Skip to content

CISO vs vCISO vs fractional CISO

CISO, vCISO, fractional CISO and more options to lead your information security practice.

You need someone owning information security, privacy, and cyber risk. You may not need a full-time hire on day one.

Labels blur. The contract decides accountability. Rough shapes:

CISOFractional CISOVirtual CISOAdvisorConsultant
FitLarge orgs; mid-size with heavy infosec / privacy riskSME that needs the full role part-timeAugment an exec who holds the title but lacks time or depthBoard / C-level wanting an independent readDefined project (policies, one risk, one audit)
ContractFull-timePart-time, set daysPart-time, set daysRetainerProject
AccountableYesYesNoNoNo
ResponsibleYesYesWithin scopeNoDelivery only
Embedded / leads teamsYesYesOften embedded; rarely owns the teamNoNo

Names vary by market - read the statement of work.

What I push founders on:

  • Large company - full-time CISO, preferably reporting to the CEO. Part-time ownership of enterprise risk is how things fall through.
  • Growing SME - fractional CISO is usually the sweet spot: accountable, embedded, not a permanent payroll line yet.
  • vCISO - useful when someone already owns the mandate and needs depth, not when you want to avoid naming an owner.
  • Advisor / consultant - opinions and deliverables. Fine. Not a substitute for accountability when the breach email arrives.

I dug into the accountability split after the Uber CISO case in Fractional CISO vs vCISO: accountability vs responsibility. If you want help picking a model, get in touch.

Olivier Reuland