How I think about fractional security leadership

What the work is, what it is not, and how engagements are structured.

A short essay. About 4 minutes.

The case for fractional

A full-time CISO makes sense at a certain company size. A fractional one fits at every other size. The difference is worth understanding before you decide which you need.

Most companies do not have steady-state security work all year. They have a quarter of intensive activity: an audit, a customer-driven security review, a board report due, an incident response plan that needs to actually exist. The rest of the year is maintenance. A full-time CISO at $400K base, plus equity, plus a team, is the right answer when the steady-state demand justifies it. For companies that have not reached that point, fractional fits because the work is concentrated, not constant.

What a fractional engagement gives up is intensity, not continuity. A fractional CISO is usually a long-term relationship, not a project that ends. The cadence flexes around the company's cycle, and the same CISO tends to come back across the years because the work compounds.

What the work looks like

The first engagement usually looks like this: the company has a security program that exists in some form (maybe policies, maybe not; maybe an incident response plan, maybe a Slack thread), and the next six months are dominated by an external pressure (a customer due diligence review, a SOC 2 audit, a board ask, an incident that just happened). The work is to take what exists, fill in what is missing, and produce something the next person can pick up and run. The deliverable is a program that is real, not a document that says there is a program.

The second phase usually looks different: the program is in place, the audit passed, the customer is signed, and the question becomes how to keep it that way as the company grows. That is the steady-state work, and it is more about decision support and architecture review than it is about building. A few hours a week, focused on the questions that would otherwise be answered by gut feel. The same CISO tends to come back: the next audit window, the next board report, the next customer security review. The compounding comes from knowing the company, the team, the controls, and the audit history.

What the work is not

Fractional is not a one-off project that ends with no continuity. It is a long-term relationship that flexes around the company's cycle. The typical pattern is a recurring commitment that scales up during the busy parts of the year (audit prep, board reporting, customer due diligence) and settles into a steady-state cadence (often around 10 hours a week) between them. The quiet stretches are not a gap in the relationship; they are part of it, and the same CISO picks up the next arc without a long ramp-up.

It is also not a discount CISO. The hourly or daily cost of a fractional engagement can match or exceed the loaded cost of a full-time executive, because the work is concentrated and the overhead is not amortized across a team. What you save is the package: salary, benefits, equity, recruiting time. What you keep is the long-term context. The CISO who shows up for the next audit window is the one who wrote the controls the first time around, and that compounding is the value.

How relationships are structured

Most relationships begin with a 30-minute call to establish fit, followed by a deeper assessment (often two to three weeks) where the current state, the gap, and the proposed arc are written down. The arc is the deliverable of the assessment. If it makes sense to proceed, the relationship starts on the terms in the arc; if it does not, the assessment is the artifact and the relationship does not start.

Inside the relationship, the cadence is whatever the company needs at the moment. During a key business cycle (an audit window, a board reporting cycle, a customer due diligence push), the commitment might scale to three or four days a week. Between those, it usually settles into a steady state (around 10 hours a week is common, with most weeks running lower and some higher). During quieter periods, periodic check-ins (a monthly call, a quarterly written update) keep the relationship warm without burning hours. The work is documented as it is done, so when the next busy stretch arrives, the CISO picks it up with full context.

What the work teaches

Two things, repeated across relationships. First, the companies that get the most out of fractional security work are the ones that integrate it early, before external pressure forces their hand. The work is more useful when it shapes the architecture than when it audits the architecture. Second, the value of a fractional CISO compounds across the relationship. The CISO who knows the audit history, the team's strengths, the customers' security reviewers, and the board's questions is not interchangeable with a fresh CISO each cycle, and that compounding is the part that is hard to get from a full-time hire at the same stage.

Fractional is a tool, not a category. It fits when the work is concentrated in time, when the company is still building, when the full-time package is more than the work justifies, and when the value of long-term context matters. It is a different shape of relationship, with a different cost structure and a different cadence than a full-time executive. The question is whether the shape fits the company you are running, and that is something worth figuring out before you sign anything.

If this resonates, let's talk.

A 30-minute call is the cleanest way to figure out whether the engagement makes sense for where your company is right now.