Today, we’re going to be talking about fractions. For those already breaking out into cold sweats, don’t worry; it’s not the math kind.
Fractional CISOs, also known as virtual CISOs (vCISOs), have long been viewed in the industry as a cost-effective alternative for companies unable to hire a full-time executive to bolster their cybersecurity posture.
However, Fractional CISO founder and CEO Rob Black told IT Brew that small organizations aren’t the only entities that can gain something from the outsourced services. IT Brew caught up with Black to discuss the changes the fractional CISO provider is seeing in demand from the industry these days.
The conversation below has been edited for length and clarity.
Is it still true that fractional CISOs usually work with smaller companies who don’t have the budget to afford a full-time CISO?
We have some, I would say, pretty large clients. Usually, the larger the client, it might be more of an interim situation. So, basically, the CISO left for whatever reason. You’re probably not hiring someone right away. You need someone to fill the role… Where maybe they have a team, but they have a CISO and five employees, and none of those five employees are senior enough to step up. They might hire us or someone like us to bridge the gap on an interim basis.
Then you have the folks that I would say are mid-market, and it may not be a price consideration. Let’s just imagine you have a 250-person company. You could hire a full-time CISO. You could hire a virtual CISO. If you hire a full-time CISO, that person probably needs a team. So, now it’s not just the CISO, it’s the team. So, there’s that. A lot of times, someone who gets the first CISO role for a company like that is there for 18 months, and then is going to step out of it. And then, I guess the third part of it is that person might not have 40 hours of work to do a week. So basically, those three things: They need a team, they are there as a stepping stone, and they don’t have enough work to do. So, it’s sometimes hard to hire a full-time CISO for those reasons.
And then at the lower end of the market, absolutely, it’s a cost issue. Or just obviously, if you’re a 20-person company, you’re not hiring a full-time CISO; [it] just would not make sense.
What do you think about the criticism that there is no clear line of accountability to a fractional CISO in the case of a security oversight?
I think that is a fair criticism. Anytime you’re hiring an outside party, signing off on behalf of the company is a little challenging. A lot of the time, for instance, when folks need to sign certain documents, it might be [that] whoever the CISO is reporting to at the company is actually signing off. So, I think that may be true literally for sign-off.
For accountability, just like any employee, if you’re unhappy with someone’s work, you get fired. So, I think there’s that kind of accountability. That kind of accountability seems universal, really, for any role, whether it’s a consultant or full-time employee. So, I don’t 100% buy that. I buy it for maybe literally the signing-off for certain papers, that sort of thing. But otherwise, no, I don’t see that.
Do you think the term “fractional CISO” downplays the impact that vCISOs are able to provide?
I think any term is going to be imperfect because, for instance, we may be a virtual CISO, but sometimes we show up on-site, especially if we’re doing a physical security review. We might be virtual, but we also sometimes are there. Fractional, I think, is a pretty good term in the sense that you might have a fractional CFO or fractional chief marketing officer or any other fractional role; people kind of get that understanding, which is, you get a senior cybersecurity leader, but you don’t get 100% of their time. So, I do think that’s pretty descriptive. I think both are fine.