Fractional CSO

Price: £6,500 per month (excl. VAT)

By the time an organisation reaches a certain size, its worst exposure is often no longer in its IT at all. It is in the seams between domains that each answer to a different owner - between the network and the building, between your staff and your suppliers, between what a policy says and what people actually do. Information security, however good, stops at the edge of the network.

Employing a full-time Chief Security Officer is often impractical for SMEs and mid-sized organisations. Our Fractional CSO service provides organisations with experienced strategic security leadership across both digital and physical domains without the financial and operational overhead of building a large in-house executive security function. A Fractional CSO extends security leadership across the whole organisation - digital, physical, personnel, and operational - and includes everything in the Fractional CISO role beneath it.

The Seams Between Domains

Consider what happens when an employee leaves. IT disables their accounts and reclaims their laptop; facilities deactivates their building pass; HR handles the paperwork. Each department does its job correctly. But the contractor keyfob they were once lent, the personal phone still enrolled to collect company mail, the shared team password they knew by heart, the administrator account created for a one-off project two years ago and never removed - these fall between the three, because they belong cleanly to none of them. Every domain is covered, and the departed employee still has a way in. This is the same failure as the uncoordinated suppliers described under our Security Advisor service, now inside your own walls: security lives in the interactions between domains, and the interactions are exactly what no single departmental owner is responsible for. The same pattern runs through physical security - an intruder who follows a colleague through a controlled door, sits down at an unlocked workstation, and finds its disk unencrypted has quietly defeated three separate controls that three separate people each believed were sufficient on their own. A CSO owns those seams, and we test them the way an attacker would: end to end, across the boundaries your organisation chart draws.

The Fifty-Pound Foothold

The devices that watch your premises are computers, and they are usually the worst-secured computers you own. A door-access controller, a CCTV recorder, a badge reader - these are installed by whoever fitted the physical security, run firmware that is rarely if ever updated, ship with default credentials nobody changed, and, most dangerously, sit on the same flat internal network as everything else because putting them there was simplest. To an attacker that is an open invitation: a fifty-pound camera with a known vulnerability is not a minor concern about a camera, it is a foothold onto the network the camera shares with your servers. This is the cyber-physical seam in its purest form - a device that the people managing your IT think of as facilities' problem, and that the people managing your building think of as IT's, exposed to the internet or bridged to your core systems, and owned by neither. A CSO treats your physical security devices as the networked computers they are, and insists they be segmented, credentialed, and maintained accordingly - because the cheapest way onto a well-defended network is often the appliance nobody thought of as a way in at all.

What A CSO Adds

On top of the CISO role, a Fractional CSO takes on physical and personnel security, insider risk, operational resilience, and crisis response, along with the coordination between them. Because much of this cannot be judged from a distance, the role includes recurring on-site review on a schedule that suits how you operate. The annual Threat Modelling extends beyond the purely technical to physical, cyber-physical, and operational-disruption scenarios, and we run resilience workshops that walk your leadership through a realistic crisis - how it would escalate, who would have the authority to decide what - before one has to happen for real. This tier includes a 20% discount on security testing and priority scheduling. It is built for organisations with real premises, meaningful physical-access complexity, valuable intellectual property, or operations in higher-risk sectors, where treating security as an IT function leaves the largest holes exactly where no one is looking.