When does a fractional CISO make sense?
Three typical situations:
1. You are a 30-150-person scale-up that needs to demonstrate cybersecurity maturity to enterprise clients, investors, or insurers — without the workload justifying a full-time CISO (total loaded cost: €120-180K/year).
2. You are starting an ISO 27001 or SOC 2 Type II certification and need a senior lead to structure the ISMS, run the steering committee, prepare for the audit, and own the roadmap.
3. You are a SaaS company subject to NIS2 (50+ employees, strategic sector) and need a recognized security lead to reach compliance before October 2026 and to respond to incidents.
What the fractional CISO actually does
Typical scope of a WeeSec fractional CISO engagement:
- Strategy and governance: annual risk analysis, security policy, quarterly steering committee, executive/board reporting.
- Compliance and certifications: steering of ISO 27001 / SOC 2 / NIS2 / GDPR / DORA / EU AI Act programmes, depending on your context. Audit preparation and presence at audits.
- Product security and DevSecOps: architecture review, security integration in SDLC, threat modeling on new features, code audit supervision.
- Incident management: runbooks, crisis (tabletop) exercises, real incident response — on-call availability if needed.
- Vendor management: tool selection (EDR, SIEM, GRC, scanner), security contract negotiation, SLA tracking, external pentest supervision.
- Client representation: responses to prospects' security due diligence questionnaires (DDQs), support during client due diligence, presence in client meetings when necessary.
- Awareness: simulated phishing campaigns, team training, security onboarding for new hires.
Format and cadence
Discovery package (2 days/month — €4K/month): for an early-stage scale-up, focused on the roadmap and 1-2 critical projects. Monthly committee plus traceability.
Standard package (4 days/month — €7K/month): the most common. Roadmap steering, quarterly steering committee, project tracking, product support, non-critical incident management.
Certification package (6 to 8 days/month — €10-13K/month): for the active phase of ISO 27001 or SOC 2 Type II certification. Documentation, internal audit, certifier audit preparation and presence.
Extended package (10+ days/month): half-time equivalent. For organizations with multiple challenges (multi-entity, regulated sectors). On quote.
All packages include: direct on-call hotline, unlimited email support, full traceability (Notion or shared tool), monthly reviews.
Comparison with an in-house CISO
| Criterion | In-house CISO | WeeSec fractional CISO |
|---|---|---|
| Annual loaded cost | €120-180K | €48-120K |
| Time to deployment | 4-9 months (recruiting + onboarding) | 2 weeks |
| Seniority level | Variable (often less experienced in AI security) | 15+ years of enterprise-account experience |
| Vendor independence | Variable | Total — no partnerships |
| Multi-framework | Often single-framework | ISO 27001, ISO 42001, SOC 2, NIS2, DORA, EU AI Act, CRA |
| Vacancy / leave | Risk of a coverage gap | Contractual, with planned backup |
The fractional CISO is not a stopgap. It is the most cost-effective and operational option as long as the organization does not yet have the volume that justifies a full-time CISO (typically >150 people or a heavily regulated sector).
What you get after 6 months
After 6 months of typical fractional CISO support:
- Operational ISMS: security policy, risk management, incident management, access management — all documented and applied.
- Tracked compliance: NIS2 compliance achieved, or ISO 27001 stage 2 audit-ready, or SOC 2 Type II observation period under way.
- Client-ready documentation: standardized DDQ responses, public security factsheet, auditable traceability.
- Indicators in place: monthly security dashboard (open vulnerabilities, MFA coverage, training, incidents).
- Trained team: developers aware, sysadmins equipped, executives up to date on obligations.