vCISO vs Fractional CISO vs BISO
Compare vCISO, fractional CISO, and BISO roles with a practical decision matrix covering engagement model, pricing shape, and transition timing.
Why this pillar exists
The terms vCISO, fractional CISO, and BISO are used interchangeably in LinkedIn job ads and consultancy decks — and the mismatch costs firms months of lost progress when they hire the wrong shape for their size, regulator, or lifecycle stage.
This pillar disambiguates them, locks definitions, and gives a Decision Matrix you can use to choose the right one for your firm.
The three roles, sharply defined
vCISO — Virtual CISO
A senior security leader who acts as your CISO inside your environment, on a fractional cadence — typically 1.5 days/week with monthly board attendance. The vCISO holds the role’s external relationships (regulators, auditors, key vendors), owns the ISMS, and writes the board paper. The role is a fractional substitute for a full-time CISO.
Fractional CISO
A full-time security leader engaged for a defined window — typically 3-12 months — to bridge a permanent hire, lead a transformation, or parachute in for a regulatory programme. Pricing typically reflects full-time-equivalent rates; the time commitment matches.
The line between vCISO and fractional CISO is the time commitment: vCISO is fractional-by-design (1-2 days/week, indefinite); fractional CISO is full-time-by-design (5 days/week, defined window).
BISO — Business Information Security Officer
A senior security leader embedded inside a single business unit (payments, lending, AI platform, customer ops). Reports up to the central CISO function. Acts as the security translator for that business unit’s leadership; owns the unit’s risk posture; brings issues that need central CISO attention.
A BISO is additive to a central CISO function, not a substitute for one.
The vCISO Decision Matrix
Three axes. Pick the cell that matches your firm. Read the recommended shape.
Axis 1 — Size
- <50 staff — vCISO almost always (the cost of full-time CISO is hard to justify under this size unless regulator-driven)
- 50-300 staff — vCISO usually; fractional CISO if you have a named transformation with a hard end date
- 300-1000 staff — fractional CISO leading toward a permanent hire; vCISO continues post-hire as a senior advisor in some cases
- 1000+ staff — permanent CISO; BISOs in business units; vCISO rarely (only for very specific advisory windows)
Axis 2 — Regulator
- No regulator — vCISO if you have any security obligation at all (B2B customers will require evidence)
- One regulator (e.g. ICO under GDPR) — vCISO comfortable
- Multiple regulators (e.g. FCA + ICO + PCI SSC) — vCISO at smaller end; fractional CISO leaning toward permanent hire as the number of regulators grows
- Critical-infrastructure operator / NIS2 in scope — permanent CISO; BISOs in business units; fractional CISO only as bridge
Axis 3 — Lifecycle stage
- Pre-launch — vCISO; you need senior thinking on architecture before you build the wrong thing
- Series A / B fundraise — vCISO usually; fractional CISO if due-diligence-driven
- Pre-IPO / pre-acquisition — fractional CISO bridging to permanent; high diligence scrutiny
- Post-incident — fractional CISO almost always; the role needs full-time presence for 3-6 months
- Steady state with regulator obligations — vCISO
Engagement model — what a vCISO actually does
A vCISO engagement runs to a recognisable shape. We’ve delivered this across the sectors listed on our CV (fintech, energy, consumer finance, crypto custody) and the rhythm holds:
Week-1 to Week-8 (initial scope)
- ISMS skeleton (scope, risk register, Statement of Applicability)
- 90-day plan with named owners
- Board pack template (3 pages, 12 bullets, 1 recommendation)
- Vendor / ICT third-party register baseline
- First board attendance with the new shape
Monthly retainer (post-week-8)
- Two board / risk-committee attendances per month
- Weekly sync with engineering and operations leaders
- Quarterly strategic refresh of the 90-day plan
- Quarterly third-party / regulator landscape update
- Annual ISMS recertification cycle (when ISO 27001 in scope)
Exit ramp (when permanent CISO hired)
- 4-week shadowing period with the permanent hire
- Exit pack: ISMS artefacts, contact register, decisions log, outstanding work
- Optional 12-week post-exit advisory (1-2 hours/week) for the new CISO
Pricing — what the shape costs
Indicative ranges for the UK market. Negotiable based on scope, regulator complexity, and seniority required.
- vCISO retainer — £6,000-£15,000/month for typical fintech engagement (1.5 days/week, board cadence)
- Fractional CISO — £900-£1,500/day equivalent; full-time over the engagement window
- BISO — typically a permanent hire (£100k-£180k base in UK fintech); fractional BISO sometimes available at vCISO rates
The temptation is to compare these to the loaded cost of a permanent CISO (£200k-£400k all-in for senior fintech in the UK). The more useful comparison is to the cost of NOT having one: the regulatory finding that didn’t happen, the audit-driven sales cycle that closed three months earlier, the customer who didn’t churn after an incident.
