Fractional CISO & Information Security Manager
Every business reaches the point where security needs an owner. Almost none of them need one full-time. Senior leadership and hands-on delivery, a few days a month, from someone who has held the accountability for real.
Right now, who answers for your security? Be honest.
In most growing businesses the answer is: whoever is nearest. The managing director signs the Cyber Essentials declaration. The finance director fills in the insurer's questionnaire. The operations lead fields the customer's security questions, badly, at 5pm on a Friday. None of them chose the job. All of them carry it, on top of the job they actually have, and every one of those documents now has their name on it.
Hiring the role properly costs six figures for a good Chief Information Security Officer, and a serious information security manager is not far behind. For a business of twenty, fifty, even a hundred people, that is the wrong spend. Fractional is the right one: the same accountability and the same experience, delivered one to four days a month by someone who has run security inside defence and regulated industry, where the audiences included the Ministry of Defence and the answers had to survive scrutiny.
Strategic, operational, or both.
Fractional Chief Information Security Officer
The strategic seat. Security risk owned by name and reported to the board in language the board can act on: what we are protecting, what we have decided to accept, what the next pound buys. The strategy and the budget case behind it. And the representation duties that come with the title: when a major customer, insurer, regulator or investor asks to speak to your security lead, someone answers who has carried that accountability before, and it shows.
Fractional Information Security Manager
The engine room. The security programme run month after month: policies people actually follow because someone maintains and enforces them, certifications kept alive between assessments instead of resuscitated before them, supplier assurance completed, customer questionnaires answered the day they arrive, incident response kept ready rather than theoretical. The hundred small security decisions get made by someone whose job they are.
Blended engagements
Most businesses at this stage need a slice of both: board-level ownership one day a month, operational delivery the rest. We set the blend to fit the business and change it as the business changes. A scale-up walking into due diligence needs a different mix from a defence supplier holding three certifications, and both need something different a year later. Same person throughout, either way.
What it looks like in practice
One to four days per month, retained. A standing rhythm: leadership or board reporting, a programme review, and time held for whatever the month throws up, from a customer security questionnaire to an incident scare at nine on a Tuesday. Between visits you have a direct line to the same person, not a ticket queue. Scale up for audits and due diligence, scale back down after. No lock-in, no minimum term theatre.
What you are actually buying.
Experience that transfers
British Army, then years inside private defence companies running cyber security, operational technology and information security where the requirements were non-negotiable. The habits that environment builds, evidence over assurance, accountability by name, reporting in plain language, are precisely what a growing business needs from its first security leader.
The person on this page
Fractional providers love a bench: a senior face for the pitch, a rotating cast for the delivery. We do not have a bench. The person you scope with is the person in your board meetings and the person answering the direct line. Your business gets known once, properly, by the one who stays.
We work ourselves out of the job
Fractional has a ceiling and we will tell you when you hit it. When the business genuinely needs a full-time hire, we say so, help you write the role, sit on the interviews, and hand over properly. The goal is your security function standing on its own, not our permanent line on your invoice.
When to consider fractional leadership.
The trigger is rarely an incident. It is a question: from a customer, a tender, an insurer or your own board, that nobody in the business can answer with authority. If what you actually need is a defined piece of work rather than an ongoing role, our security consulting covers that, and an independent audit is often the honest place to start: it tells the incoming security lead, fractional or otherwise, exactly what they are inheriting.
Related capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreISO 27001 Consultancy
ISO 27001 is the international standard for information security management, and it usually arrives as a deadline: a tender that …
Read more