CISO Security Culture IT Operations March 28, 2026

Why SMBs should hire a fractional CISO (and what to look for)

The 5 questions to ask a vCISO before signing. What good looks like, and how a portfolio tool changes everything.

Somewhere between 50 and 200 employees, most companies hit the same inflection point: the threats are real, the regulatory requirements are real, and the budget for a full-time Chief Information Security Officer — $200,000 to $350,000 per year in total comp — is not.

This is exactly the problem the fractional CISO model was designed to solve.

A fractional CISO, sometimes called a virtual CISO or vCISO, provides senior security leadership on a part-time or retainer basis. Instead of one company getting one CISO full-time, a vCISO serves multiple companies part-time — typically four to eight clients simultaneously. The cost to each client is a fraction of full-time employment. The expertise is the same.

If you’re a founder, COO, or IT lead considering this arrangement for the first time, here’s what you should actually understand about what a vCISO does, what makes a good one, and what to look for before you sign.

What a vCISO actually does week to week

The job description sounds abstract — “provides security leadership” — but the actual weekly work is concrete.

A good vCISO will spend time in your environment every week, not just for the monthly call. They will review your access controls: who has admin rights, who has accounts that are no longer active, where your most sensitive data sits and who can reach it. They will track your open security findings and push for resolution. They will manage your compliance program if you have ISO 27001, SOC2, or HIPAA obligations. When something goes wrong — a phishing incident, a suspected breach, a vendor asking for your security posture documentation — they are the person who handles it.

The monthly or quarterly board presentation is the visible output. The weekly operational work is what produces it.

The cost math

A mid-market fractional CISO typically charges between $5,000 and $15,000 per month depending on scope, client portfolio size, and geography. For that range, you get roughly 20 to 40 hours of senior security attention per month.

Compare that to a full-time hire at $200,000 to $350,000 per year in total comp.

A fractional arrangement at $8,000 per month is $96,000 per year — roughly one-third the cost of the lower end of a full-time hire, with no recruiting overhead, no equity dilution, and no risk if the hire doesn’t work out.

The arithmetic works at most company sizes below 500 employees. Above that, the operational scope typically justifies a full-time role — or at least a fractional arrangement that scales up toward full-time hours.

What makes a good vCISO

Not all fractional CISOs are the same. The credential matters less than the operating model. Here is what separates a strong fractional engagement from a disappointing one.

They have a system, not just expertise. A vCISO who runs their practice from a combination of client-specific spreadsheets and email is operationally constrained. They can serve two or three clients before the coordination overhead limits their capacity. A vCISO with a real portfolio management system — a unified dashboard, consistent reporting, systematic access review tracking — can serve more clients at higher quality. That matters to you because it means your engagement is part of a professional operation, not a side project.

They report consistently, not heroically. A board pack that arrives at 11pm the night before a board meeting, personally written from scratch every month, is a sign of a practice that hasn’t scaled. Consistent, structured reporting — same format, predictable timing, delivered professionally — is a sign that the vCISO is running a system. That system protects you when something urgent happens, because the routine work doesn’t fall apart.

They bring cross-portfolio signal. One of the genuine advantages of a fractional arrangement is that your vCISO has seen the same problem at a dozen other companies. They should be telling you things like “three of my other clients saw this configuration drift last quarter — here’s what it means and how we addressed it.” That cross-portfolio perspective is something an in-house team can never offer. If your vCISO is not surfacing these patterns, they are probably siloing their clients rather than synthesizing across them.

They use tooling that makes you an informed client, not a passive one. You should be able to see your own security posture at any time — not just when the monthly report arrives. Good vCISOs operate from platforms that give the client real-time visibility into their own risk. You should know your current posture score, your open findings, and the status of your access reviews without having to ask.

The 5 questions to ask any vCISO before signing

These questions are designed to surface how a vCISO actually operates, not just what they claim to do.

1. What does your Monday morning look like?

You want to hear something specific and systematic, not “I check in on all my clients.” Ask them to describe exactly how they triage across their portfolio at the start of the week. A vCISO with a real operating model will describe a specific workflow. One who is improvising will give you a vague answer about staying organized.

2. How do you produce our monthly board report?

The red flag answer is “I write it fresh each month based on what happened.” That’s a sign that reporting is a heroic individual effort, not a system — and that you will be competing with four other clients for writing time. The good answer describes a structured process: data is pulled from a consistent source, a structured draft is generated, the vCISO reviews and adjusts, and delivery happens systematically.

3. Can you show me a sanitized example of your reporting format?

If the answer is “I customize it for each client,” that’s fine as a starting point — but ask to see the underlying template. Consistency of format is what allows a board to build intuition over time about how to read a security report. Changing the format every month makes it harder for your board to track trends.

4. How will I see my own security posture between our calls?

You should have access to a live view of your own security status — not just a monthly PDF. Ask what platform or dashboard you will have access to and what it shows. If the answer is “you can ask me anytime,” that’s a dependency, not an answer.

5. How many clients do you currently serve, and what is your capacity?

A fractional CISO with 15 clients and no infrastructure is stretched thin. A fractional CISO with 8 clients and strong tooling may have more effective capacity than one with 4 clients and no system. The number itself matters less than the ratio of clients to operational infrastructure. Follow up by asking how they track cross-client patterns and what happens when two clients have urgent issues in the same week.

What AutoCISO changes for the vCISO relationship

When a vCISO uses AutoCISO’s Partner Portal, the client relationship changes in a specific way: you can see your own posture in real time, not just in the monthly report.

Your security score, open findings, access review status, and risk trends are visible to you at any time in the client portal. The board pack your vCISO delivers is generated from that same data — so the narrative reflects what actually happened, and you can verify it against what you’ve been watching all month.

For you as a client, this means you are an informed participant in your own security program, not a passive recipient of a monthly presentation. For the vCISO, it means less time explaining what happened and more time discussing what to do next.

The combination of a strong practitioner and the right tooling is what makes a fractional engagement work at its best. The questions above will help you find the practitioner. The tooling question is worth asking explicitly.

AutoCISO Team
