· ·
CISO vs vCISO vs fractional CISO
CISO, vCISO, fractional CISO and more options to lead your information security practice.
You need someone owning information security, privacy, and cyber risk. You may not need a full-time hire on day one.
Labels blur. The contract decides accountability. Rough shapes:
| CISO | Fractional CISO | Virtual CISO | Advisor | Consultant | |
|---|---|---|---|---|---|
| Fit | Large orgs; mid-size with heavy infosec / privacy risk | SME that needs the full role part-time | Augment an exec who holds the title but lacks time or depth | Board / C-level wanting an independent read | Defined project (policies, one risk, one audit) |
| Contract | Full-time | Part-time, set days | Part-time, set days | Retainer | Project |
| Accountable | Yes | Yes | No | No | No |
| Responsible | Yes | Yes | Within scope | No | Delivery only |
| Embedded / leads teams | Yes | Yes | Often embedded; rarely owns the team | No | No |
Names vary by market - read the statement of work.
What I push founders on:
- Large company - full-time CISO, preferably reporting to the CEO. Part-time ownership of enterprise risk is how things fall through.
- Growing SME - fractional CISO is usually the sweet spot: accountable, embedded, not a permanent payroll line yet.
- vCISO - useful when someone already owns the mandate and needs depth, not when you want to avoid naming an owner.
- Advisor / consultant - opinions and deliverables. Fine. Not a substitute for accountability when the breach email arrives.
I dug into the accountability split after the Uber CISO case in Fractional CISO vs vCISO: accountability vs responsibility. If you want help picking a model, get in touch.
Related
- Fractional CISO vs vCISO: accountability vs responsibility for who owns the outcome
- When do you need to think about security and privacy? for staging security help as you grow
Olivier Reuland