Fractional CISO vs Full-Time CISO: A Decision Framework for Mid-Market

A fractional CISO is a senior security executive engaged on a part-time basis — typically ten to thirty hours per month — to provide executive-level security leadership to organizations that need strategic security oversight but do not have the scope (or the budget) to justify a full-time hire. A full-time CISO is the same role in-house, priced at a total compensation package that usually lands between $250K and $500K+ depending on geography and company stage. The decision between the two is often framed as a cost question, but cost is the last variable to consider. The first question is whether the scope of the work actually requires full-time attention.

TL;DR

  • The decision is about scope, not cost. Most mid-market companies do not have full-time CISO scope.
  • Fractional CISO is the right choice for mid-market companies with meaningful security needs but fewer than roughly 500-1000 employees and without heavy regulatory complexity.
  • Full-time CISO becomes the right choice when the role shifts from strategy and governance to operational leadership of a dedicated security team.
  • The common mistake on the fractional side: underestimating the hours needed, treating the CISO as an on-call advisor rather than an embedded leader.
  • The common mistake on the full-time side: hiring too early, which locks in compensation and narrows the candidate pool to mid-level practitioners willing to take the title rather than experienced CISOs.

What a CISO actually does

It is worth getting specific before turning to the fractional vs full-time question, because both terms get used imprecisely.

A CISO (Chief Information Security Officer) is responsible for the organization’s security strategy, security program governance, and executive communication about security risk. The scope of the role at most companies includes:

  • Strategy. What security investments the company should make, in what order, against what risk.
  • Program governance. Ensuring controls are implemented, measured, and reviewed. Policy ownership.
  • Board and leadership communication. Reporting security posture to the board, executive team, and relevant committees. Translating technical risk into business language.
  • Vendor risk. Oversight of third-party security posture, business associate agreements, due-diligence processes.
  • Incident response leadership. Executive-level response to significant incidents. Coordination with legal, PR, regulators, law enforcement.
  • Regulatory and compliance engagement. Working with auditors, regulators, and customer security reviews.
  • Recruiting and developing the security team. If there is a team.

A CISO does not typically do:

  • Day-to-day security engineering (implementing firewalls, configuring SIEM, writing detection rules).
  • SOC operations (monitoring alerts, responding to routine incidents).
  • Technical penetration testing or vulnerability assessment.

Those are done by security engineers, SOC analysts, and specialized consultants. The CISO leads the function that employs or contracts those roles.

Fractional CISO: what the engagement looks like

A fractional CISO engagement typically runs as a monthly retainer with a committed number of hours. Common patterns:

  • Light-touch advisory (ten to fifteen hours per month). Monthly strategy session, periodic board-ready reports, availability for specific questions. Suitable for small organizations with low regulatory complexity that need a senior perspective on security but do not have active incidents or programs requiring close oversight.

  • Embedded leadership (twenty to thirty hours per month). Weekly leadership check-ins, monthly risk reviews, quarterly board reporting, ongoing vendor oversight, program management for specific initiatives. Suitable for mid-market organizations with real security scope that do not yet warrant full-time leadership.

  • Heavy engagement (forty-plus hours per month). At this level, the fractional pattern is often a bridge to a full-time hire or a signal that the fractional model is no longer fitting. A fractional engagement can run at this level for short periods — through an audit, through an incident response, during a leadership transition — but usually the right call is either to scale back the engagement scope or to start the full-time CISO search.

A fractional CISO engagement usually includes:

  • A designated senior security leader who is the primary point of contact, with supporting team members available for specific technical work as needed.
  • A monthly cadence of scheduled engagement time (not purely on-demand).
  • Quarterly or annual strategic planning cycles.
  • Incident response availability, with defined escalation paths.
  • Documentation outputs: policies, board reports, risk assessments, vendor reviews.

Full-time CISO: what the role requires

A full-time CISO is typically justified when:

  • The organization has a dedicated security team of at least two to three full-time-equivalents who need management and direction.
  • Regulatory scope is heavy enough to require continuous attention — multiple overlapping frameworks, ongoing examination by regulators, or a significant regulated data footprint.
  • The company has reached a scale where security is genuinely a board-level concern with monthly or more frequent reporting cadence.
  • Operational leadership is needed, not just strategic oversight: the CISO has to make operational decisions daily rather than weekly or monthly.

Full-time CISO compensation in mid-market companies typically runs $225K to $350K base plus equity, bonus, and other components. For companies at the scale where a full-time hire makes sense, this is a defensible cost. For companies below that scale, it often either locks in a junior practitioner willing to take the title at a lower comp (and not delivering full-CISO value) or stretches the budget in ways that crowd out other security spending.

The decision framework

Four questions to work through in order.

1. Is there a team to lead?

If the organization has two or more full-time security staff (excluding the CISO), full-time is often the right call. A dedicated team needs dedicated leadership.

If there are zero or one dedicated security staff, fractional leadership makes more sense. One part-time security engineer plus a fractional CISO is usually better than one full-time mid-level security hire trying to be both practitioner and leader.

2. What is the regulatory scope?

Heavy regulatory scope — multiple frameworks active (HIPAA plus SOC 2 plus PCI, for example), material public-company security obligations, or active regulatory examination — tilts toward full-time. The attention these require exceeds what a fractional engagement can sustainably provide.

