Fractional CISO: The UK Business Guide
Feb 24, 2026
Cybersecurity has moved from an IT concern to a board-level risk. Regulators expect it, insurers require it, clients ask about it in procurement questionnaires, and investors scrutinise it during due diligence.
The problem for most mid-market UK businesses is that a full-time Chief Information Security Officer costs £100,000-£300,000 in salary alone, before you add employer costs. And even if you could afford one, the global shortage of experienced cybersecurity leaders means the hiring market is brutally competitive.
A fractional CISO gives you senior cybersecurity leadership on a retained, part-time basis. Not an outsourced security operations centre. Not a consultant who runs a penetration test and leaves. A genuine security leader who understands your business, sits in your leadership meetings, and takes ownership of your security posture.
This guide explains what a fractional CISO does, what it costs, when you need one, and how to get real value from the engagement.
What Is a Fractional CISO?
A fractional CISO is an experienced cybersecurity executive who provides strategic security leadership to your business on a part-time, ongoing basis. They typically work with two to four organisations simultaneously, dedicating one to three days per week to each.
You may also hear the terms "virtual CISO" (vCISO) or "CISO as a Service." There are subtle differences in practice. A virtual CISO is often more remote and advisory. A fractional CISO tends to be more embedded, attending your meetings, engaging with your team, and taking genuine ownership of outcomes. The terms are used interchangeably in the market, but the level of involvement matters.
A good fractional CISO is not a security technician. They are a strategic leader who happens to specialise in cybersecurity. They understand risk in business terms, they can present to a board without drowning people in jargon, and they know how to build a proportionate security programme that protects the business without paralysing it.
What Does a Fractional CISO Do?
The role covers several interconnected areas.
Security strategy and governance. Developing a cybersecurity strategy that aligns with your business objectives and risk appetite. This means understanding what assets matter most, where the real threats are, and what level of security investment is proportionate to your risk. It is not about achieving perfection; it is about making informed trade-offs.
Risk assessment and management. Identifying vulnerabilities, assessing their business impact, and building a prioritised plan to address them. This includes technical risks (unpatched systems, misconfigured cloud environments) and operational risks (staff awareness, supplier security, incident response readiness).
Compliance and regulatory alignment. Navigating the frameworks that apply to your business. In the UK, this commonly includes UK GDPR (Data Protection Act 2018), Cyber Essentials and Cyber Essentials Plus, ISO 27001, PCI DSS for businesses handling card payments, NIS2 for organisations in essential and important sectors, and sector-specific requirements like FCA regulations for financial services or NHS DSPT for healthtech.
Incident response planning. Building the playbooks, processes, and team readiness to respond effectively when (not if) a security incident occurs. This includes tabletop exercises, communication plans, and relationships with external incident response providers.
Vendor and supply chain security. Assessing third-party risks, managing security requirements in procurement, and ensuring your suppliers are not your weakest link. This has become significantly more important as supply chain attacks have increased.
Security culture and awareness. Training is only part of this. A good CISO builds a culture where people understand why security matters and feel empowered to flag concerns. This is about behaviour change, not just annual e-learning modules.
Board and stakeholder communication. Translating technical security posture into language that board members, investors, and clients can understand and act on. This includes reporting on risk levels, the effectiveness of security investments, and emerging threats relevant to the business.
How Much Does a Fractional CISO Cost in the UK?
UK fractional CISO pricing typically falls into these ranges:
Day rates: £1,000-£3,000 per day. CISOs with deep regulatory experience (FCA, ISO 27001 lead auditor, CREST certifications) tend to be at the higher end.
Monthly retainers: £3,000-£10,000 per month, depending on the time commitment and scope of work. Most mid-market businesses find that one to two days per week (£4,000-£7,000/month) gives them meaningful coverage.
Annual cost comparison: A fractional CISO at £5,000/month costs £60,000 per year. A full-time CISO costs £100,000-£300,000 when you include salary, employer costs, and recruitment fees. For most businesses in the £8-30 million revenue range, the fractional model delivers 80% of the value at 30-40% of the cost.
Pricing is influenced by your industry (regulated sectors cost more), the maturity of your existing security programme (starting from scratch takes more initial effort), and whether the engagement includes hands-on work like policy writing and compliance preparation, or is primarily strategic oversight.
When Do You Need a Fractional CISO?
Several triggers indicate it is time to bring in senior security leadership.
