A customer sends you a 200-question security questionnaire and your CTO spends two weeks on it instead of shipping product.
You or your board asks “what’s our cyber risk exposure?” but nobody in the room has a coherent answer. The conversation moves on, but the question doesn’t go away.
A prospect worth £500k in annual revenue wants to see your security posture before signing. The review takes eight weeks, the deal slips a quarter, and your competitor, who had their answers ready, closes instead.
You hire a security person. Six months later they’re drowning in a backlog that grew faster than they could work through it, and you’re not sure whether the problem is them or the job you gave them.
If any of this sounds familiar, you’re in the right place. This guide will help you figure out whether fractional security leadership is the right move, or whether something else makes more sense for where you are right now.
The options you’re actually choosing between
Before we talk about fractional CISOs specifically, let’s be honest about the full set of choices. There are five, and none of them is perfect.
Do nothing and keep muddling through. This works until it doesn’t. The cost is invisible: you can’t easily measure deals you didn’t win, risks you didn’t see, or the slow erosion of confidence when your board asks about security and gets a shrug. Generally acceptable if you’re pre-product-market-fit, but increasingly dangerous after Series A.
Hire a full-time CISO. The right move eventually, but probably premature for most companies under 300 people, and the fully loaded cost runs £150-250k per year. The real risk is less about the money than about role definition: you likely can’t scope the job well enough yet to hire well, so you’ll end up with someone too senior who’s bored, or too junior who’s overwhelmed. Either way, they’ll typically leave within 18 months and you’ll have to start again.
A Chief Information Security Officer is the executive accountable for an organisation’s security strategy, operations, risk management, and compliance. At a large company, they typically manage a team of 15-50+ people.
At a small startup, they’re often an individual contributor called an information security officer or a junior manager titled head of security with a very small team. They won’t automatically bring executive experience to the table, and are likely to be bogged down with operational activities.
Hire a security consultancy. Good for a point-in-time assessment or a specific compliance project, but quite bad for ongoing decision-making because they give you a report and leave. Nobody owns the outcomes or drives the work after the engagement ends. The report sits in mailboxes and rots, and the recommendations, however sensible, go unimplemented because nobody has the context, authority or responsibility to carry them through.
Use a compliance platform. Vanta, Drata, Secureframe: these are good tools for SOC2 mechanics, but they’re not a substitute for someone making strategic security decisions. The platform tells you what controls to implement, but nobody’s deciding whether you need them yet, or which ones matter most at your stage, or how to talk about your security posture to a sceptical enterprise buyer.
Bring in a fractional CISO. Ongoing security leadership without the full-time commitment, which tends to work well when you need strategic decisions and direction more than hands-on implementation. That’s what the rest of this guide covers.
These aren't mutually exclusive
A fractional CISO often works alongside a compliance platform. They might help you hire your first security person and then mentor them. Eventually, they help you hire their own full-time replacement, and make sure the role is defined well enough that the hire succeeds.
Is this the right fit for your stage?
The honest answer is: it depends on where you are. This is how we advise you to think about it.
Series A (15-150 people)
You’ve got product-market fit and revenue is growing. Customers are starting to ask security questions, and your CTO is probably handling security on the side, which means it’s getting roughly zero strategic attention.
At this stage, you generally need someone 1-2 days per month to make the foundational decisions: what’s your actual risk appetite, where are the real exposures versus the theoretical ones, and how should you respond to customer security questions without panic?
The work is mostly strategic: deciding what to do now, what to deliberately defer, and what to stop worrying about entirely, and supporting product and engineering teams so they avoid decisions that will be very expensive to reverse later.
Your customers may be asking for SOC2. That doesn’t necessarily mean you need it yet, but you do need clarity about what matters and a credible answer for why you’re on the right path.
Series B/C (100-500 people)
This is where the pressure compounds, because your board wants regular risk reporting and a proper compliance programme is probably on the horizon. You might have one or two security people already, or you’re about to hire one and you’re not sure what role to define. Product and engineering teams are running pretty hot, and security issues just aren’t being addressed organically.
If you’re B2B, enterprise customers are sending long security questionnaires, and they’re getting more extensive with each funding round.
At this stage, you may need 2-4 days per month of decision-making, customer-facing security leadership, and help building the foundations of a security function. A fractional CISO is making decisions alongside your leadership team, not writing policies in isolation. They’re collaborating closely with different teams throughout the business.
Pre-IPO (Series D+, 200+ people)
Fractional still works here, but the engagement looks different. The focus shifts to due diligence preparation, security programme maturity assessment, and board-level reporting. This is often a bridge engagement: getting your security posture credible enough for scrutiny while you grow or hire a full-time CISO with a clear brief and realistic expectations.
