CISO vs vCISO vs fractional CISO

Information security, cybersecurity, and privacy are starting to receive the attention they need for unfortunate reasons: Companies are facing a steep increase in the number of cyber-attacks, which are getting more effective and damaging. The consequences can be dire and affect companies' finances, reputations, and customers.
Company leaders need to equip themselves with adequate resources and skills to manage this increasing risk. Just as a COO handles operations and a CFO handles finance, a CISO leads the company’s information security practices. This includes information and data protection, privacy, and cybersecurity.
Not all companies have the resources or the need to create a new full-time position for this role. Several options exist, so let’s go through them.

| | CISO | Fractional CISO | Virtual CISO | Advisor | Consultant |
---|---|---|---|---|---|
Scenario | Most large companies now have one, with growing interest in medium-sized companies with significant risks linked to Infosec, cyber, and/or privacy. | Perfect for small to medium companies. | Excellent choice to augment another C-level executive who might have the formal CISO role but lacks the time or expertise. | Excellent value for boards or C-level executives wanting an independent opinion. | Suitable option for a well-defined set of requirements, such as writing cybersecurity policies or helping mitigate a specific risk. |
Contract type | Full-time | Part-time on set days | Part-time on set days | Typically, on-retainer | Project-based |
Scope | Full CISO | Full CISO | Depends on agreed scope | Depends on agreed scope | Project-based |
Accountable | ✅ | ✅ | ❌ | ❌ | ❌ |
Responsible | ✅ | ✅ | ✅ (based on scope) | ❌ | ❌ |
Embedded with teams | ✅ | ✅ | ✅ | ❌ | ❌ |
Lead teams | ✅ | ✅ | ❌ | ❌ | ❌ |
Full time | ✅ | ❌ | ❌ | ❌ | ❌ |
Open-ended | ✅ | ✅ | ✅ | ✅ | ❌ |
Pros | They come with all the bells and whistles. This is a must for large companies. For best results, the CISO should report to the CEO. | All the benefits of a CISO for a fraction of the cost. This is a great solution for medium-sized companies. | Excellent value if another executive is already covering part of the work but needs an extra pair of hands or skills to get the job done. | Perfect for quick access to an expert who knows your company and can give tailored independent advice. | Good for well-defined projects with clear deliverables. |

There will be variations in the terminology and details, and the lines are blurred, but the contract should clarify this. This table should give you an idea of your options and their typical characteristics.