Fractional vs. full-time CISO: Finding the right fit for your company
In this Help Net Security interview, Nikoloz Kokhreidze, Fractional CISO at Mandos, discusses why many early- and growth-stage B2B companies hire full-time CISOs before it’s needed. He breaks down common founder misconceptions, explains the right approach to security leadership, and shares when a full-time CISO makes sense.
What trends are you seeing in early-stage or growth-stage B2B companies that lead them to prematurely hire a full-time CISO?
We need to differentiate between the two, as they have slightly different requirements for their stage.
Early-stage B2B companies are focusing on securing their first few large enterprise customers to establish a foothold in the market. However, these enterprises are at a higher level of security maturity, often have proper security programs in place, and are led by a CISO.
Therefore, B2B customers require strong security controls from third parties before engaging in a business relationship with them. This, of course, is coming from supply chain security risks and regulatory compliance requirements.
I have built third-party risk management programs and have often requested assurances from my B2B suppliers in the form of ISO 27001 certification and/or SOC 2 Type II reports. This is a common practice for the initial filtering of vendors, indicating if the vendor has basics covered.
However, in my experience, the early-stage B2B companies might not necessarily have those assurances or even a well-documented ISMS. This often leads to a failure to sell the product or service to an enterprise customer, as prospects choose competitors holding these assurances.
And this is exactly the pain that triggers an early-stage B2B company to go hunt for a full-time CISO to “fix security”.
There is nothing wrong with hiring a CISO, but at this stage, a full-time CISO doesn’t have 40+ hr per week of work. The work in this case is mostly an organizational alignment and a mix of strategic and tactical work, which does not require 40+ hr.
As a result, this premature CISO hiring leads to two major problems:
The first is what I would call CISO scope creep. To justify their full-time position, a CISO starts building security programs that the company doesn’t even need yet. For example, I have seen a CISO start thinking about threat management in a 50-person company when they don’t even have basic monitoring in place. So there is a big gap between what the company needs now and what the CISO has to supply.
Now the second problem is the cost burden of a six-figure executive hire. It drains budget from actual business priorities and creates a potential cultural friction when a senior executive starts pushing for enterprise-grade processes in a startup culture. Often, the friction arises between the CISO and the engineering teams as they are now pushed to work and report on security issues while this time could be spent on shipping features.
The growth-stage companies, on the other hand, face a bit of a different challenge. They are scaling rapidly, maybe growing from 100 to 300 employees in 12 months, and they suddenly realize that ad-hoc security approaches and controls built by engineers are no longer enough. One of the good indicators of this is when technical teams start spending an increasing amount of time on security issues and incidents. Or when new investors and board members start raising security-related questions and concerns.
This is when founders realize they can’t continue having the CTO cover security topics, while enterprise prospects keep asking about the CISO they don’t have.
So as a result, the growth-stage B2B company rushes to hire a full-time CISO when they need a fractional strategic security expert to prepare for a stage when they have a need for a full-time executive.
What are the common misconceptions founders have about what a CISO should be doing at their stage?
In my experience, misconceptions usually depend on the background of the founder, whether they have a more technical or business background.
Nonetheless, the biggest misconception I have encountered is that a CISO is a one-man solution. Founders often expect that they will hire a CISO who will individually fix all the security issues, and after some time, these issues will magically disappear. But the truth is that working towards security is an organization-wide decision and commitment. Security affects almost every aspect of the business and requires founders to ensure that each head of department is adequately prepared to work towards this goal.
Another common misconception is that a senior security leader will be finding vulnerabilities, doing pentests, and reviewing cloud deployments. I must admit I was asked this kind of question a few years ago by a founder who wanted to hire me for the “CISO” role. Of course, this did not go well. Founders and business executives often assume that security is just a technical problem that a technical security expert will solve if they work hard enough on it. But that couldn’t be further from the truth, because security is fundamentally a business enablement function at this stage. And a CISO’s job in a growing B2B company is to translate business and customer requirements into security controls that close deals and build customer trust.
Is there a particular stage of growth, revenue, or customer profile that typically signals it’s time to consider a full-time CISO?
There are a few triggers that should make B2B companies consider a full-time CISO, but based on my experience it’s less about specific numbers and more about organizational changes and security workload.
One of the good indicators I noticed is when a B2B company starts selling to multiple, highly regulated industries like financial services or healthcare and starts processing their sensitive data. In this case, you might need full-time security leadership to handle intense, ongoing compliance requirements and customer negotiations.
Another one is an increase in major security incidents that affected enterprise customers, and where the company failed to properly represent security controls to reassure those affected. At this stage, the B2B company realizes that something is fundamentally wrong and needs to change, triggering a search for a full-time CISO who can, together with other leaders, dedicate full effort to figuring this out.
Also, M&A activity could be a strong indicator. For example, if you are acquiring another company or being acquired yourself, the security integration work becomes massive and time-consuming. A CISO has to deal with different security programs, systems, compliance frameworks, and cultures that need harmonization. As someone who has participated in M&A, I can confidently say that this requires a full-time dedication of technical, business, and political skills over many months.
Sometimes investors and VCs will also start asking about dedicated security leadership and raise concerns before investing money into the company. This often comes up around Series-C funding, but it depends on the type of company, industry, and region.
What would an ideal security leadership structure look like for a B2B company with fewer than 200 employees?
With fewer than 200 employees, I believe a fractional CISO is the best way to go because the person can start building the foundation for the company, unblock the sales cycles, and work on the roadmap without the overhead and cultural disruption of a full-time executive hire.
Ideally, this would mean a fractional CISO working 1-2 days per week, supported by the existing engineering team for implementation of security controls and processes. In this case, the fractional CISO handles the strategic work of customer security conversations, working on compliance, helping with major security incidents, reporting to the board and investors, while guiding engineers to handle tactical execution.
This structure will immediately unblock business while saving costs and building towards the stage where the company will be ready to work with a full-time security leader.
The optimal approach is all about finding the balance through the right-sized solution that fits the company’s immediate needs.
If a founder came to you today saying, “We think we need a CISO,” what diagnostic questions would you ask them first?
For me, it’s very important to understand where this question comes from and what the actual pain points the founder wants to solve.
So the first question I ask is “What makes now the right time for a CISO for you?” This would give me information on whether it’s a reactive decision driven by external pressure or a strategic decision.
Then I would ask, “What specific problems do you expect a CISO to solve in the first 90 days?” This way, I will try to understand if they are looking for someone to do hands-on technical work or more strategic business enablement. The answer could also showcase whether the founder has misconceptions about the CISO role, as we discussed before.
Next, it would be helpful to understand the expected workload, so I would ask, “How much time per week does your team currently spend on security-related tasks?” This will tell me whether there is enough security work for a fractional CISO or whether a full-time CISO is a better option.
The final question would be “What do you think your company will look like in the next 12 months if you don’t hire a CISO?” This gives me an opportunity to more deeply understand the current health of the organization and the fears and concerns of the founder.
These questions should reveal if the B2B company needs a full-time CISO, a fractional CISO, or perhaps having a technical security expert would be enough for their stage.