vCISO vs Fractional CISO - What’s the difference?

Let’s define the vCISO role a bit and go into the different types that are out there


🗣️ I’m Speaking Tuesday LIVE w/Hacker Valley

I’m speaking this Tuesday LIVE with Ron Eddings from Hacker Valley. We’re going to talk about the life of a vCISO and how to start off as a vCISO on your own. It’s a precursor to my upcoming course for those trying to transition.

I’ll be talking about the life of a vCISO, how and why I got into it, and answering questions live, so check it out and kindly repost/share with your networks. I would really appreciate it.

❓What Is A vCISO or Fractional CISO?

Definition: Someone with the knowledge or experience to build (or advise on the building of) a security program for a company, but who does not carry the full accountability or liability for security as part of their role.

In the most basic form, a vCISO or Fractional CISO is a Deputy CISO. In a large organization, you have a Deputy CISO that functions similarly to a chief of staff and helps run point on various projects. Sometimes they are PMing, sometimes they are doing the actual work.

Sometimes they’re doing ALL the security work and the CISO is just the figurehead and public/board facing persona. Yes, it’s true. They also work on board decks. The amount of work they do or are responsible for depends on the size of the organization.

A vCISO does or can do:

  • Board Decks & Reporting

  • Security Program Management

    • Governance, Risk, and Compliance

      • Policies

      • Gap Assessments (SOC 2, ISO, PCI, HIPAA, etc.)

      • Remediation work

    • Vendor Security

    • Enterprise Security

    • Infrastructure Security

    • Security Awareness Campaigns

  • Security Team Management

    • Hiring

    • Mentoring

  • Incident Response & Tabletop Exercises

  • Sales Enablement

    • Security Questionnaires

    • Sales Meetings

As you can see, it’s a big list, and it’s not a complete list.

🤔 What’s the difference between a vCISO and a Fractional CISO?

None really, but I’ll explain.

Many people out there feel like the term vCISO has been watered down over the years. It’s become a catch-all phrase for all forms of security consulting: everything from security analyst/engineering work to compliance prep to cloud security work and so forth.

Additionally, and probably somewhat related, many MSPs and MSSPs have added a vCISO service as well and bundled it into their offerings. This makes sense, as most companies that don’t have room for a full-time CISO may not have any security people, or IT people for that matter.

However, it can become a gray area, as they sell services and products directly or indirectly. It really depends on the relationship and transparency involved.

Hypothesis: I think the term vCISO implies that you can do more than just advisory, or that you may be technically inclined. Like a Swiss Army knife CISO.

Many purists like the term Fractional CISO because it’s clear. Just like fractional CFO, CTO, and CMO.

This is my preferred term.

A client told me once, “So you’re basically a CISO,” and it made me think: yeah, I am, just part-time and without the liability/responsibility.

Oh and they actually listen to me too!

The Interim CISO

An honorable mention here is the Interim CISO or, in some cases, the “Named CISO”. In this case, the CISO is functioning as close as possible to a real CISO, as they are publicly facing and not behind the scenes. This could include a sales enablement role, or the responsibility to build out a security team and operations and present directly to the board. Of course, this is a well regarded role in the vCISO space.

🌴 Why Does The vCISO Exist?

It’s simple economics and math really: demand. It’s hard or expensive for a company to have an FTE security person. These companies are challenged with policy and compliance woes, or are facing SOC 2 deadlines and need someone to “fix” their security.

In other cases, they actually do want to improve their security and are willing to do the work, but just need guidance on prioritization and strategy, especially if the company is small. As the company grows, they become ready to make a commitment to a full-time CISO or Director of Security.

It really comes down to the leadership of the company understanding that they need security (vs. checkbox security) and wanting a professional to help.

On the other side, the tenure of a CISO is sometimes limited, or they’re looking for a way out of burnout, so they look into becoming a vCISO.

📈 What Is The State of the vCISO Market Today?

Ah, now let’s get into the heart of it. The vCISO market has exploded in the past few years. Let’s go over a few things.

Anecdotally, I did a search for various titles on LinkedIn; here is what I found:

  • vCISO = 859 results

  • Fractional = 89 results (just 10%!)

  • CISO = 30k results

I also noticed a few things. Many fractional CIOs tacked CISO onto their titles in some form or fashion as well.

In the fractional market, the more you can do, the better, so it makes sense that fractional CIOs and CTOs are adding security to their marketing game. However, their breadth of security experience is probably not as broad as that of an experienced vCISO or Fractional CISO.

So to recap, you have a few different types of vCISOs:

Individual vCISOs

These are individual practitioners that may have been CISOs, Deputy CISOs, or other types of security leaders, and that work with a handful of companies at a time in a fractional capacity. It can be anywhere from 25-75% of their time with each client, depending on the type of work required. They typically don’t have staff, but maybe they have a virtual assistant helping them.

vCISO Firms

These are firms that only do vCISO.

It may be a straight marketplace or agency model where they simply get clients and go find vCISO contractors to fill the role each time.

Other vCISO firms have a more established delivery model where they have senior security people and advisors on staff, but also junior folks in-house that help with aspects of program management and delivery. Let’s face it, you don’t need to be a rocket scientist to do everything in SOC 2. So for the lower level compliance items you just need an experienced program manager. For other things like ISO internal audits, exception handling, or working with auditors, you definitely need an experienced vCISO.

MSSPs

I alluded to MSSPs before. These are IT providers or MSSPs that provide services like IT, Helpdesk, Security Operations Center (SOC), Penetration Testing, and more, as well as selling a plethora of security products. So in this case they are already security adjacent; why not add vCISO Advisory to the mix?

In this case, there may not be a hard delineation between sales and security advisory; it really depends on the firm. They could be offering a solution with some bias.

I have a list of all the vCISO firms out there. Reply to this email if you’re interested. If I get enough emails, I’ll publish it.

🎯 Conclusion

The vCISO market is an interesting space.

Many CISOs poo-poo vCISOs, saying that they are not real CISOs.

Others are fascinated by the concept: the ability to help multiple companies with their security and be in a position of authority, welcomed with open arms.

Whatever the opinion of the day, there is definitely a need for them, which is why they exist. Pure market dynamics.

Thanks for reading!!

P.S. Don’t forget to check it out and kindly repost/share with your networks. I would really appreciate it. 🙏🏼
