Christophe H pushed a useful distinction on LinkedIn. I land in the same place - and I see founders blur the labels until a breach makes the difference expensive.
As I wrote in CISO vs vCISO vs fractional CISO:
- A fractional CISO is accountable, like a full-time CISO, on a part-time contract
- A vCISO can be responsible within scope; accountability stays with the CxO they augment
Part-time vs full-time is fine either way when expectations match the hours. What is not fine is calling someone "virtual" while pretending they own the outcome in court or with the regulator.
If the title is on your LinkedIn, ask who is accountable when the notification letter goes out. If the answer is fuzzy, fix the contract before the incident.
Find this on LinkedIn and give it a thumbs up: Fractional CISO vs vCISO: accountability vs responsibility
Related