I agree with Brian Blakley that the CISO role is a key governance function rather than a service, for all the reasons he rightly pointed to. However, I view the vCISO as a service. I differentiate the roles as follows:
- CISO: A full-time executive-level role.
- Fractional CISO: A part-time executive-level role for organisations that do not yet require a full-time position.
- vCISO: A service that augments an existing executive role with specialised skills.
Having served as a CISO several times, I now support clients in both vCISO and Fractional CISO capacities. In my experience, companies serious about security often follow this progression:
- First, vCISO (or a similar form of security consultant): providing advice and support to founders.
- Then Fractional CISO: taking ownership of Information Security (beyond just cybersecurity).
- Finally, Full-time CISO: established when company size and risk profile justify the role.