Moderate regulatory scope — one framework, annual audit cycles, periodic customer reviews — is well-served by fractional.

3. What is the board and executive expectation?

Some boards, particularly those with security-experienced members or those at public or pre-IPO companies, expect a named, in-house CISO with a direct reporting relationship. If this is the expectation, fractional engagement can still serve during a transition but will be pushed to convert to full-time.

Other boards are comfortable with fractional leadership as long as security competency is demonstrably present. The specific expectation matters more than the generic answer.

4. What is the incident and threat pressure?

Organizations experiencing active threat pressure — recent incidents, active nation-state interest, ongoing threat actor engagement, sector-wide attack campaigns — need leadership capacity that a fractional engagement may not sustainably provide. In these situations, full-time CISO hiring is often accelerated, sometimes through an interim CISO arrangement bridging to the permanent hire.

Organizations with routine threat exposure (phishing, commodity malware, the normal baseline) can usually be led well by a fractional CISO with appropriate operational support.

Where the framework lands for most mid-market companies

Mid-market companies without dedicated security teams, operating under one or two compliance frameworks, reporting to boards that accept fractional expertise, without active threat pressure — the fractional CISO is almost always the right answer. That description fits most mid-market companies.

The decision tilts toward full-time as the company scales through the upper mid-market, adds security team members, takes on regulatory complexity, or approaches a capital event (IPO, major acquisition, regulatory licensure) that expects full-time security leadership.

Common mistakes

Treating fractional CISO as pure advisory. The difference between a useful fractional CISO engagement and a wasted one is usually whether the CISO is embedded in the organization or treated as an occasional advisor. Embedded means they know your team, your vendors, your incidents, your board. Advisory-only means they show up to monthly calls with generic perspectives. Ask prospective fractional CISOs how they structure embedded engagements, and structure the engagement that way.

Hiring a full-time CISO before the role requires it. Full-time hiring at mid-market companies often pulls from a candidate pool that is heavier on title-seekers than on operators. A mid-level security engineer hired as CISO will deliver mid-level work with CISO compensation. Better to work with a seasoned fractional leader until the scope genuinely warrants full-time and the compensation offered will attract a seasoned full-time candidate.

Splitting the difference with a “director of security.” Some companies try to avoid both the fractional cost and the full-time cost by hiring a director-level security role without CISO authority. This sometimes works but often produces an expensive hire who lacks the executive authority to drive the program. If the scope genuinely requires executive-level leadership, the cost of diluted authority usually exceeds the savings.

Not transitioning out of fractional at the right moment. Some companies stay in the fractional model past the point where full-time would be better. The signs: the fractional CISO is consistently over the hour budget, scope that falls outside the retainer is slipping, the board is asking questions that require in-house presence. Recognize when the model needs to change and plan the transition deliberately.

Transition patterns

Moving between the two models is less disruptive than it sounds if planned in advance.

Fractional to full-time. The fractional CISO engagement often includes a defined off-ramp — the fractional firm helps recruit and onboard the full-time hire, transfers institutional knowledge, and winds down over sixty to ninety days. Some fractional CISOs transition into the full-time role themselves if the fit is right.

Full-time to fractional. Less common but does happen, typically when a company’s security program has matured to the point where day-to-day operations are handled well by the team and the executive leadership layer can scale back. This is usually a considered decision tied to a leadership transition, not a cost-cutting move.

Frequently asked questions

What’s the difference between “fractional CISO” and “virtual CISO” and “vCISO”?

In practice, nothing consistent. The terms describe the same engagement model. Some firms prefer “virtual” to emphasize remote delivery. Some prefer “fractional” to emphasize the part-time nature. We use “fractional” internally because it more accurately describes the engagement — a share of a senior leader’s time, not a fully virtual substitute for a CISO role.

How much does a fractional CISO cost?

Highly variable by firm, scope, and hours. Light-touch advisory engagements can run a few thousand dollars per month. Embedded leadership engagements (twenty-plus hours per month) usually run eight to twenty thousand per month depending on the seniority level and the firm’s rate structure. Compared to full-time CISO compensation (all-in cost often $300K to $500K per year at mid-market), the fractional model is significantly less expensive at every scope except the highest.

Can we use a fractional CISO to help us hire a full-time CISO later?

Yes. This is a common pattern. A fractional CISO can scope the full-time role, participate in hiring, onboard the successful candidate, and hand off cleanly. Some fractional engagements are explicitly structured as bridge-to-full-time.

Can a fractional CISO sign off on regulatory compliance statements?

Usually yes, subject to the specific regulation and the contract structure. Most frameworks allow delegated authority where the fractional executive is named in the engagement contract. Specific regulations — particularly in financial services — may require in-house officers; check the specific framework.

How do we evaluate fractional CISO candidates?

Ask for recent engagement descriptions at similar-size companies. Ask specifically about embedded versus advisory engagement structure. Ask how they handle incidents that fall outside scheduled hours. Ask how they handle board communication. Get references from clients whose engagements ended at least six months ago, not current-retainer clients whose perspective may be biased by the ongoing relationship.

Working through whether a fractional or full-time CISO is right for your organization? Book a discovery call, or see the security practice page for more on how we scope fractional CISO engagements.