Leadership · Service 08

Fractional CISO & Information Security Manager

Every business reaches the point where security needs an owner. Almost none of them need one full-time. Senior leadership and hands-on delivery, a few days a month, from someone who has held the accountability for real.

What this is

Right now, who answers for your security? Be honest.

In most growing businesses the answer is: whoever is nearest. The managing director signs the Cyber Essentials declaration. The finance director fills in the insurer's questionnaire. The operations lead fields the customer's security questions, badly, at 5pm on a Friday. None of them chose the job. All of them carry it, on top of the job they actually have, and every one of those documents now has their name on it.

Hiring the role properly costs six figures for a good Chief Information Security Officer, and a serious information security manager is not far behind. For a business of twenty, fifty, even a hundred people, that is the wrong spend. Fractional is the right one: the same accountability and the same experience, delivered one to four days a month by someone who has run security inside defence and regulated industry, where the audiences included the Ministry of Defence and the answers had to survive scrutiny.

The two roles

Strategic, operational, or both.

01

Fractional Chief Information Security Officer

The strategic seat. Security risk owned by name and reported to the board in language the board can act on: what we are protecting, what we have decided to accept, what the next pound buys. The strategy and the budget case behind it. And the representation duties that come with the title: when a major customer, insurer, regulator or investor asks to speak to your security lead, someone answers who has carried that accountability before, and it shows.

Risk owned by name at board levelStrategy and the budget caseAnswers that survive scrutiny
02

Fractional Information Security Manager

The engine room. The security programme run month after month: policies people actually follow because someone maintains and enforces them, certifications kept alive between assessments instead of resuscitated before them, supplier assurance completed, customer questionnaires answered the day they arrive, incident response kept ready rather than theoretical. The hundred small security decisions get made by someone whose job they are.

Programme run, not written and shelvedCertifications alive between assessmentsQuestionnaires answered same day
03

Blended engagements

Most businesses at this stage need a slice of both: board-level ownership one day a month, operational delivery the rest. We set the blend to fit the business and change it as the business changes. A scale-up walking into due diligence needs a different mix from a defence supplier holding three certifications, and both need something different a year later. Same person throughout, either way.

Blend set to fit, rebalanced as you growDue diligence to defence supply chainOne named person throughout
04

What it looks like in practice

One to four days per month, retained. A standing rhythm: leadership or board reporting, a programme review, and time held for whatever the month throws up, from a customer security questionnaire to an incident scare at nine on a Tuesday. Between visits you have a direct line to the same person, not a ticket queue. Scale up for audits and due diligence, scale back down after. No lock-in, no minimum term theatre.

1-4 days per month, retainedDirect line, same personScale up or down, no lock-in
The honest bit

What you are actually buying.

i

Experience that transfers

British Army, then years inside private defence companies running cyber security, operational technology and information security where the requirements were non-negotiable. The habits that environment builds, evidence over assurance, accountability by name, reporting in plain language, are precisely what a growing business needs from its first security leader.

ii

The person on this page

Fractional providers love a bench: a senior face for the pitch, a rotating cast for the delivery. We do not have a bench. The person you scope with is the person in your board meetings and the person answering the direct line. Your business gets known once, properly, by the one who stays.

iii

We work ourselves out of the job

Fractional has a ceiling and we will tell you when you hit it. When the business genuinely needs a full-time hire, we say so, help you write the role, sit on the interviews, and hand over properly. The goal is your security function standing on its own, not our permanent line on your invoice.

Is this right for you?

When to consider fractional leadership.

The trigger is rarely an incident. It is a question: from a customer, a tender, an insurer or your own board, that nobody in the business can answer with authority. If what you actually need is a defined piece of work rather than an ongoing role, our security consulting covers that, and an independent audit is often the honest place to start: it tells the incoming security lead, fractional or otherwise, exactly what they are inheriting.

Common triggers

  • A customer, tender or regulator has asked who is responsible for your security, and the silence was noticeable
  • You hold certifications that nobody clearly owns between assessments
  • Security decisions keep landing on people whose actual job is something else
  • You need the leadership now but cannot justify the full-time salary yet
  • Your board wants security reporting it can understand and act on