For a scale-up between 30 and 200 people facing increasing cybersecurity pressure (enterprise client demands, certification project, NIS2 compliance, post-incident response), the question arises: hire an in-house CISO or engage a fractional CISO?
Both are legitimate options. The wrong choice for the wrong size and timing costs more than the salary differential.
The hidden costs of an in-house CISO
Hiring an in-house senior CISO in 2026 in Europe carries:
- Total loaded annual cost: €120-180K (salary + social charges + benefits + tools).
- Recruitment time: 4-9 months from search to onboarding completion. Recruitment fees: 25-30% of first-year salary.
- Onboarding cost: 3-6 months before the CISO is fully productive. During this period the rest of the team also pays a tax: interviews, system inventories and briefings for the newcomer.
- Vacancy risk: leave, sickness, departure. Senior CISO turnover in scale-ups is 15-25% per year.
- Profile risk: an experienced senior CISO is rare. Many scale-ups end up hiring junior or mid-level profiles, which limits the strategic value.
The fractional CISO model
A fractional CISO is a senior CISO who works part-time across 2-4 organizations. Typical engagement:
- Cadence: 2 to 10 days per month, depending on need.
- Scope: strategy, governance, certification preparation, incident response, supplier oversight, board reporting.
- Cost: €4-13K per month depending on cadence (€800-1500/day standard rate for a senior CISO).
- Time to deploy: 2-4 weeks (vs 4-9 months for hiring).
The 4 decision criteria
Criterion 1: Operational volume
How many days per month does cybersecurity actually consume?
- Less than 4 days/month: ad-hoc external support is sufficient. A CISO function, even fractional, is overkill.
- 4-10 days/month: fractional CISO is the optimum. Senior expertise without the full-time cost.
- 10-15 days/month: extended fractional CISO (10+ days) or hire a junior in-house CISO supported by a fractional senior.
- More than 15 days/month: in-house CISO is justified.
Criterion 2: Organization size
Empirical thresholds in 2026:
- Under 30 people: ad-hoc + fractional in critical phases.
- 30-150 people: fractional CISO is the dominant pattern. ROI clearly positive vs in-house.
- 150-300 people: hybrid model (fractional senior + junior in-house) or in-house senior CISO.
- 300+ people: in-house senior CISO + dedicated team.
Criterion 3: Regulatory regime
Some sectors require an in-house CISO regardless of size:
- NIS2 Essential Entity: in-house CISO often required by national authorities for accountability reasons.
- DORA financial entity: dedicated function explicitly required.
- OIV (France): dedicated security manager required.
- Healthcare (HDS in France): security referent required.
Outside these regulated regimes, the choice is operational, not regulatory.
Criterion 4: Strategic horizon
If the company plans:
- Series B / Series C in the next 12-18 months: investors will look for evidence of cyber maturity. Fractional CISO is sufficient and demonstrably cost-effective.
- IPO in the next 24-36 months: an in-house CISO becomes necessary at some point in the run-up. Plan the transition from fractional to in-house within the IPO preparation timeline.
- Acquisition target: fractional CISO supports due diligence elegantly. Acquirers do their own integration.
The transition path
The smart approach is rarely "in-house CISO immediately." It is:
- Phase 1 (months 0-6): fractional CISO 2-4 days/month. Bootstrap ISMS, mapping, baseline.
- Phase 2 (months 6-12): fractional CISO 4-8 days/month. ISO 27001 / SOC 2 certification, NIS2 compliance.
- Phase 3 (months 12-18): extended fractional CISO 8-12 days/month if growth justifies. Or in-house CISO transition planned.
- Phase 4 (month 18+): in-house CISO if size justifies. Fractional CISO ensures 1-3 month transition, transferring institutional memory.
This staged approach avoids the trap of premature in-house hiring (€120-180K for someone who has nothing structured to inherit) and the opposite trap of insufficient leadership at scale.
Common mistakes to avoid
Mistake 1: hiring a senior in-house CISO too early
A senior CISO arriving at a 30-person scale-up with no existing ISMS spends 6+ months on mapping: €60-90K of salary spent laying groundwork with nothing to build on yet. A fractional CISO does the same mapping in 2 months for €15-25K.
Mistake 2: extending too long with the fractional model
Beyond 200 people or in regulated sectors, the fractional model becomes operationally constrained. Daily availability is needed for incident response, supplier negotiation, internal escalation. Plan the transition to in-house when growth justifies it.
Mistake 3: choosing the cheapest fractional CISO
The fractional CISO market in 2026 has wide pricing dispersion (€500-1500/day). The cheapest are often junior consultants or generalists. The 3x price differential reflects 10x experience differential. For a CISO function — strategic, exposed, accountable — seniority matters.
Frequently asked questions
When is a fractional CISO sufficient and when is an in-house CISO needed?
Empirically: under 150 people, fractional is dominant (€4-13K/month vs €120-180K/year in-house). 150-300: hybrid or junior in-house. 300+: in-house senior. Some regulated sectors (NIS2 Essential Entity, DORA, OIV) require in-house regardless of size.
What is the cost difference between fractional and in-house CISO?
An in-house senior CISO in Europe costs €120-180K/year loaded (salary + benefits + tools). A fractional CISO costs €4-13K/month depending on cadence (typically €800-1500/day standard rate). Saving: 40-60% when fractional is sufficient.
How fast can a fractional CISO be deployed?
Typical deployment: 2-4 weeks (engagement letter signed, scoping call, kick-off). For an in-house CISO, count 4-9 months between the start of recruitment and full onboarding completion.
Can a fractional CISO sign for the company?
No, as a matter of principle. The fractional CISO advises, operates and facilitates, but legal commitments (regulatory notifications, contractual signatures) remain those of the company executives. The fractional CISO prepares the documents and validates them technically; the executives sign. This is also consistent with the NIS2 directive, which places responsibility for approving and overseeing cybersecurity risk-management measures on the management body (Article 20).
How does the transition from fractional to in-house CISO work?
When growth justifies an in-house CISO (typically 18-24 months after start of fractional engagement), the fractional CISO actively prepares the transition: documentation transferred, operational ISMS, up-to-date runbooks. Once the in-house CISO is recruited, the fractional ensures 1-3 months of transition to transfer institutional memory.