Your clients are asking security questions you cannot answer. Enterprise clients and public sector organisations increasingly require security assurance from their suppliers. If you are losing deals or delaying procurement because you cannot demonstrate your security posture, you have a commercial problem that a CISO can solve.
You are pursuing a certification (Cyber Essentials Plus, ISO 27001, SOC 2). These frameworks require someone to own the security programme. Your IT manager can support the technical implementation, but the strategic planning, policy development, and audit preparation need CISO-level oversight.
You have had a security incident, or a near miss. If a phishing attack, ransomware incident, or data breach has exposed gaps in your defences, bringing in a CISO is not optional. It is urgent.
You are preparing for investment, acquisition, or exit. Cybersecurity due diligence has become standard in M&A. Acquirers and investors want to see a mature security programme, clear risk management, and evidence of ongoing improvement. A fractional CISO can prepare your business for this scrutiny.
Your cyber insurance premiums are rising or your coverage is being restricted. Insurers are tightening their requirements. Demonstrating that you have a named CISO overseeing your security programme can improve both your premiums and your coverage.
You are in a regulated sector. Financial services (FCA), healthcare (NHS DSPT, MHRA), and critical infrastructure (NIS2) all have specific cybersecurity obligations that require senior, informed oversight.
You handle sensitive data. If your business processes personal data at scale, holds commercially sensitive intellectual property, or manages data on behalf of clients, the risk profile justifies dedicated security leadership.
How a Fractional CISO Differs from Other Security Services
It is important to understand what a fractional CISO is not.
Not a managed security service provider (MSSP). An MSSP monitors your systems and responds to alerts. They are a detection and response tool. A CISO is a strategic leader who decides what to monitor, how to respond, and where to invest. You may need both, but they serve different purposes.
Not a penetration tester. A pen test finds vulnerabilities at a point in time. A CISO builds the ongoing programme that prevents vulnerabilities from emerging and ensures findings are acted upon.
Not an IT manager wearing a security hat. Many mid-market businesses ask their IT manager to handle security as a secondary responsibility. This creates a conflict of interest (the person building systems is also the person assessing their security) and rarely results in strategic security management.
Not a compliance consultant. A compliance consultant helps you achieve a certificate. A CISO ensures the security programme behind the certificate is real, maintained, and effective. Certificates without substance are dangerous because they create a false sense of security.
UK Regulatory Landscape
UK businesses face an increasingly complex web of cybersecurity regulations and standards.
UK GDPR and the Data Protection Act 2018 require appropriate technical and organisational measures to protect personal data. The ICO can issue fines of up to £17.5 million or 4% of annual global turnover.
Cyber Essentials is the UK government-backed scheme that all businesses should consider as a baseline. Cyber Essentials Plus includes independent verification. Many government contracts now require Cyber Essentials certification as a minimum.
NIS2 (transposed as the Cyber Security and Resilience Bill in the UK) expands obligations for organisations in essential and important sectors, including managed service providers. This will bring many mid-market businesses into scope for the first time.
ISO 27001:2022 is the international standard for information security management systems. While voluntary, it is increasingly expected by enterprise clients, particularly in technology and professional services.
Sector-specific requirements add further layers. FCA-regulated firms must comply with operational resilience frameworks. Healthcare organisations must meet the NHS Data Security and Protection Toolkit. Payment processors must maintain PCI DSS compliance.
A fractional CISO helps you navigate this landscape proportionately, focusing your investment on the requirements that genuinely affect your business rather than pursuing every framework simultaneously.
Boardman's Fractional CISO Service
At Boardman, our fractional CISO engagements are designed for mid-market UK businesses that need real cybersecurity leadership, not just a compliance tick-box exercise.
Our CISOs are experienced security leaders who have held senior roles in relevant industries. They understand the technical landscape, the regulatory requirements, and the commercial realities of running a growing business. They are equally comfortable in a board meeting and a security operations review.
We structure engagements as retained relationships, typically 12-18 months, because building a mature security programme takes time. Quick wins exist and we pursue them aggressively in the early weeks. But lasting improvement comes from sustained, informed leadership.
If you are unsure whether your business needs a fractional CISO, we are happy to have a straightforward conversation about where you stand and what would actually make a difference. Sometimes the honest answer is that you need a Cyber Essentials certification and a better IT partner, not a CISO. We will tell you that.