Information security, cyber security, and privacy are starting to receive the attention they need for unfortunate reasons: Companies are facing a steep increase in the number of cyber-attacks, which are getting more effective and damaging. The consequences can be dire and affect companies' finances, reputations, and customers.
Company leaders need to equip themselves with adequate resources and skills to manage this increasing risk. Just like a COO handles operations and a CFO for finance, a CISO handles leading the company’s information security practices. This includes information and data protection, privacy, and cyber security.
Not all companies have the resources or the need to create a new full-time position for this role. Several options exist, so let’s go through them.
| CISO | Interim CISO | Fractional CISO | Virtual CISO | Advisor | Consultant | |
|---|---|---|---|---|---|---|
| Scenario | Large companies typically use it. However, it can be justified for medium companies with significant risks linked to Infosec, cyber, and/or privacy. | Cover someone who is not available for a while (e.g., parental leave), or temporary fill the gap until a permanent CISO is found. | Perfect for small to medium companies. | Excellent choice to augment another C-level executive who might have the formal CISO role but lacks the time or expertise. | Excellent value for boards or C-level executives wanting an independent opinion. | Good options for a well-defined project are defined, such as writing cyber security policies or helping mitigate a specific risk. |
| Contract type | Full-time | Full-time, fixed term | Part-time on set days | Part-time on set days | Typically, on-retainer | Project-based |
| Scope of CISO responsibilities | Full | Full | Full | Depends on agreed scope | Depends on agreed scope | Project-based |
| Accountable | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Responsible | ✅ | ✅ | ✅ | ✅ (based on scope) | ❌ | ❌ |
| Embedded with teams | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Lead teams | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Full time | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Open-ended | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ |
| Pros | They come with all the bells and whistles. This is a must for large companies. For best results, the CISO should report to the CEO. | They can help bridge a temporary gap while waiting for the CISO to return or looking for the right CISO. | All the benefits of a CISO for a fraction of the cost. This is a great solution for medium-sized companies. | Excellent value if another executive is already covering part of the work but needs an extra pair of hands or skills to get the job done | Perfect for quick access to an expert who knows your company and can give tailored independent advice. | Good for well-defined projects with clear deliverables |
There will be variations in the terminology and details, and the lines are blurred, but the contract should clarify this. This table should give you an idea of your options and their typical characteristics.
⚠️ Shameful plug: I do offer Fractional CISO, Virtual CISO, advisory and consultancy services.