Buyer's Guide

How to Choose a Fractional CISO

The right fractional CISO can compound across your security program for years. The wrong one will burn 12 months and leave you in the same position. Here's the framework I'd use to make the decision — based on having sat on both sides of the table.

By Nick Shevelyov · 9 min read

The five questions to ask every candidate

These questions are the diagnostic. They distinguish operators who've actually carried the role from advisors who've consulted to others doing it.

1. "Walk me through the worst incident you've personally responded to."

A real operator can describe a specific event in detail: the timeline, the decisions, what they got right, what they got wrong. They'll mention the legal team, the cyber insurance carrier, the federal liaison, and the customer-comms posture. Vague answers ("I've handled many incidents") are a tell — they advise rather than respond. Press for specifics: the hour-by-hour of the first 48 hours, the call to the CEO, the regulatory notification decisions.

2. "How do you report to a board? Show me a sample."

A good fractional CISO has a board-reporting template they actually use. Ask to see it (anonymized). Look for: risk stated in dollars and business outcomes, not heat maps; explicit residual risk acknowledgment; a clear ask or decision the board needs to make. If the sample is full of CVE counts and kill-chain diagrams, the candidate talks to engineers, not directors.

3. "What's your view on our specific industry's regulatory landscape?"

Don't ask "do you have fintech experience" — every candidate will say yes. Ask them to talk through the three regulatory pressures they'd expect a company at your stage in your industry to face in the next 18 months. A candidate with real industry experience answers in seconds. A generalist hesitates and pivots to general advice.

4. "What does the first 90 days look like, and what does month 6 look like?"

A real operator has a phased plan: month 1 is inventory and gap analysis, months 2-3 are remediation and policy work, months 4-6 are operational cadence and board reporting. If the answer is the same across all three windows ("we'd do an assessment, then implement"), the candidate doesn't have a stage-aware plan.

5. "When and how does this engagement end?"

The right answer is: "When you hire a full-time CISO, or when you no longer need security leadership at this intensity." A fractional engagement that's structured to continue forever has the wrong incentives. Ask explicitly what the transition looks like and whether the firm helps source and onboard your full-time hire.

Red flags to watch for

Six patterns that distinguish weak engagements from strong ones:

  • "I've advised CISOs" instead of "I've been the CISO." There's a real difference. Advisors are useful for specific projects. Carrying a program through real operator pressure — board meetings, regulator audits, live incidents — is a different skill set.
  • Vague incident response answers. If the candidate can't walk you through a specific incident in detail, they probably haven't run one.
  • Big discount with no scope change. A fractional CISO who'll cut their price 50% to win the deal — without reducing hours or scope — is either padding the original quote or planning to staff you with someone less senior than they implied.
  • No board-reporting plan. Boards care about cyber. If the engagement doesn't include a board-reporting cadence, the engagement isn't operating at the right altitude.
  • Generic deliverable list. If the proposal could be sent to any company at any stage in any industry, the firm hasn't thought about your specific needs. Custom scope is a sign of senior advisory; generic scope is a sign of productized delivery (which can still work, but you should know what you're buying).
  • Auto-renewing engagement with no review cadence. The right structure has a quarterly check-in where both sides explicitly evaluate whether the engagement is working. Auto-renew without review means the firm is optimizing for revenue continuity, not your outcomes.

The interview process

A working interview cadence for a fractional CISO hire:

  1. Initial screen (CEO/founder, 30 min). Vibe check. Does this person speak business, not just security? Can they explain things to a non-technical audience? If you'd be uncomfortable putting them in front of your board, stop here.
  2. Deep working session (CEO + technical lead, 60 min). Walk them through your business, your security posture, your customers' expectations. Ask the five diagnostic questions above. They should be asking good questions back — about your business model, your customers, your threat model, your risk appetite.
  3. CTO/engineering working session (CTO + candidate, 30 min). Test technical fluency and working relationship. The fractional CISO will spend most hours working with engineering. If your CTO doesn't trust them, it won't work.
  4. Reference calls (you, 30 min each, two references). Don't skip this. Ask the diagnostic question: "Would you hire them again at scale?"
  5. Engagement letter review (legal, async). Review the contract terms covered in the "Contract terms that matter" section below.

How to check references

Three calls, three questions each. Ask the first reference to refer you to a second one (a "back-channel" reference, someone the candidate didn't list).

The questions:

  1. What did this person actually do for you? Cross-check against what the candidate told you they did. Discrepancies tell you about the candidate's self-presentation.
  2. What did they not do well? Every operator has weaknesses. References who can articulate them give you the most reliable signal.
  3. Would you hire them again, and at what scale? This is the diagnostic question. "Yes, at any company stage" is the strong answer. "Yes, at our stage" is fine. "Probably" or hesitation is informative.

Contract terms that matter

Six terms to read carefully and negotiate. Most boilerplate engagement letters cover these — the question is whether the language protects you or the firm.

1. Named operator clause

Your engagement letter should name the specific person leading the engagement. It should require written notification if they leave the firm or are reassigned, with the right to terminate without penalty if you don't accept the replacement. Without this clause, you signed up for a brand and the firm can rotate operators freely.

