
CISO, fCISO, vCISO, or CISO to the CISO: What's the Difference?

3 April 2026 | 10 min read

The title "CISO" no longer describes a single type of role. Over the past decade, the market has fragmented to meet organisations that need senior security leadership but cannot support - or do not require - a full-time executive salary.

If you are evaluating security leadership options, you will encounter four overlapping but distinct labels: CISO, fCISO (fractional CISO), vCISO (virtual CISO), and CISO to the CISO. Understanding the differences matters because each delivers a different kind of value, requires a different commitment, and suits a different organisational maturity.

CISO: The Full-Time Executive

The traditional Chief Information Security Officer is a permanent member of the executive team. They own the security strategy, the budget, the hiring, the board reporting, and the operational outcomes of the security function. In well-structured organisations, they report to the CEO or COO, not the CIO, and have a direct line to the board.

What you get

  • Complete ownership of the security programme
  • Day-to-day availability for incidents, escalations, and strategic decisions
  • Deep institutional knowledge built over years
  • A single throat to choke for security outcomes

What it costs

  • A six-figure base salary, plus bonus, equity, benefits, and overhead
  • Recruitment lead time of three to six months
  • The risk of a short tenure if expectations or support are misaligned

Best fit

Large enterprises, highly regulated industries, and organisations where security is a continuous, complex operational requirement. If you process sensitive data at scale, operate critical infrastructure, or face persistent advanced threats, a full-time CISO is usually non-negotiable.

fCISO: The Embedded Part-Time Executive

A fractional CISO is an experienced security leader who works with your organisation on a part-time basis - typically one to three days a week. Despite the reduced hours, they are embedded in your leadership team. They attend board meetings, mentor your security staff, set strategy, and hold accountability for outcomes. They are not consultants dropping in for projects; they are executives with a stake in your success.

What you get

  • Senior security leadership at a fraction of the cost of a full-time hire
  • Strategic continuity without the overhead of a permanent executive
  • Hands-on involvement in hiring, vendor selection, incident response, and board communication
  • Flexibility to scale up or down as the organisation grows

What it costs

  • Typically a monthly fee, usually a small fraction of a full-time CISO salary
  • No recruitment fees, equity, or pension burden
  • Lower risk if the engagement needs to evolve

Best fit

Growing businesses - typically £2m+ revenue - that need top-tier security leadership but cannot justify a £150,000+ permanent hire. This is the model we operate at The CISO Network: world-class CISOs who embed within UK businesses on a fractional basis, providing the leadership necessary without the full-time cost.

vCISO: The Remote Advisor

A virtual CISO is often a service rather than an embedded executive. Many managed security service providers (MSSPs) and consultancies offer vCISO services as part of a broader package. The vCISO may be remote, may support many clients simultaneously, and may focus more on compliance checklists, policy templates, and quarterly reviews than on day-to-day strategic leadership.

What you get

  • Access to security expertise without any on-site presence
  • Policy and compliance support, often templated
  • A lower price point than a fractional or full-time CISO

What you do not get

  • Deep cultural embedding or change management
  • Consistent board-level presence and accountability
  • Hands-on involvement in operational decisions, hiring, or incident response

Best fit

Small organisations with basic compliance needs, startups preparing for a first audit, or companies that already have a strong internal security team and just need occasional external validation. If your primary need is a gap analysis or a policy refresh, a vCISO can be sufficient. If you need someone to lead, influence, and deliver, the model often falls short.

CISO to the CISO: The Peer Mentor

This is the least understood of the four roles. A CISO to the CISO - sometimes called a CISO advisor or executive coach - does not run your security programme. Instead, they provide peer-level guidance to an existing CISO, particularly one who is new to the role, operating in isolation, or navigating a complex transformation.

What you get

  • An experienced sounding board for strategy, board presentation, and stakeholder management
  • Guidance on building or restructuring the security team
  • Support through incidents, audits, and career transitions
  • Confidential advice that an internal employee cannot provide

What it costs

  • Typically an hourly or monthly advisory fee
  • No operational responsibility or delivery burden on the advisor

Best fit

Organisations that already have a CISO in place but recognise that the individual would benefit from senior mentorship. This is especially valuable for first-time CISOs, CISOs in industries outside their prior experience, or leaders whose board relationships need strengthening. It is coaching, not outsourcing.

How to Choose

The right model depends on three questions:

1. Do you already have a CISO?

  • If yes, but they need support, consider a CISO to the CISO.
  • If yes, and they are effective, you probably need neither.

2. Do you need strategic leadership and accountability, or just compliance advice?

  • If you need leadership, board presence, and operational impact, choose a CISO or fCISO.
  • If you need policies, checklists, and remote guidance, a vCISO may suffice.

3. Can you justify a full-time executive salary?

  • If yes, and the complexity demands it, and you're confident that your security needs are consistent for the coming years, hire a CISO.
  • Otherwise, if the risk profile requires senior cybersecurity leadership, engage an fCISO.

Summary

Role | Commitment | Embedding | Primary Value | Best For
CISO | Full-time, permanent | Deep executive integration | End-to-end ownership | Large enterprises, complex regulated environments
fCISO | Part-time, ongoing | Deep leadership integration | Strategic leadership at fractional cost | Growing businesses needing senior security direction
vCISO | Variable, often remote | Light, advisory | Compliance and policy support | Small orgs with basic audit or policy needs
CISO to the CISO | Ad hoc or scheduled | External peer relationship | Mentorship and executive coaching | Existing CISOs needing independent guidance

Final Thought

There is no universally correct answer. A Series A startup has different needs from a mid-market manufacturer, which has different needs from a FTSE 250 financial services firm. The mistakes we see most often are hiring a full-time CISO too early or engaging a remote vCISO and expecting them to behave like an executive.

Match the model to the need, the culture, and the risk profile. When you do, security leadership stops being a cost centre and becomes a genuine business enabler. If you need any help with choosing the right model, we're always happy to take your call.