Where it’s not a fit
Be honest with yourself. Fractional security leadership is perhaps the wrong answer if:
You’re pre-product-market-fit, and your money and attention are better spent elsewhere. Basic hygiene (MFA, patching, don’t put credentials in your code) is enough for now.
Security as a product capability
Where security is key to your product-market fit due to the nature of your target market or the product characteristics, you may still want to engage an experienced business and security expert to help you make sure you haven’t missed something important.
You already have a competent full-time security leader who is coping well operationally and is experienced at the strategic level. You don’t need two people making strategic security decisions.
Growing security leaders
One scenario where bringing in a fractional CISO does make sense is where you already have a head of security who you want to grow into your future CISO, but they’ve never done that work before. A highly experienced leader who can mentor that growth can make a significant difference, and make sure the transition from junior management to senior or executive leadership goes relatively painlessly.
You just want someone to get you a SOC2 certificate with no strategic input; in that case, hire a compliance consultant because it’ll be cheaper and faster.
The decisions are still yours. A fractional CISO helps you make better ones, with better information, clearer framing, and the benefit of having seen this play out at multiple companies. But they’re not a substitute for your own judgement, and they’re not there to absorb blame if something goes wrong. If you need a scapegoat, this isn’t the right arrangement.
What the work actually looks like
This is where most guides get vague. Let me be specific about what a fractional CISO actually does week to week.
The common thread across all of it is judgement: knowing which things matter, which can wait, and how to communicate the difference to people who aren’t security specialists. That judgement is the gap between a security engineer who’s been given a leadership title and someone who’s done this at the executive level across multiple companies.
Customer-facing security work
This is often the trigger that brings companies to fractional security leadership in the first place. A big deal is stuck because the prospect wants security assurance and nobody on your team can provide it credibly.
The immediate work is responding to security questionnaires in hours rather than weeks, joining customer calls to discuss your security posture with the confidence that comes from actually knowing the answers, and preparing for third-party security assessments so they don’t derail your quarter.
Enterprise buyers typically send security questionnaires of 100-300 questions covering everything from access control to incident response. The first time takes weeks if you’re starting from scratch. With good foundations, subsequent ones take hours.
See my post on some approaches to dealing with Security Questionnaires
Beyond the immediate firefighting, the strategic work is making sure that customer and regulatory asks get factored into roadmaps with minimal impact on other deliverables. Working with sales and marketing to understand what role security capabilities play in your go-to-market story. Turning security from a cost of doing business into something that differentiates you in competitive deals.
I’ve watched companies go from eight-week security reviews to closing deals their competitors couldn’t, and the difference was rarely about having more controls but about knowing their own posture well enough that anyone on the team could answer questions credibly, not just the one person who’d prepared.
Board and investor communication
Your board cares about security risk, or they will soon.
The problem is that most security people communicate in technical language that makes non-technical board members’ eyes glaze over, or worse, triggers anxiety without providing useful information for anyone to act on.
The work starts with getting on top of the actual threats and risks your business faces and putting together a coherent story about progress, including forward-looking risk indicators that give the board something to track over time. Making sure that security initiatives are folded into broader planning in a way that demonstrably decreases risk on a week-to-week basis.
Then it’s about translation: building board reporting that covers risk exposure, compliance status, and security investment rationale, in terms the board can actually act on. Preparing materials for investor due diligence that tell a coherent and consistent story over multiple reporting cycles. Being able to engage with board members directly, answer questions that purely technical people might find perplexing, and provide narratives that support your business goals.
Security strategy
This is the core of the role and in many ways the hardest thing to hire for.
The decisions look like this: what does “good enough” security look like at your specific stage and in your specific market? Is that £80k-per-year tool your vendor is pushing actually worth it, or does a £5k alternative cover 90% of the risk? When should you pursue SOC2 or ISO27001, and how do you scope the effort so it doesn’t consume your engineering team for six months? What do you deliberately choose not to do, and how do you make that a conscious decision rather than a blind spot?
Less visible but equally important is making sure those decisions actually translate into results: engaging with vendors to keep effort aligned with outcomes, following up across teams to confirm that the money and time being invested are producing what was promised, and catching the drift between “we agreed to do X” and “X quietly stopped being a priority three weeks ago,” which happens constantly in fast-moving companies where everyone has six competing demands on their attention.
Prioritisation is probably the hardest part of all of this. At your stage you can’t do everything, and doing the wrong things in the wrong order is often worse than doing nothing. A security strategy that tries to cover every base will collapse under its own weight. The value of experienced security leadership is knowing which three things matter now, which five can wait six months, and which ten you can ignore entirely without meaningful risk.
In practice, the three strategic priorities get most of the deliberate attention, but I’ll typically identify 200 smaller things over a year and get them into the right hands: half-day items in areas where investment has been deferred and a few hours of someone’s focused work shifts more risk than anybody would reasonably expect. That throughput is what pattern recognition across multiple companies actually buys you.
