
Fractional, virtual, advisor... what are they all?

Here is a table summarising how I see the different flavours of Chief Information Security Officer (CISO) you have on the menu. It’s not definitive, and other verticals and countries use slightly different terms, but hopefully, this gives you an idea of what to consider.

[Table: differences between the types of engagement.]

Interim CISO

An Interim CISO is simply what it says. Maybe your current CISO left. Or perhaps you went through a security incident, and your regulator or board finally forced you to create a CISO position to get this under control. In either case, you needed someone accountable immediately, so you gave the title to someone internally while looking for a permanent hire for the role.

Fractional CISO

A Fractional CISO is someone with extensive CISO expertise. They are a full organisation member (even if they are not full-time) and are usually on-site. They have a team that they manage to help deliver the information security objectives of the organisation.

They are like a CISO but “more efficient”. Or, rather, laser-focused on high-value objectives. This is especially useful for organisations that can’t afford a full-time CISO.

Pros

  • Expertise of a CISO for a fraction of the cost

  • Can be accountable

  • Can manage your whole information security programme

Cons

  • Will need to delegate more to their team

Virtual CISO

A Virtual CISO also has extensive CISO expertise. But unlike the previous categories, they are usually outside the organisation, possibly outsourced as a service. A vCISO also typically doesn’t manage a team and might be less integrated with the teams.

The vCISO role typically doesn’t carry the same accountability. That will still be held by the executive holding the actual “CISO” title. I look at the virtual CISO as the right-hand person of the CISO (well, or left-hand person, for left-handed CISOs, I suppose).

Pros

  • Expertise of a CISO for a fraction of the cost

  • Can manage your whole information security programme

Cons

  • Won’t be accountable on behalf of the organisation

  • Will need to delegate more to other teams

  • Relations with other teams can sometimes be a bit murky

Advisor

An Advisor, in this CISO context, is someone available to the board or leadership team to provide independent advice on specific situations. For example, this can be of great value for a board that needs more security expertise than it has in-house.

Pros

  • Readily available to answer questions

  • Great for boards requiring expertise

Cons

  • Usually limited to advice

Consultant

In this CISO context, a Consultant is someone working on a specific project. They could assist you with defining an information security or risk management framework.

☕️ I help my clients with all these options.

Would you be interested in talking about how you can benefit as well?

Don’t hesitate to reach out. I’m always keen for an excuse to have a good coffee!