2. IP and work-product ownership

Anything produced for you — policies, runbooks, board reports, risk registers — should be your property to use, modify, and retain after the engagement ends. Some firms try to keep IP rights on "their methodology"; that's fine for the methodology itself, but the artifacts produced for you are yours.

3. Termination

30 to 60 days' written notice without penalty after the first 6 months. The first 6 months is a reasonable protected period given the onboarding investment; after that, both sides should be free to walk if it's not working.

4. Confidentiality and conflict of interest

Mutual NDA covering both directions. Specific clause on competitor work — does the firm work with your direct competitors at the same time? Some firms do; that's not automatically bad, but you should know.

5. Liability cap

Standard practice is to cap liability at fees paid in the prior 12 months. Don't sign engagement letters with higher caps unless you're paying for that risk. Don't sign letters with no liability framework at all — that makes recovery on a real failure messy.

6. Reference and case-study rights

Most firms want to cite you as a client publicly (logo on website, named case studies). Negotiate the wording, not the right itself. A typical compromise: logo and unnamed quote with prior approval, no specific deliverable details published.

Firm vs. individual operator

A standalone fractional CISO (working independently, not through a firm) is cheaper and more direct. A firm-based operator costs more but brings infrastructure: backup if your primary operator is unavailable, specialist support (assessment, compliance, incident response), and proprietary tooling. Trade-offs:

Hire an individual when

  • Budget is tight and you can tolerate single-point-of-failure risk
  • Your scope is narrow and well-defined (advisory + board reporting, no incident-response coverage needed)
  • You have strong internal engineering depth that can handle execution
  • You value direct, unfiltered access to one operator

Hire a firm when

  • Security is mission-critical to your business and continuity matters
  • You need broader scope (assessments, compliance, vendor management, incident response, M&A support)
  • You're regulated and need bench depth for surge capacity (audits, regulator interactions)
  • You want proprietary tooling that compresses the operator's hours

vCSO.ai operates on the firm-with-named-operator model: Nick Shevelyov is the named CISO on every engagement, supported by specialists in assessment, compliance, and operations. The firm uses proprietary tooling (Theodolite) to compress what would otherwise be weeks of consultant work. See "What is a fractional CISO?" for the role definition, or "vCISO vs fractional CISO" for the terminology distinctions.

Questions & answers

What questions should I ask a fractional CISO candidate?

Ask five core questions: (1) Have you actually owned a security program at scale, with regulator exposure and incident responsibility? (2) Walk me through the worst incident you've personally responded to. (3) How do you report to a board? Show me a sample. (4) What's your view on our specific industry's regulatory landscape? (5) What does the first 90 days look like, and what does month 6 look like? Vague answers to these questions are red flags.

How long should a fractional CISO engagement run?

Most retained engagements run 12-36 months. Anything shorter is usually a consulting project (assessment, SOC 2 readiness) wearing a fractional CISO label. Anything longer than 36 months without a transition plan suggests the firm hasn't been preparing you for a full-time hire — which is a red flag at growth-stage companies.

Should I hire an individual fractional CISO or a firm?

Both work; they have different failure modes. An individual is cheaper, more direct, and brings their full attention — but they're a single point of failure. If they get sick, accept a full-time role, or have a personal emergency, you have no backup. A firm has bench depth and infrastructure but can be less personal and more expensive. The right answer depends on how critical security is to your company and your tolerance for continuity risk.

What red flags should I watch for?

Six classic ones. (1) The candidate has never personally led a program — only advised. (2) Vague answers to incident-response questions. (3) Willingness to commit to a 50% reduction in cost without scope reduction (they're padding hours or you'll get juniors). (4) No proposal for board reporting cadence. (5) A pre-baked deliverable list that doesn't reference your industry. (6) An engagement structure that auto-renews without a quarterly review.

Should the fractional CISO write our security policies, or do we?

They should draft them; you should review and own them. Policies that the company didn't engage with don't get followed. A good fractional CISO uses policy drafting as a way to surface what your company actually does (vs. what the policy says) and turns the writing process into governance alignment. Don't sign on with a firm that hands you 30 pre-written policy templates and walks away.

What contract terms matter most?

Six terms to negotiate. (1) Named operator clause — the specific person who'll lead, with notification requirements if they change. (2) IP ownership — the work product (policies, runbooks, board materials) is yours, not the firm's. (3) Termination — 30-60 day notice without penalty after the first 6 months. (4) Confidentiality — mutual NDA covering both directions. (5) Liability cap — usually equal to fees paid in the prior 12 months. (6) Reference rights — whether the firm can cite you as a client (you'll usually grant this, but negotiate the wording).

How do I check references on a fractional CISO?

Ask the candidate for three references. Then call two of them and ask: (1) What did this person actually do for you? (2) What did they not do well? (3) Would you hire them again, and at what scale? The third question is the diagnostic — most people will say yes to "would you recommend them" but pause on "would you hire them again at scale."

When should I bring our CTO/CIO into the interview process?

Right after the second interview, before the engagement letter. Your fractional CISO will spend most of their time working with the CTO, head of engineering, and head of IT — if those people don't trust the operator, the engagement will stall. A simple 30-minute working session between the candidate and your CTO surfaces fit issues fast.

Ready to talk to a fractional CISO?

Nick's team advises growth-stage companies, PE/VC sponsors, and cybersecurity product teams. First call is strategy, not vendor pitch. We reply within one business day.