Team and capability building
If you have a security person, the fractional CISO mentors and directs them, giving them the strategic context they need to make good day-to-day decisions without escalating everything. If you don’t have one yet, the fractional CISO defines the role for when you’re ready to hire, so you’re less likely to end up with the wrong profile in the wrong job.
Beyond the security team, the real capability building is cultural. Helping your engineers think about security as part of how they build, not as an obstacle imposed on them. Helping your leadership team understand enough about security risk to make informed business decisions without needing to become security specialists themselves.
Incident readiness
Nobody thinks about incident response until something goes wrong, and by then it’s generally too late to build the capability.
The work means defining your incident response plan: not a 60-page document nobody reads, but a practical playbook your team can actually follow at 2am when something goes badly wrong. Running tabletop exercises so people know their roles before a real incident. And if something does go wrong, being the calm, experienced person who coordinates the response while everyone else is panicking.
What it's not
A fractional CISO is not a part-time employee. They’re not writing every policy document, configuring your firewall, or running your vulnerability scanner. They set direction and make decisions. Your team, or contractors they recommend, does the implementation.
What it costs and how to think about the money
Let’s talk about this directly.
Typical range for a real, experienced fractional CISO is £5-10k per month for 2-4 days. Where you fall in that range depends on your stage, the complexity of your environment, and whether you’re in a regulated sector like fintech or insurtech.
That’s a significant number. Here’s how to think about whether it’s justified.
The full-time CISO comparison. The headline cost difference is real: £60-120k per year versus £150-250k fully loaded, but that’s probably the weakest argument for fractional. The stronger argument is decision density. A fractional CISO who’s built security programmes at five or ten companies brings a density of relevant experience that a full-time hire, who’s usually seen one or two environments, simply can’t match. They’ve seen what works at your stage, what fails, and what’s a waste of time. You’re paying for decisions that would take someone less experienced months to arrive at, and at your stage the cost of slow or wrong decisions compounds fast.
The cost of delay. A single enterprise deal delayed three months by a failed security review can represent far more in lost or deferred revenue than a year of fractional security leadership. If you’re selling six-figure enterprise contracts and security reviews are your bottleneck, the maths is straightforward.
A bad first hire. Recruiting, onboarding, and then losing a mis-scoped security hire in 8-12 months tends to cost £100k or more in direct costs and 12+ months of lost momentum. A fractional CISO helps you avoid this by defining the role properly before you commit to a full-time hire.
An under-functioning security team. You’ve got a small team, but they’re not functioning at the level you need, and you may not have confidence in your head of security. How much do they cost a month, and how much would it cost to re-hire and get back to level? That’s going to be at least £200k and probably a lot more. A fractional CISO helps you avoid this by evaluating the team and getting them onto the right track, helping hire for gaps and making sure that progress is sustained and structural.
The ROI framing
This isn’t a cost centre. The measurable returns are in sales acceleration (deals closing faster because security reviews don’t stall), risk reduction (fewer surprises that cost real money), and hiring efficiency (when you do hire full-time, the role is well-defined and the hire succeeds).
The companies that get the most value from fractional security leadership are generally the ones where security is already creating visible friction: in their sales cycle, their board conversations, or their own confidence in their risk posture. If none of those apply yet, you probably don’t need this yet, and that’s fine. Focus your energies on making sure that your operational security posture is solid.
What happens when you engage
If you’re considering this, here’s what the process generally looks like.
First conversation. Thirty minutes where you describe where you are, what’s creating friction, and what’s keeping you up at night. No pitch, no proposal, just an honest assessment of whether this makes sense for your situation. Sometimes the answer is “not yet” or “you need something different,” and that’s a useful answer too.
Scoping. If there’s a fit, one more conversation to agree on priorities, cadence, and how we’ll work together. This is a practical conversation about what matters most in your first three months, not a lengthy proposal process.
First month. Typically focused on understanding your current state: what are you doing well, where are the real gaps versus the theoretical ones, and what do your customers and board actually need to see? This assessment produces a clear picture of your actual risk posture and a prioritised set of decisions for the next quarter, and it shapes everything that follows. In most cases, the first month also surfaces a few things that can be addressed immediately with minimal effort, which builds confidence that the engagement is producing tangible results.
Ongoing. A rhythm of regular check-ins, priority decisions, and customer or board-facing work, where the specific mix depends on your stage and what’s pressing. Some months will be heavy on customer security reviews; others are focused on compliance preparation or helping your team think through architecture decisions. The constant is someone making informed security decisions with your leadership team, not in isolation.
The goal, always, is to get you to the point where you don’t need fractional support anymore, either because you’ve hired well and built the internal capability, or because your security posture is mature enough to maintain with lighter-touch oversight.
