What is a Fractional CISO?
Published: March 17, 2026
If you’ve started looking at your cyber risk and realised you need someone senior in the room — but a full-time CISO at £120,000–£180,000 a year isn’t on the cards — a Fractional CISO is probably what you’re looking for.
The term gets used loosely. Let me give you a straight answer about what it actually means, what a Fractional CISO does day-to-day, and how to tell whether you need one.
The Short Version
A Fractional CISO is a senior security leader who works with your organisation on a part-time or interim basis — typically one to three days a week, often on a fixed-term engagement. You get the strategic judgement and hands-on experience of someone who has run security at enterprise level, without hiring them full-time.
The “fractional” model exists because most SMEs and growing businesses don’t need a full-time CISO. What they need is serious security leadership a few days a week — someone who can set the direction, own the risk, talk to the board, and make sure the technical team is pointed the right way.
What a Fractional CISO Actually Does
This varies by engagement, but in practice the work falls into a few consistent areas:
Security strategy and governance — defining your security posture, setting policy, building a roadmap that’s proportionate to your risk and your budget. Not a 200-page document nobody reads. A working plan the business can execute.
Risk and compliance — owning your risk register, preparing for Cyber Essentials or Cyber Essentials Plus, supporting ISO 27001 if that’s relevant, making sure you’re meeting your contractual and regulatory obligations. For many UK businesses this increasingly means GDPR accountability as well.
Incident readiness — making sure you have a plan before something goes wrong, not after. Running tabletop exercises, reviewing your backup and recovery position, knowing who calls who at 2am.
Board and leadership communication — translating technical risk into business language. A board doesn’t need to understand CVE scores. They need to understand what they’re liable for and what it would cost if something went wrong. That’s a skill most technical security people don’t have, and it’s where a good CISO earns their fee.
Vendor and supplier oversight — reviewing what your MSP is actually doing, checking your cloud configuration, making sure the security tooling you’re paying for is configured correctly. In my experience, most SMEs have the right tools and the wrong settings.
What a Fractional CISO Is Not
They’re not a one-off consultant who delivers a report and disappears. That’s a security audit. Useful, but different.
They’re not a managed security service (MSSP). An MSSP monitors your environment and responds to alerts. A Fractional CISO sets the strategy that determines what you’re monitoring and why.
They’re not a replacement for a good IT team or MSP. They work alongside your existing technical resource, not instead of it.
Who Needs a Fractional CISO?
The businesses I typically work with fit one of a few patterns:
– Growing SMEs (50–500 people) who have outgrown “IT does security” but aren’t ready to hire a full-time CISO. Often triggered by a new enterprise customer asking about your security posture, or a cyber insurance renewal that suddenly requires evidence.
– PE-backed portfolio companies where the fund needs consistent security governance across multiple portfolio businesses. One fractional CISO across two or three companies is far more cost-effective than three separate hires.
– Businesses going through change — acquisition, cloud migration, rapid headcount growth. Security debt accumulates fast in these moments. A fractional engagement through the transition prevents problems that are very expensive to fix later.
– Businesses post-incident who need someone to come in, stabilise, and build something better. This is the most urgent version of the engagement and usually the most intensive.
What It Costs
Engagement structures vary, but a typical fractional CISO arrangement in the UK runs between £3,000 and £8,000 per month depending on days committed and scope. Compare that to the fully-loaded cost of a permanent hire — salary, NI, benefits, pension, recruitment fees — and the economics are usually straightforward.
For most SMEs, the right entry point is a Discovery Audit: a structured review of your current security posture that produces a prioritised roadmap. It gives you a clear picture of where you stand and what to fix first, and it’s the starting point for any ongoing engagement.
The Question Worth Asking
Most businesses don’t call a Fractional CISO until something prompts them — a near-miss, a contract requirement, a board conversation. The ones that get the most value engage before that moment, when there’s time to build something properly rather than fix something broken.
If you’re not sure whether your business is in a good position, the honest answer is: you probably don’t know, and that’s worth finding out.
Book a 30-minute call to talk through your situation — no pitch, just a frank conversation.