Fractional CISO

Price: £4,500 per month (excl. VAT)

Information security is among the most significant operational risks many modern SMEs face. For security-conscious SMEs, elevating information security to the leadership level is wise. Yet including a Chief Information Security Officer in their organisation is often impractical. An effective solution is to hire external professionals on a fractional basis to fill this role, which both reduces costs and also avoids the difficult challenge of getting security talent in-house.

For SMEs Taking The Next Step

There comes a point where advice you seek out occasionally is no longer enough - where security has grown past isolated fixes into something that has to be governed. Expanding infrastructure, increasing staff count, customer security requirements, supplier relationships, and compliance obligations all increase the complexity of security requirements. The distinction that matters at this stage is a simple one: advice arrives after a decision has been made, but a Chief Information Security Officer is in the room before it. A Fractional CISO gives you that embedded ownership - the whole of the Security Advisor service and a great deal more - without the cost or the hiring difficulty of a full-time appointment. This service is particularly suitable for growing SMEs scaling their infrastructure, organisations preparing for compliance requirements, and businesses that wish for security structures and decision-making processes that remain effective as the business scales and changes over time.

In The Room Before The Decision

The decisions that most shape an organisation's security are made early and quietly, usually by whoever is building the thing, on the basis of whatever is simplest at the time. A flat internal network in which everything can reach everything is easy to stand up and painful to segment later, once a hundred dependencies have grown to assume the flatness. A broad grant of database access handed to an application "to make it work" becomes load-bearing, and nobody dares tighten it afterwards. These choices are nearly free to get right at design time and ruinously expensive to unpick once the business runs on them. This is the core of what a CISO adds over occasional advice: not better answers after the fact, but presence at the moment the decision is made, when getting it right costs almost nothing. We take part in your leadership and technical decisions, own your security policies, processes, and incident-response plans, and hold your security architecture and roadmap, so that security is built in rather than bolted on once something has already broken. Our Fractional CISO role remains advisory rather than a managed service: we still do not run your systems or watch them around the clock, but we make sure the people who do are pointed in the right direction.

Compliance Is A Floor, Not A Ceiling

While we help you achieve the certifications your customers and insurers may increasingly demand - Cyber Essentials, ISO 27001, and the rest - we treat them as exactly what they are: a floor to clear, not a finish line to celebrate. We will also tell you the difference, which much of the industry will not. Cyber Essentials asks whether you have multi-factor authentication; it does not ask whether that authentication can be defeated by an attacker relaying your login through a proxy in real time, which the most common kinds can be. An organisation can hold the certificate and still be wide open to the single most common way accounts are compromised today. Passing the audit and being secure are related, but they are not the same, and our job is to make sure you are the second thing and not merely the first.

Connections To Other Services

Where the Security Advisor service helps you manage the suppliers you already depend on, a CISO gets ahead of the problem. We assess a prospective vendor, MSP, or SaaS platform before you tie your business to it, using the same investigative work as our Supply Chain Security and Reconnaissance services - because the over-permissioned integration you wave through on day one is far harder to walk back on day five hundred. Alongside this, the role includes annual Threat Modelling workshops that keep your picture of who would attack you, and how, current as the business changes. It further carries a 15% discount on all our security testing.