they’re accountable, and they’re an individual, knowledgeable person at the security helm.

And let’s not forget the current tech talent shortage – wherein leadership talent is amongst the most scarce. With this in mind, consider how a single fractional CISO can serve multiple companies at the same time. Because fractional CISOs can spread their reach in this way, they democratise their wisdom and render it more available to the market.

Will The Rise of the Fractional CISO Affect Employed CISOs?

Personally, I feel that the increased demand for CISO talent stands to benefit all CISOs out there, regardless of how organisations access that talent.

Those who have the capacity, budget, and workload present for a full-time CISO will likely be best served by a full-time CISO. Those who only need part-time support may be better served by a part-time CISO (or even a Cyber-NED!). Smaller organisations may be better suited to explore vCISO and fractional CISO options.

Yes, despite me singing their praises here, fractional CISOs aren’t going to be the most suitable option for every organisation out there, though I do see a rosy future for them within SME circles.

Taking a wider view, the more firms tapping into CISO-level expertise, the better. Access to such mature, strategic cybersecurity wisdom makes us all safer. With the personalised, in-person support that a fractional CISO can give, smaller companies are better set up to securely flourish and grow – potentially avoiding security flaws that could have otherwise harmed that growth. And with that support and security, they have a better chance to scale to a size where they wind up needing a full-time CISO.

Plus, fractional execs are already flourishing in roles like finance and marketing, only serving to bolster those industries, not detract from them. So could this be the dawn of the fractional CISO? My team and I are quite hopeful.

What do Employed CISOs, Fractional CISOs, and Virtual CISOs Have in Common?

Yes, this sounds like a set-up for a punchline, but it’s important to establish one essential commonality too. Following my related poll on LinkedIn, wherein I asked “Is a virtual CISO (vCISO) truly a CISO?”, one of my contacts hit me with an essential truth-bomb: whatever option you choose to cover your CISO functions, know that hiring a bad one will cost you – whether they’re dedicating 10 hours a week to you, or the full 40 (thanks Rob Wood!).

(Side note: Thank you to everyone who voted, commented and/or interacted with that post and the follow-up results post too!)

It’s also worth noting that my opinion is just one – admittedly non-cyber-practitioner’s – opinion. Whichever option an organisation chooses needs to be led by its needs, the complexity of its IT estate, and its individual risk profile.

However, if you take anything away from today’s article, know that putting money aside for a costly, full-time CISO is far from the only way to tap into board-level security experience.

Just What Have Recruiters Got to Do with Any of This?

You may well be wondering what we as a recruitment agency have got to do with this debate at all.

Well, when an employer has a need for cyber leadership personnel, they come to companies like ours. After having a conversation with them, it may become apparent that they don’t have the budget or resources to justify a big hire like a CISO – but they’re still crying out for access to that talent.

Some employers broach this by considering a part-time CISO, and sometimes that is the best solution for them at that time. But other times, they may genuinely benefit from working with a fractional executive.

Our role isn’t always to place full-time, payrolled personnel – it’s to solve firms’ personnel needs. And that absolutely includes pairing them with an outsourced, fractional CISO, a part-time CISO, or a vCISO if that’s the right approach for them.

But in that lesser-known quote from the Terminator franchise, “The future has not been written. There is no fate but what we make for ourselves.” If you are a CISO looking for your next challenge and you feel that a move to becoming a fractional CISO is on the cards; if you are already a fractional CISO on the lookout for new contracts; or if your business needs CISO talent but doesn’t have the resources for a full-time CISO – whether you’re in the UK or the US – get in touch with us. We’re always happy to talk and may be able to open a few doors.