How to know it’s working
Five signals to put on the same dashboard the board reads:
- Board confidence — measured by the question count per board paper. High at start (good — board is engaging); trending down as the format becomes recognisable (good — board is comfortable).
- Regulator engagement — number of unprompted regulator conversations should fall (your firm becomes well-understood).
- ISMS audit findings — trending down across cycles.
- Incident time-to-board — incidents reach the board paper within the same quarter (not buried, not over-shared).
- Permanent hire readiness — when the time comes, the spec writes itself; the candidate has artefacts to inherit.
When to switch
The vCISO → fractional CISO transition typically happens when:
- The firm crosses 300-500 staff
- A named transformation needs full-time presence
- Funding is secured for a permanent CISO and a 6-12 month bridge is needed
- A regulatory programme requires day-to-day presence (DORA, PCI DSS v4 first cycle, ISO 27001 greenfield)
The fractional CISO → permanent CISO transition typically happens when:
- The firm reaches 1000+ staff
- The CISO role is itself adding direct reports (i.e. you’re hiring Security Engineering / SOC / GRC under the CISO)
- The board is ready for the role to be a fixture, not a project
The vCISO → BISO transition is rare; usually the central CISO function is built first, then BISOs are added inside business units that need dedicated security attention.
Common ways firms get this wrong
- Hiring a permanent CISO too early. A 50-staff fintech with no regulator pressure rarely justifies the £250k+ all-in cost; the vCISO buys you 2 years of leadership with budget left for actual controls.
- Using a fractional CISO indefinitely. If the engagement runs past 18 months without a permanent-hire transition plan, the firm is paying full-time rates for what should be a vCISO retainer.
- Mistaking BISO for fractional CISO. A BISO without a central CISO function above them ends up running unfunded escalations.
- Choosing on price alone. The £3k/month “vCISO” is usually one hour per week of someone reading your runbooks; not the role you thought you were buying.
- Re-litigating the choice every quarter. If the shape works, let it run. Re-evaluation lives in the annual board cycle.
Operating model — the small print
A few things every vCISO engagement should make explicit before signing:
- Conflict of interest disclosure. The vCISO should disclose every other current engagement; you have the right to know if your competitors are on the same person’s roster.
- Indemnity and insurance. Professional indemnity insurance at a level appropriate for the regulatory exposure (typically £5M+ for fintech).
- Data handling. What data the vCISO holds about your firm, where it lives, how it’s destroyed at engagement end.
- Notice and exit. 30-90 day notice both ways; documented exit pack obligation.
- IP ownership. Anything created during the engagement is your IP, with a non-exclusive licence to the vCISO firm to reuse generic patterns.
What to do tomorrow morning
If your firm is in the market for security leadership, four hours of work this week:
- Hour 1: Score yourself on the three Decision Matrix axes (size, regulator, lifecycle stage). Pick the recommended shape.
- Hour 2: Write a one-page brief for the role: outcomes (not activities), board cadence, key relationships, regulator obligations.
- Hour 3: Identify the top two decisions the role will need to make in month 1. (If you can’t, you may not need the role yet.)
- Hour 4: Talk to two firms offering the shape you chose; ask for references from clients in your sector.
By the end of the week you have a clear shape, a clear brief, and a shortlist.
Frequently asked
What's the practical difference between vCISO, fractional CISO, and BISO?
vCISO and fractional CISO are largely synonymous in UK usage — a named senior leader on a part-time cadence, accountable to the board. BISO (Business Information Security Officer) sits inside a business line, translating between security strategy and product delivery. Most regulated fintechs need at least one of each; the pillar maps where each fits.
Is a vCISO a real CISO under FCA / PRA expectations?
Yes, provided the named individual carries the accountability and attends the relevant board / committee sessions. Regulators care about the substance of the role (decisions, evidence, escalation paths), not the contract under which it's delivered.
When is a permanent in-house CISO the right answer?
Generally when the firm reaches a sustained ~£100M revenue / 250+ headcount / multiple regulated jurisdictions threshold, or when a named CISO becomes a regulatory expectation. Below that, a vCISO delivers the same function more affordably and with deeper cross-firm pattern recognition. The pillar covers the transition criteria in detail.
How do reporting lines work?
vCISO typically reports into the CEO or Chief Risk Officer and attends the board / risk / audit committee on the cadence the firm sets. BISO reports into the relevant business-line leader with dotted-line accountability to the vCISO. Both lines should be documented in the security operating model.
Can the same person do both?
Smaller firms sometimes start with one named individual covering both vCISO and BISO duties. As the business scales, the BISO function naturally splits out into the business line and the vCISO concentrates on board-level strategy and external engagement.