CISO as a Service: What Your Board Actually Needs to Know
CISO as a Service: A Governance Decision, Not an IT Purchase
What Boards Actually Need to Understand About Fractional Cybersecurity Leadership
Every company has a general counsel. Not every company employs one full-time.
The logic is familiar. You retain outside counsel for specialized matters — M&A, regulatory inquiries, IP disputes — while in-house legal handles the daily work. Nobody questions the model. Nobody asks whether the outside attorney is “really committed” because they’re not sitting in your office five days a week. The question is whether they bring the judgment and experience the situation demands.
CISO-as-a-service follows the same structural logic. And yet, boards that would never blink at retaining outside counsel still hesitate when someone proposes the same model for cybersecurity leadership.
That hesitation is worth examining. What’s underneath it is usually a misunderstanding of what the role actually requires.
This Is a Governance Question, Not an IT Decision
Let’s start with the uncomfortable reality. The SEC now requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material. Regulation S-P, as amended in 2024, requires covered financial institutions to maintain an incident response program and to notify affected individuals of breaches. And the SEC’s governance disclosure rules require companies to describe the board’s oversight of cybersecurity risk and management’s role in assessing and managing it, including the relevant expertise of the people in that role. (The proposed requirement to disclose whether a board member has cybersecurity expertise was dropped from the final rule, but boards should expect the question anyway.)
That changes the calculus. “Who is our CISO?” is no longer an HR question. It’s a governance question with regulatory, legal, and fiduciary implications.
A fractional CISO doesn’t diminish board oversight. Done correctly, it strengthens it. The board gets a security executive whose entire engagement is structured around what boards actually need: risk posture reporting, regulatory alignment, incident governance, and strategic direction. Not ticket queues. Not firewall rules. Not help desk escalations.
Think of it this way. In medicine, the specialist you see twice a year for a complex condition often knows more about your situation than the internist you see every month. Frequency of contact is not the same thing as depth of judgment. The same principle applies here.
What a CISO as a Service Engagement Actually Looks Like
Most of the confusion about this model stems from conflating it with managed security services. They’re fundamentally different functions. An MSSP handles technical operations — monitoring your environment, managing tools, triaging alerts, and executing incident response at the technical layer. A CISO-as-a-service provider operates at the executive and governance layer: setting strategy, managing portfolio-level risk, reporting to the board, and making decisions that shape how the security program evolves.
The legal analogy: the MSSP is your paralegal team handling the day-to-day work. The CISO-as-a-service provider is your general counsel — setting direction, advising the board, making judgment calls.
Strategic leadership, not technical execution
A fractional CISO operates at the executive layer. They own the cybersecurity strategy, the risk narrative to the board, the regulatory posture, and the relationship between security investments and business outcomes. They don’t configure your SIEM. They make sure someone competent is configuring your SIEM — and that the data it produces translates into decisions your leadership team can act on.
I spent fifteen years as Chief Security Officer at Silicon Valley Bank, defending the bank of the innovation economy against nation-state adversaries, navigating regulators across four continents, and presenting to a board that expected depth, not theater. I had a team executing daily operational work. My job was to set direction, manage risk at the portfolio level, align with regulators, and make the hard calls under pressure. That executive function is exactly what a fractional CISO engagement delivers — without the overhead, the recruiting timeline, or the retention risk of a full-time hire.
Board reporting that isn’t theater
This is where operators separate from consultants. Board reporting shouldn’t be a compliance exercise. It shouldn’t be a forty-slide deck full of red-yellow-green matrices that nobody trusts. A CISO-as-a-service engagement should include a defined reporting cadence — at least quarterly — with materials calibrated to the board’s level of sophistication. Real risk posture, measured and communicated in terms that connect to business value.
Doug Hubbard’s How to Measure Anything in Cybersecurity Risk has shaped how I think about this: if you can’t quantify it, you can’t govern it. Most boards are handed qualitative risk theater instead of actual measurement: ordinal heat maps whose colors cannot be added, compared, or tied to a budget. That’s a structural failure, and one a good fractional CISO should start fixing on day one.
Incident governance and crisis readiness
Here’s a question most boards can’t answer cleanly: if you had a material cybersecurity incident at 2 AM tonight, who convenes the decision team, and what’s the process for determining materiality?
A CISO as a service engagement should include incident governance design — not just an incident response plan (your MSSP handles technical response), but the governance layer: who decides materiality, who briefs the board, who coordinates with legal counsel on disclosure posture, and who owns the evidence pack that regulators and auditors will eventually review.
The time to design your incident governance is before the crisis, not during it. This is where pre-mortem thinking earns its keep. You imagine the failure, you walk backward through the chain of decisions that led to it, and you build the structure before the pressure arrives. A good fractional CISO brings that discipline because they’ve lived it — they’ve been the person on the other end of the phone at 2 AM making the call.
The Board’s Diagnostic
If you’re a board member evaluating cybersecurity leadership — whether full-time, fractional, or outsourced — I’d ask you to sit with a sequence of questions. Not as a checklist. As a conversation with yourself.
Start here: Who is accountable for cybersecurity risk at your organization? Not who manages the tools. Who owns the risk narrative for this board? If you hesitated, that’s your first answer.
Now: ask that person to describe your top five cyber risks in business terms. No slides. No deck. Just a conversation. Can they do it? If the answer requires a thirty-page presentation, you don’t have a security leader. You have a security narrator. And narrators don’t make decisions under pressure.
Next question, and it builds on the last: when did you last test that person’s judgment under realistic conditions? Not a tabletop exercise where everyone knows the script. A scenario involving conflicting information, incomplete data, time pressure, and a board-notification decision point. If your last exercise felt comfortable, it wasn’t a test. It was theater.
This one gets harder: does your security leader talk directly to your external auditors and regulators? Or does everything filter through the CIO or CFO first? Because if your CISO only reaches the board through management, you’ve built a structural conflict into the one function that requires independence. You wouldn’t let your general counsel report exclusively through your CFO. Why would you accept that structure for the person defending your digital assets?
Now the question that separates governance from hope: what is your documented process for determining whether a cybersecurity incident is material? The SEC gives you four business days from that determination, and the determination itself must be made without unreasonable delay, so the clock cannot be stalled by deferring the decision. If your honest answer is “we’d figure it out when it happens,” then you’re not disclosure-ready. And the time to discover that is not during the incident.
And the last question — the one that tends to produce the longest silence in the boardroom: can you explain, quantitatively, how your security investments connect to your risk posture? Not a feeling. Not a color on a heat map. An actual measurement. If the connection between what you’re spending and how much risk you’re reducing is a gut sense, you’re governing by intuition. And intuition, as Daniel Kahneman taught us, is a beautiful servant and a dangerous master.
If those questions created discomfort, good. Discomfort is the precondition for better governance. A fractional CISO should be the person who helps you sit with that discomfort and convert it into structure, measurement, and confidence.
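The last question asks for a number, not a color. As an added illustration (example code written for this edit, not the author’s or vCSO.ai’s own model), the following shows the kind of Hubbard-style measurement a board can actually interrogate: each risk is stated as an annual probability plus a 90% confidence interval on loss, a Monte Carlo run turns that register into expected annual loss and a loss-exceedance probability, and a proposed control is judged by how much expected loss it removes per dollar spent. The scenario register, the control, and its cost are constructed figures for the example, not data from any real organization.

```python
"""Monte Carlo loss model in the style of Hubbard's How to Measure Anything
in Cybersecurity Risk. Added example for this article, not the author's own
model. Every figure in the scenario register below is constructed."""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.645  # z-score bounding a two-sided 90% confidence interval


@dataclass(frozen=True)
class Scenario:
    name: str
    p_annual: float  # probability the event occurs in a given year
    loss_lo: float   # 5th percentile of loss, given that the event occurs
    loss_hi: float   # 95th percentile of loss, given that the event occurs


def lognormal_params(lo, hi):
    """Turn a 90% CI on loss into the (mu, sigma) of a lognormal distribution."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def analytic_expected_loss(scenarios):
    """Closed-form annual expected loss: sum over scenarios of p * E[loss]."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_params(s.loss_lo, s.loss_hi)
        total += s.p_annual * math.exp(mu + sigma ** 2 / 2)
    return total


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Simulate `trials` years; each year sums the losses of the events that fire."""
    rng = random.Random(seed)
    params = [(s.p_annual, *lognormal_params(s.loss_lo, s.loss_hi)) for s in scenarios]
    years = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        years.append(total)
    return years


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds `threshold` (one point on the loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def apply_control(scenarios, name, p_factor=1.0, loss_factor=1.0):
    """Model a control as scaling one scenario's likelihood and/or impact range."""
    return [
        replace(s, p_annual=s.p_annual * p_factor,
                loss_lo=s.loss_lo * loss_factor, loss_hi=s.loss_hi * loss_factor)
        if s.name == name else s
        for s in scenarios
    ]


def compare(before, after, control_cost, threshold):
    """Expected annual loss (EAL) and tail risk with and without the control."""
    lb = simulate_annual_losses(before)
    la = simulate_annual_losses(after)
    eal_b = sum(lb) / len(lb)
    eal_a = sum(la) / len(la)
    return {
        "eal_before": eal_b,
        "eal_after": eal_a,
        "risk_reduction": eal_b - eal_a,
        "return_on_control": (eal_b - eal_a) / control_cost,
        "p_exceed_before": exceedance_probability(lb, threshold),
        "p_exceed_after": exceedance_probability(la, threshold),
    }


# Constructed risk register: calibrated-style estimates, not data from any real company.
BASELINE = [
    Scenario("ransomware", 0.10, 500_000, 8_000_000),
    Scenario("bec_wire_fraud", 0.25, 50_000, 1_000_000),
    Scenario("cloud_misconfig_exposure", 0.15, 100_000, 3_000_000),
]
# Hypothetical control: a $60k/year program assumed to halve ransomware likelihood.
CONTROL_COST = 60_000
WITH_CONTROL = apply_control(BASELINE, "ransomware", p_factor=0.5)

if __name__ == "__main__":
    result = compare(BASELINE, WITH_CONTROL, CONTROL_COST, threshold=1_000_000)
    print(f"analytic EAL before control: {analytic_expected_loss(BASELINE):,.0f}")
    for key, value in result.items():
        print(f"{key:>18}: {value:,.3f}")
```

The point for a board is in the shape of the output: a control is justified when the expected loss it removes exceeds its cost, and the exceedance figure shows whether it moves the tail the board cares about rather than just the average. The 90% intervals are calibrated estimates, which is what Hubbard’s method is designed to elicit; collapsing them into a one-to-five score throws away exactly the arithmetic this comparison depends on.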
When the Model Fits — and When It Doesn’t
The model works best for a specific profile: companies between two hundred and two thousand employees that need experienced cybersecurity leadership but can’t justify — or can’t recruit — a full-time CISO. That includes community banks, mid-market companies navigating their first cybersecurity audit, PE portfolio companies under governance pressure, and growth-stage firms approaching regulatory thresholds.
The economics are straightforward. A seasoned CISO commands $350K–$500K in total compensation plus the opportunity cost of a four-to-six-month search. A fractional engagement provides equivalent strategic leadership at a fraction of that cost, with no recruiting risk and faster time to value.
Where it doesn’t fit: organizations that need a full-time operator embedded in daily technical decisions, companies with mature security programs that need execution management rather than strategic direction, or situations where regulatory or contractual requirements explicitly mandate a named, full-time CISO.
Even in those cases, there’s often a transitional use case. An interim CISO engagement can bridge the gap during executive search, M&A due diligence, or pre-IPO readiness. And a fractional CISO can serve as a strategic advisor to a newly placed full-time hire who needs a sounding board. The right horses for the right courses at the right time.
Governing the Engagement: What Boards Should Require
Define the reporting line
The fractional CISO should have a defined reporting relationship to senior management and a direct communication channel to the board or audit committee. This isn’t optional. It’s the structural independence that makes the role effective. Without it, you have an expensive consultant. With it, you have cybersecurity leadership that is accountable, independent, and aligned with the board’s oversight obligations.
Agree on deliverables and cadence
At minimum, expect quarterly board-ready risk reporting, an annual cybersecurity assessment or program review, incident governance documentation, and regulatory alignment updates. The engagement should also include ad hoc availability for emerging threats, incidents, and strategic decisions. Resilience is execution, held together by governance, and the cadence is what makes governance real rather than aspirational.
Measure outcomes, not activity
The trap is measuring a fractional CISO engagement by activity volume: meetings attended, policies reviewed, and emails sent. That’s input theater. Measure outcomes: reduction in critical risk items, time to detect and respond, audit finding closure rates, and board confidence in the security posture narrative. If you can’t measure the difference the engagement is making, you’re managing noise, not risk.
Ensure continuity and knowledge transfer
One legitimate concern with the model is continuity. What happens if the engagement ends? A well-structured arrangement includes documentation of the security program, relationships with key vendors and auditors, and a transition plan. The goal is that the organization’s security posture is captured in systems and documentation — not locked in one person’s head.
This is where the model can be stronger than a full-time hire. Full-time CISOs leave too — often without warning and rarely with a clean transition plan. A structured engagement forces the discipline of documentation from day one. The Monty Hall problem teaches us that as new information arrives, we should revisit our decisions. The same applies here: the documentation discipline that fractional models demand is the same discipline that makes any security program resilient to personnel changes.
The Cybersecurity Governance Maturity Curve
Most organizations move through a predictable maturity curve. In the early stages, security is owned by IT — the CIO or CTO handles it as a side responsibility, and the board receives a brief annual update that no one interrogates. In the middle stages, the board recognizes the gap and starts asking questions, which is usually when the search for a security executive begins.
CISO-as-a-service fits naturally at the inflection point between those stages. It’s the move a board makes when it recognizes the governance gap but isn’t ready, or doesn’t need, to commit to a full-time executive hire. It lets you skip the four-to-six-month recruiting process and start operating with real cybersecurity leadership while you work out the long-term structure.
Don’t lose sight of the broader picture by getting bogged down in checklists. Cybersecurity governance isn’t about checking a box. It’s about having a trusted advisor who brings judgment, experience, and independence to the decisions that protect your organization.
Frequently Asked Questions
Is CISO as a service appropriate for publicly traded companies?
Yes, with the right governance structure. The SEC’s cybersecurity governance disclosure rules require companies to describe management’s role in managing cyber risk and the board’s oversight posture — they don’t prescribe an employment model. A fractional CISO engagement with documented reporting lines, defined deliverables, and direct access to the board satisfies the governance intent. The key is documentation and independence, not headcount.
How does a fractional CISO report to the board?
The fractional CISO prepares quarterly board-ready materials — risk posture summary, key initiatives, emerging threats, regulatory updates, and metrics — and presents directly to the audit committee or full board, depending on the governance structure. Between quarterly sessions, there’s a defined escalation path for material events. The reporting relationship should mirror what you’d expect from a full-time CISO: independence, candor, and direct access. If the provider only reports through the CEO or CIO with no board interaction, that’s a structural weakness you should address before anything else.
What’s the difference between a fractional CISO and an MSSP?
They operate at entirely different layers. The MSSP handles technical operations: monitoring, tool management, alert triage, and technical incident response. The fractional CISO operates at the executive and governance layers: setting strategy, managing portfolio-level risk, reporting to the board, and making the decisions that shape how the program evolves. You need both, and they complement each other.
The Question Worth Sitting With
Every board eventually arrives at the same realization: the risk of not having experienced cybersecurity leadership isn’t theoretical. It shows up in audit findings, regulatory actions, insurance gaps, and incident response failures, turning manageable events into existential ones.
The question isn’t whether you need a CISO. It’s whether the model you choose actually delivers the judgment, independence, and accountability your organization requires.
CISO-as-a-service, when structured correctly, delivers all three.
And if it doesn’t — if the engagement feels like theater, if the reporting feels like checkbox compliance, if the person on the other end of the phone at 2 AM doesn’t pick up — then you don’t have a fractional CISO. You have a fractional problem.
Nick Shevelyov
Founder, vCSO.ai | Former Chief Security Officer, Silicon Valley Bank
Work cited by the Federal Reserve as the textbook response to SolarWinds.