There is a point in every growing organisation's journey where cybersecurity stops being something the IT manager handles on the side and starts requiring dedicated senior leadership. The triggers are predictable: a major client asks about your security posture during due diligence, a regulator sends a letter requesting evidence of governance, your insurer asks who owns cyber risk at board level, or an incident happens and nobody is sure who is in charge.
At that point, the obvious answer seems to be "hire a CISO." But for many organisations - particularly those in the 200 to 2,000 employee range - a full-time CISO does not make sense. The salary expectations for experienced CISOs in the UK start at around 150,000 pounds and go significantly higher. The role requires a breadth of experience that is hard to find. And in many cases, the volume of strategic security work does not fill five days a week, even if the need for senior oversight is constant.
So the role goes unfilled. Security decisions get made by committee, by the CTO who has other priorities, or by an outsourced provider who does not have the context to advise on risk at a business level. This is how organisations end up with technical security controls that are reasonable but governance that is non-existent.
A fractional CISO provides the same strategic leadership as a full-time hire, but on a structured part-time basis. In practice, this typically means two to four days per month of senior engagement covering the areas that require experienced judgment and cannot be delegated to a managed service provider.
This includes owning the cyber risk register and ensuring it reflects real risk rather than being a theoretical exercise. It means preparing and presenting board-level reporting that translates technical findings into business decisions. It covers regulatory engagement - making sure the organisation understands what is expected of it under frameworks like DORA, NIS2, or sector-specific requirements, and can demonstrate compliance with evidence rather than assertions.
A fractional CISO also provides oversight of the security programme as a whole. Are the managed service providers delivering what was promised? Is the vulnerability management programme actually reducing risk or just generating reports? Are identity controls keeping pace with how the organisation uses cloud services? These are questions that require experience to answer and that most operational teams are too close to the detail to assess objectively.
Fractional CISO arrangements work well when the organisation has operational security covered - whether through an internal team, an MSP, or a combination - but lacks the strategic layer. The fractional CISO is not there to manage the firewall. They are there to ensure the firewall is part of a coherent security strategy that addresses the organisation's actual risk profile.
It does not work when the organisation expects a fractional CISO to also be the security operations team. Two days a month of senior leadership cannot replace the need for day-to-day operational security. If the organisation has nobody handling patching, monitoring, or incident response, a fractional CISO will spend all their time firefighting instead of building governance.
The most effective engagements we have delivered are ones where the fractional CISO works alongside an existing IT or security team, providing the strategic direction and board-level communication that the team cannot deliver on its own. The team gets better at their jobs because someone is setting clear priorities. The board gets better reporting because someone is translating risk into language they understand.
A full-time CISO in London costs between 150,000 and 250,000 pounds per year in salary alone, before benefits, recruitment costs, and the time it takes to find the right person. A fractional CISO engagement typically costs between 2,000 and 6,000 pounds per month depending on scope. For organisations that need senior leadership but not five days a week of it, the economics are straightforward.
More importantly, a fractional model means the organisation gets access to someone who has done this before, across multiple sectors and environments. A full-time hire brings one person's experience. A fractional CISO brings pattern recognition from working across financial services, technology, healthcare, government, and regulated industries simultaneously.
If your board cannot name the person who owns cyber risk in your organisation, you have a gap. If the answer is "the IT director" or "the CTO" and that person does not have security governance experience, you have a gap. If your last board report on cyber risk was a traffic light dashboard with no context, you have a gap. Filling it does not require a six-figure hire. It requires the right person, at the right level, with the right amount of time.