Why More Companies Need a CISO Than Can Afford One
The average full-time CISO salary is $275,000 to $400,000. Add equity, benefits, and recruiting costs, and you're looking at $400,000 to $600,000 per year for one role. That's out of reach for most mid-market companies. But the need for security leadership keeps growing: ransomware attacks increased 68% year-over-year, SOC 2 reports are becoming table stakes for B2B sales, and a single breach costs a mid-market company $2.5 million to $4.5 million on average.
A fractional CISO gives you senior security leadership at 20-40% of the full-time cost. This guide covers what they do, what they cost, and how to evaluate whether you need one.
What a Fractional CISO Does
Risk Assessment and Management
The foundational responsibility. A fractional CISO evaluates your current security posture and prioritizes improvements based on actual risk, not fear:
- Asset inventory. What systems, data, and applications do you have, and who owns them? You cannot protect what you don't know exists.
- Threat modeling. What are the realistic threats to your business? A fintech startup faces different threats than a marketing agency. Prioritize accordingly.
- Vulnerability assessment. Identify weaknesses in your infrastructure, applications, and processes. This ranges from automated scanning to manual penetration testing.
- Risk register. A prioritized list of risks with likelihood, impact, and mitigation plans. The board and CEO need this to make informed investment decisions about security.
Compliance and Governance
For many companies, compliance is the trigger that creates the CISO need:
- SOC 2. The most common compliance framework for B2B SaaS. A fractional CISO leads the readiness process, manages the audit relationship, and maintains ongoing compliance. SOC 2 readiness typically takes 4-8 months and costs $30,000-$80,000 including the audit.
- HIPAA. Required for covered entities and their business associates that handle protected health information (PHI). A CISO ensures technical safeguards, access controls, encryption standards, and breach notification procedures are in place.
- PCI DSS. Required, by contract with the card brands and acquirers, for companies that store, process, or transmit payment card data. The CISO manages the compliance program and coordinates with payment processors and the acquiring bank.
- GDPR/CCPA. Privacy regulations that require specific technical and organizational measures. The CISO coordinates with legal to ensure data handling practices comply.
- ISO 27001. International security standard increasingly required by enterprise customers, especially outside the US. More rigorous than SOC 2: it requires a formal information security management system (ISMS) and certification by an accredited body.
Security Architecture
- Review and improve network architecture (segmentation, firewalls, access controls)
- Evaluate cloud security configuration (AWS, GCP, Azure security best practices)
- Implement identity and access management (SSO, MFA, least-privilege access)
- Design data protection strategy (encryption at rest and in transit, backup procedures)
- Evaluate and select security tools (SIEM, EDR, vulnerability scanning, WAF)
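As an added example (not code from the original page), here is one way to put the least-privilege item above into practice when reviewing cloud IAM configuration: a small checker that flags `Allow` statements granting wildcard actions, wildcard resources, or `NotAction`, the three most common ways a policy ends up far broader than intended. It assumes AWS-style policy JSON; the two policies and the bucket name are constructed for illustration.

```python
"""Least-privilege check for IAM-style policy documents.

Flags Allow statements that grant wildcard actions ("*" or "service:*"),
wildcard resources ("*"), or use NotAction (which grants everything that
is NOT listed, a frequent source of accidental admin access).
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM lets Statement/Action/Resource be a string, a dict, or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list[dict]:
    """Return one finding per least-privilege violation in an Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access, so they are not flagged
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            findings.append({"sid": sid, "issue": "Allow with NotAction grants every action not listed"})
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append({"sid": sid, "issue": f"wildcard action {action}"})
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append({"sid": sid, "issue": "wildcard resource *"})
    return findings


# Constructed example: the kind of policy that accumulates during early growth.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DoEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "BlockIamDelete", "Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"}
  ]
}
""")

# Constructed example: the same application role scoped to what it actually needs.
# The bucket name is hypothetical.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UploadsReadWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"}
  ]
}
""")


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        issues = find_overbroad_statements(policy)
        print(f"{name}: {len(issues)} finding(s)")
        for issue in issues:
            print(f"  {issue['sid']}: {issue['issue']}")
```

Run against a dump of every customer-managed policy in the account (for example the output of `aws iam get-policy-version`), the findings become rows in the risk register, and the scoped policy shows the target state: named actions on a named resource. The check is deliberately conservative; `service:*` on a tightly scoped resource is sometimes acceptable, so treat each finding as a review item rather than an automatic failure.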
Incident Response
Every company needs an incident response plan. Most don't have one until something goes wrong:
- Incident response plan. A documented procedure for detecting, containing, and recovering from security incidents. Includes roles, communication chains, and technical steps.
- Tabletop exercises. Simulated incident scenarios where the team walks through their response. Run them quarterly. These exercises reveal gaps that documents alone cannot find.
- Breach notification procedures. Legal requirements vary by jurisdiction. The plan needs to specify who gets notified, when, and how.
- Forensics capability. Either internal skills or pre-negotiated contracts with forensics firms so you're not scrambling during an actual incident.
Security Awareness
People are the largest attack surface:
- Implement security awareness training (phishing simulations, password hygiene, social engineering education)
- Establish acceptable use policies for devices and data
- Create secure development training for engineering teams
- Run periodic phishing campaigns to test and reinforce awareness
Vendor Security Management
- Evaluate third-party vendor security posture before onboarding
- Maintain a vendor security assessment questionnaire
- Review vendor SOC 2 reports and security certifications
- Monitor critical vendor security incidents
- Manage the vendor security risk register
What It Costs
| Engagement Level | Hours/Week | Monthly Cost | Best For |
|---|---|---|---|
| Advisory | 5-10 | $5,000 - $8,000 | Companies starting compliance journey |
| Strategic | 10-15 | $8,000 - $14,000 | Active SOC 2/HIPAA programs |
| Operational | 15-25 | $14,000 - $22,000 | Complex environments, ongoing security ops |
Compared to a full-time CISO at $400,000-$600,000/year, a fractional CISO saves $200,000-$400,000 annually. The value calculation also includes avoided breach costs: the average mid-market data breach costs $2.5 million to $4.5 million when you include investigation, remediation, legal fees, customer notification, and reputation damage.
When You Need a Fractional CISO
- Enterprise customers are asking for SOC 2. This is the most common trigger. You're losing deals because you cannot show a SOC 2 report. A fractional CISO leads the readiness process and manages the audit.
- You handle sensitive data. Healthcare data (HIPAA), financial data (PCI), or personal data (GDPR/CCPA). Regulatory requirements demand qualified security oversight.
- You're growing into the mid-market. At $5M-$50M revenue, you become a more attractive target for attackers and a more scrutinized partner by enterprise customers. Security maturity expectations increase.
- You've had a security incident. Whether it was a breach, a near-miss, or a customer audit finding, security incidents create urgency for professional oversight.
- Cyber insurance requirements. Insurers increasingly require documented security leadership, policies, and controls (MFA, EDR, tested backups) as a condition of coverage or favorable premiums. A fractional CISO provides the accountable security leader and owns the controls the insurer's questionnaire asks about.
What a Fractional CISO Does Not Do
- Manage day-to-day IT operations. Help desk, laptop provisioning, and network maintenance are IT operations, not CISO work. If you need both, hire an MSP for IT and a fractional CISO for security.
- Write code or patch systems. The CISO identifies what needs to be fixed and prioritizes the work. Engineering or IT staff implement the fixes.
- Monitor security alerts 24/7. Real-time security monitoring requires a Security Operations Center (SOC) or managed detection and response (MDR) service. The CISO selects and oversees these services but doesn't sit in front of a SIEM dashboard all day.
Building Your Security Stack
A fractional CISO typically recommends this security stack for mid-market companies and oversees its rollout by your engineering or IT staff:
| Category | Tool Type | Annual Cost |
|---|---|---|
| Endpoint protection | EDR (CrowdStrike, SentinelOne) | $5,000 - $15,000 |
| Identity management | SSO + MFA (Okta, Google Workspace) | $3,000 - $12,000 |
| Vulnerability scanning | Qualys, Tenable, or Rapid7 | $5,000 - $20,000 |
| Cloud security | CSPM (Wiz, Orca, Lacework) | $10,000 - $40,000 |
| Security awareness | KnowBe4 or Proofpoint | $2,000 - $8,000 |
| Managed detection | MDR service (Arctic Wolf, Expel) | $15,000 - $50,000 |
| Compliance platform | Vanta, Drata, or Secureframe | $10,000 - $30,000 |
Total security stack cost: $50,000 to $175,000/year depending on company size and compliance requirements. This is separate from the fractional CISO retainer and is a direct business expense.
The SOC 2 Timeline
Since SOC 2 readiness is the most common fractional CISO engagement trigger, here's what the timeline looks like:
- Months 1-2: Gap assessment. The CISO evaluates current controls against SOC 2 criteria and identifies gaps. Deliverable: gap analysis report with remediation plan.
- Months 2-4: Remediation. Implement missing controls: access reviews, change management, incident response, vendor management, encryption, monitoring. This is the most labor-intensive phase.
- Months 4-6: Evidence collection. Document that controls are operating effectively. Collect screenshots, logs, policy acknowledgments, and review records. A compliance platform (Vanta, Drata) automates much of this.
- Months 6-8: Audit. The external auditor (Schellman, BARR, Johanson) reviews evidence and conducts testing. The CISO manages the audit relationship and responds to auditor questions.
- Post-audit: Ongoing compliance. Controls need continuous monitoring and evidence collection, and a new report is issued annually.
FAQs
What is a fractional CISO?
A fractional CISO (Chief Information Security Officer) is a senior cybersecurity leader who works part-time with your company. They handle risk assessment, compliance management, security architecture, incident response planning, and vendor security evaluation without the cost of a full-time hire.
How much does a fractional CISO cost?
Monthly retainers range from $5,000 for advisory engagements to $22,000 for operational security leadership. Most mid-market companies pay $8,000 to $14,000 per month for 10 to 15 hours per week. This is 60 to 80 percent less than a full-time CISO at $400,000 to $600,000 annually.
Can a fractional CISO lead SOC 2 compliance?
Yes. SOC 2 readiness is the most common fractional CISO engagement type. They conduct the gap assessment, lead remediation, manage evidence collection, and coordinate with the external auditor. The typical timeline from start to SOC 2 Type I report is 6 to 8 months. A Type II report, which most enterprise customers ultimately ask for, adds an observation window (commonly 3 to 12 months) during which the controls must be shown to operate effectively.
Do I need a fractional CISO or a managed security service?
You likely need both. A managed security service (MDR) provides 24/7 threat monitoring and response. A fractional CISO provides strategic security leadership: risk management, compliance, policy development, and security program oversight. The CISO selects and manages the MDR provider.
How quickly can a fractional CISO start?
Most fractional CISOs can begin within 1 to 2 weeks. The first month focuses on assessment: understanding your current security posture, identifying critical gaps, and developing a prioritized roadmap. Active remediation and compliance work begins in month 2.