
vCISO vs Fractional CISO vs BISO

How a regulated fintech buys security leadership: vCISO, fractional CISO, or BISO, with engagement models, pricing, and a board-ready ROI case.

By Giovanni Salvador · 15 min read

Why this pillar exists

A COO called me in March with a problem most regulated fintechs hit between Series B and Series D. Their auditor had flagged a gap. No single named person owned information security. The board wanted a CISO. The budget allowed for roughly a quarter of one. The actual work in front of them was a regulator readiness programme, not a full-time empire-building hire.

They had been told to “get a CISO” by three different advisers. None had asked the question that mattered. A CISO to do what, exactly? A part-time leader who signs the board paper and owns the posture is one kind of purchase. A hands-on operator who runs the programme week to week is another. A security lead embedded inside one business line is a third. Three titles, three different jobs.

That confusion costs money and time. I have watched firms pay senior-leader rates for the wrong work while the real gap stayed open. This pillar is the map I wish that COO had been handed first. It covers the three buying models, the engagement shapes underneath each, and what they cost. And it shows how to make the case to a board in the language a board acts on, which is quantified risk reduction.

A word on honesty before we start. I run a vCISO practice, so I have skin in this game. The right model is sometimes a permanent hire and sometimes none of the three. Where I give a number, I label it illustrative. The shape of the reasoning matters more than any single figure.

Key decisions ahead

If your firm is regulated and growing, you face four decisions in sequence. Get them in the right order and the spend follows naturally. Get them out of order and you buy a title before you understand the job.

The first decision is whether you need accountable leadership or delivery capacity. These are not the same thing. Accountable leadership is the named person who owns the security posture. They sign the board paper and answer to the regulator. Delivery capacity is the pair of hands that runs the programme, writes the policies, and chases the remediation. One governs. The other builds.

A vCISO leans toward the first. A fractional CISO often covers both but bills more hours. A BISO sits inside a business line. They translate central security policy into shippable engineering work. Many firms need two of the three, not one. Naming which you need saves the most money. I have seen a firm hire a delivery-heavy fractional when all it needed was a governing vCISO and a junior analyst, and it overpaid for a year.

The second decision is permanence. A part-time external leader is right when the risk is real but the workload is not yet full-time. A full salary, employer benefits, and a long recruitment cycle for a scarce senior hire are heavy commitments. The moment your security workload reliably fills a full week, the maths flips toward a permanent hire. A good external arrangement should plan its own exit from day one. If a provider has no view on when you will outgrow them, be wary.

The third decision is regulatory exposure. Under the FCA Senior Managers and Certification Regime, accountability for relevant functions rests with a named senior manager. Operational resilience is one such function. A part-time external leader can run the programme that satisfies the regulator. The regulated accountability itself usually stays with an internal executive. Decide early who holds the function, because that single choice shapes who you hire and at what seniority.

The fourth decision is how you will prove value. Security leadership is easy to buy and hard to measure. Decide your success metrics before you sign, not after. A vague brief produces a vague engagement that is impossible to defend at renewal. The rest of this pillar expresses those metrics as risk reduction a finance director will accept.

Five dimensions

Every security-leadership buying decision can be reasoned through five dimensions. Score your own situation against each before you choose a model. The point is not to find the most senior option. It is to match the model to the gap.

Accountability and ownership

The first dimension is who owns the outcome. A vCISO is the accountable owner of the security posture. They work part time, typically one to two days a week, on a retainer. They sit at the board table. They own the risk register. They represent security to auditors and regulators. The word that matters is owner. A vCISO is not advice you can ignore. They carry the posture, and they answer for it when an auditor pushes.

The mechanism is ownership made visible. The vCISO’s name appears on the risk register, the board pack, and the regulator correspondence. That single line of attribution changes behaviour, because work that used to float between teams now has a destination.

A fractional CISO overlaps heavily but tilts toward delivery. The same person may own the posture and also run the programme hands on, three days a week building the controls rather than only governing them. The line between vCISO and fractional CISO is blurry in the market, and many practitioners use the terms interchangeably. The honest distinction is hours and depth of delivery, not seniority.

A BISO owns something narrower and deeper. The Business Information Security Officer embeds inside one business unit, perhaps a payments line, a lending product, or a data platform. They translate central security policy into engineering reality for that line. They do not own the firm-wide posture. They own security outcomes for their patch, and they report into the central CISO function. A BISO sits between the security function and the business line it serves, fluent in both languages.

For a fintech with several distinct product lines, a BISO is how you stop central policy from becoming shelfware the moment it meets a real sprint. I worked with a payments business where the firm-wide policy was sound but ignored on the ground. Engineers saw it as paperwork from another floor. Embedding one security lead inside the payments squad changed that. Within a quarter the policy was applied in design reviews rather than rediscovered in audits.

What good looks like here is simple. The owner can be named without hesitation, and that name is the same in the board pack and in the engineering stand-up. If ownership is vague, no title will fix it.

Score yourself. Do you need firm-wide ownership, programme delivery, or business-line embedding? Most firms past a certain size need all three.

Workload and permanence

The second dimension is how much work there actually is. Map your security workload against a calendar. A regulator readiness programme with a hard deadline is intense but finite. Steady-state governance of a mature posture is lighter and ongoing. A scaling firm shipping new regulated products every quarter generates continuous heavy demand. These three profiles call for three different commitments.

The mechanism is matching the contract shape to the demand curve. Buy permanence for a finite spike and you carry a full salary long after the deadline passes. Buy part-time flexibility for permanent rising demand and the gap reopens the moment the work outgrows the days you bought.

A part-time external leader fits the first two well. One to two days a week covers governance, board reporting, and a paced programme. When the workload reliably exceeds three days a week for two or more quarters, the case for a permanent hire strengthens. At that point you are renting a full-time role at a premium, and the premium stops being worth it.

A fractional model is the bridge. It carries you through the heavy programme phase. Then it steps down to a lighter retainer, or it hands over to a permanent hire it helped you recruit. The best external engagements include their own succession plan. If a provider cannot tell you how the relationship ends, treat that as a warning sign.

A lending platform I advised did this well. We ran an intensive readiness programme for two quarters, then deliberately tapered to a one-day governance retainer once the heavy build was done. The firm kept the institutional memory without paying the heavy rate a day longer than the work required.

What good looks like is a planned glide path. Your provider can tell you, on day one, what the engagement looks like in twelve months and what would trigger a step down. An engagement that only ever grows is rarely serving the client first.

Score yourself. Is your heavy workload a finite project, a steady state, or permanent and growing demand?

Regulatory accountability

The third dimension is where regulated accountability sits. In UK fintech, the FCA expects a named senior manager to hold accountability for relevant functions under the SMCR. Operational resilience needs a clear owner. So does third-party risk. So does ICT risk under DORA-aligned expectations. These are not duties you can outsource wholesale.

The mechanism is personal regulatory liability. A senior management function carries individual accountability under the regime. The regulator expects a real person inside the firm to be answerable. An external leader can build and run the programme that satisfies these expectations. What they usually cannot do is hold the regulated function on your behalf. That accountability rests with someone inside the firm with the standing to be held responsible.

The practical pattern is a split. A named internal executive holds the function. An external vCISO does the heavy lifting and prepares the evidence. The executive stays accountable and informed. The vCISO supplies the depth and time the executive lacks. Done well, the internal owner can answer a regulator’s questions without notes.

I have seen the failure mode too. A firm hired an external leader and quietly assumed accountability had moved with them. It had not. When the regulator asked who owned operational resilience, the internal answer was a shrug. Naming the internal owner on day one avoids that gap.

A BISO changes this picture inside a large group. Where a business line is itself a regulated entity, the BISO may carry delegated accountability under a group framework. For most growth-stage fintechs that subtlety does not yet apply, but it is worth knowing before you scale.

What good looks like is a named internal owner who is genuinely informed, not a figurehead. The external support makes that person stronger in front of the regulator, never a screen they hide behind.

Score yourself. Who in your firm can credibly hold the regulated accountability, and what support do they need to do it well?

Cost and pricing

The fourth dimension is what each model costs, and here numbers help. Treat every figure in this section as an illustrative UK market band for 2026, not a quote. Your actual figure depends on firm size, regulatory load, and seniority. We scope a real price per discovery call, because no honest number survives contact with the specifics until those specifics are known.

Two pricing drivers sit underneath every model. The first is day rate, which reflects the seniority and scarcity of the person. The second is the shape of the commitment, usually a retainer for ongoing governance or a fixed scope for a defined project. A retainer buys a predictable slice of senior time each month. A project price buys a named outcome with a start and an end. Mixing them up is where budgets drift.

A vCISO retainer for one to two days a week illustratively runs £4,000 to £10,000 a month. That is roughly £48,000 to £120,000 a year for part-time accountable leadership. A fractional CISO at three days a week carries more hands-on delivery and runs higher, often £10,000 to £18,000 a month. A BISO embedded full time in one business line sits closer to a full salaried security-leader cost, in the order of £110,000 to £160,000 a year plus on-costs.

Compare those to a permanent group CISO. A full-time CISO at a regulated UK fintech illustratively costs £150,000 to £250,000 in base salary. Then add bonus, equity, employer National Insurance, and pension. Recruitment fees can add a further 20 to 30 per cent in the first year. Add the lead time too, often three to six months for a scarce senior hire. During that wait the risk sits unowned, which is a real cost that never appears on an invoice.

The pricing lesson is simple. You are not choosing the cheapest model. You are choosing the model whose cost matches the work. Paying a fractional delivery rate for governance you could buy at a vCISO retainer is waste. Paying a vCISO retainer for a workload that needs full-time hands is false economy that leaves the gap open.

What good looks like is a price tied to a defined scope and cadence, not a round number plucked from the air. If a provider quotes before understanding your regulatory load, the number is decoration. The right figure falls out of the work, which is why we scope it per discovery call.

Risk reduction and ROI

The fifth dimension is the return: the one boards actually decide on, and the one most security pitches skip. Security leadership is a cost line until you express it as risk reduction. The cleanest way to do that is to borrow the discipline of quantified risk analysis. The FAIR approach puts a number on the loss you are avoiding.

FAIR stands for Factor Analysis of Information Risk. It asks two questions about any risk. How often is the loss event likely in a year? And how much would it cost when it does? Multiply the two and you get an annualised loss expectancy. A control that lowers either the frequency or the magnitude reduces that expectancy. The reduction is your return.

Here is the shape of the argument for a board paper, with every figure labelled illustrative. Suppose your firm faces a plausible regulatory or incident loss. Give it a magnitude band of £2,000,000 to £8,000,000. Assess the current annual likelihood at around 15 per cent. That is an illustrative annualised loss expectancy in the region of £300,000 to £1,200,000, depending on where you sit in the band. Now suppose a capable engagement demonstrably lowers that likelihood from 15 per cent to 5 per cent. The expectancy falls by two thirds.

Against an illustrative vCISO cost of £90,000 a year, the reduction in expected loss dwarfs the spend. The point is not precision. You need the model to be honest about the bands and explicit about the assumptions. That lets the board challenge the inputs rather than the conclusion. A finance director who would dismiss a security wish list will engage with an expected-loss reduction expressed in pounds.
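As an added worked example (my own illustration here, not the author's tooling or any FAIR software), the arithmetic of that board paper in Python. It uses the illustrative bands above, keeps the before and after scenarios side by side so a finance director can poke each input, and adds the quarterly trend check from the signals section; the four-quarter likelihood series is constructed for illustration only.

```python
"""
Illustrative FAIR-style expected-loss model for a board paper.
Added example, not the page's own tool. Every figure below is the
page's illustrative band, not a real estimate for any firm.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A loss event the FAIR way: a magnitude band (pounds) and an
    annual likelihood (probability the loss event happens in a year)."""
    magnitude_low: float
    magnitude_high: float
    annual_likelihood: float

    def ale_band(self) -> tuple[float, float]:
        """Annualised loss expectancy band = likelihood x magnitude band."""
        return (self.annual_likelihood * self.magnitude_low,
                self.annual_likelihood * self.magnitude_high)


def avoided_loss(before: LossScenario, after: LossScenario) -> tuple[float, float]:
    """Band of annual loss avoided when an engagement lowers likelihood
    or magnitude. Low end against low end, high against high, so the
    band stays honest rather than mixing best and worst cases."""
    b_low, b_high = before.ale_band()
    a_low, a_high = after.ale_band()
    return (b_low - a_low, b_high - a_high)


def net_benefit(before: LossScenario, after: LossScenario,
                annual_cost: float) -> tuple[float, float]:
    """Avoided loss minus the engagement's annual cost, as a band."""
    r_low, r_high = avoided_loss(before, after)
    return (r_low - annual_cost, r_high - annual_cost)


def ale_trend(magnitude_low: float, magnitude_high: float,
              quarterly_likelihoods: list[float]) -> tuple[list[tuple[float, float]], bool]:
    """The expected-loss trend signal: recompute the ALE band each quarter
    with the same method and the same magnitude band, and report whether
    both ends of the band fell every quarter."""
    bands = [LossScenario(magnitude_low, magnitude_high, p).ale_band()
             for p in quarterly_likelihoods]
    falling = all(later[0] < earlier[0] and later[1] < earlier[1]
                  for earlier, later in zip(bands, bands[1:]))
    return bands, falling


def board_paper(before: LossScenario, after: LossScenario, annual_cost: float) -> str:
    """One-page summary with the inputs visible next to the conclusion."""
    b_low, b_high = before.ale_band()
    a_low, a_high = after.ale_band()
    n_low, n_high = net_benefit(before, after, annual_cost)
    return "\n".join([
        f"Loss magnitude band (illustrative): £{before.magnitude_low:,.0f} to £{before.magnitude_high:,.0f}",
        f"Likelihood now: {before.annual_likelihood:.0%} -> ALE £{b_low:,.0f} to £{b_high:,.0f}",
        f"Likelihood with engagement: {after.annual_likelihood:.0%} -> ALE £{a_low:,.0f} to £{a_high:,.0f}",
        f"Engagement cost: £{annual_cost:,.0f} a year",
        f"Net expected-loss reduction: £{n_low:,.0f} to £{n_high:,.0f} a year",
    ])


if __name__ == "__main__":
    # The page's illustrative figures: £2m-£8m band, 15% falling to 5%,
    # against a £90,000 vCISO retainer.
    now = LossScenario(2_000_000, 8_000_000, 0.15)
    with_vciso = LossScenario(2_000_000, 8_000_000, 0.05)
    print(board_paper(now, with_vciso, 90_000))
    # Constructed four-quarter series to show the trend check.
    bands, falling = ale_trend(2_000_000, 8_000_000, [0.15, 0.12, 0.08, 0.05])
    print("ALE falling every quarter:", falling)
```

The design point is that nothing is hidden inside a formula: the band, the likelihood assumption and the cost are separate inputs, so a challenge to any one of them can be rerun on the spot. Replace the constructed quarterly likelihoods with your own reassessed figures each quarter, using the same method, and the `falling` flag becomes the trend line the page describes.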

The return depends on the engagement model that delivers it. A retainer suits ongoing governance, where value compounds quietly month after month. A fixed project suits a readiness push with a deadline, where value lands on a date. A fractional bridge suits a heavy phase that will taper. Set the cadence to match. I favour a monthly working rhythm with the operating team and a quarterly board report. That way the people doing the work and the people accountable for it see the same picture. Fix the board reporting line before you start, because a leader who reports through the wrong person loses authority the role depends on.

We stopped arguing about whether to hire a CISO once we saw the spend against the loss we were carrying. The model made the decision obvious.

COO, a regulated lender

What good looks like is a single page the board already understands. The loss band, the likelihood assumption, and the cost sit together, and a finance director can poke every input. If the return only lives in the security team’s head, it does not yet exist.

Score yourself. Can you state, in one sentence and in pounds, the loss band each model is meant to reduce? If you cannot, you are not ready to buy yet. That gap is the first thing the right adviser will help you close.

How to know if you’re getting it right

Five measurable signals tell you whether your chosen model is working. Put them on the same dashboard the board reads, and review them quarterly. Each one converts a feeling about security into a number you can defend.

The first signal is regulatory readiness. Track the count of open audit and regulator findings and their age. A working engagement closes findings faster than new ones open. The oldest finding should get younger over time, not older. If the backlog grows quarter on quarter, the model is under-resourced, and a step up in days or seniority is the honest response.

The second signal is board confidence, measured plainly. Can your board answer three questions in one sitting? What are your top three security risks? What are you doing about each? What residual risk remains? If the board paper needs translating after it lands, the leadership layer is not making risk legible, and legibility is half the job at this level.

The third signal is delivery throughput. Count the security work items shipped per quarter. Policies ratified. Controls implemented. Remediation closed. A vCISO governing well still shows steady throughput from the teams they steer, because governance with no movement is just attendance. Flat throughput with a rising retainer means presence, not progress.

The fourth signal is time to decision. Measure how long it takes to get a security sign-off on a new product, vendor, or change. The right model shortens this, making the safe path the fast path. If security has become the bottleneck that engineering routes around, you have bought a brake, not a leader, and that workaround culture costs more than the role saved.

The fifth signal is the expected-loss trend. Revisit your FAIR estimate each quarter with the same method and the same assumptions. If the engagement is reducing real risk, the annualised loss expectancy falls over time as likelihood drops. That trend line is the single most persuasive artefact you can put in front of a board. It answers the only question they truly care about. Is this spend buying down our exposure?

If three or more of these signals are flat or sliding after two quarters, do not renew on autopilot. Re-scope, change the model, or change the provider. An engagement that cannot show movement on its own dashboard has answered the renewal question for you.

Next steps

Before the four actions, a word on timing. A handful of trigger signals tell you the moment has arrived. An auditor flags that no one owns security. The board asks a question about AI or operational resilience that no one can answer. You are about to ship a newly regulated product. A funding round puts the firm under sharper diligence. Any one of these means the risk now exceeds what an unowned posture can carry. Waiting past the signal is how readiness programmes turn into incident responses.

If you do hire a vCISO, the first 90 days set the tone. A capable one spends the first month listening and mapping, building an honest risk register. The second month turns that register into a prioritised programme the board has agreed. The third month shows early movement on the highest risks, plus the first quarterly board report. If 90 days pass with no risk register and no agreed priorities, the engagement has started badly, and that is the time to say so.

With timing settled, four concrete actions will move you from confusion to a defensible decision this week.

First, write the gap in one sentence. Not “we need a CISO”, but something specific. “We have no named owner of our regulator readiness programme.” Or “central security policy is not reaching our payments engineering team.” The sentence tells you which of the three models you are actually buying. If you cannot write it, that is the gap, and the diagnosis comes before the hire.

Second, map your security workload against a calendar for the next two quarters. Mark the heavy phases and the deadlines. The shape of that map decides permanence. A finite spike points to a fractional bridge. A steady load points to a vCISO retainer. A permanent rising demand points toward an eventual full-time hire.

Third, identify who holds the regulated accountability. Name the internal executive who can credibly carry the relevant senior management function, and list the support they need. This single decision shapes the seniority and shape of whatever you buy. Skipping it is how firms end up with an external leader and an accountability gap at the same time.

Fourth, draft the one-page ROI case using the FAIR shape above. Pick the loss band. State your likelihood assumption. Show the expected-loss reduction against the model’s cost, with every figure labelled illustrative until your own numbers replace it. Run it past one finance person and one security person. When both can challenge the inputs and still accept the conclusion, you have a board paper that gets signed.

Do those four things and the choice between a vCISO, a fractional CISO, and a BISO stops being a debate about titles. It becomes a matter of matching the model to the gap, the spend to the work, and the cost to the risk it buys down. That is a decision a board can make in one sitting, and a regulator can respect.

If your firm is at this fork and the answers above feel just out of reach, that is the moment a senior practitioner earns their fee, by diagnosing the gap before anyone signs anything.

Frequently asked

  • What's the practical difference between vCISO, fractional CISO, and BISO?
    vCISO and fractional CISO are largely synonymous in UK usage — a named senior leader on a part-time cadence, accountable to the board. BISO (Business Information Security Officer) sits inside a business line, translating between security strategy and product delivery. Most regulated fintechs need at least one of each; the pillar maps where each fits.
  • Is a vCISO a real CISO under FCA / PRA expectations?
    Yes, provided the named individual carries the accountability and attends the relevant board / committee sessions. Regulators care about the substance of the role (decisions, evidence, escalation paths), not the contract under which it's delivered.
  • When is a permanent in-house CISO the right answer?
    Generally when the firm reaches a sustained ~£100M revenue / 250+ headcount / multiple regulated jurisdictions threshold, or when a named CISO becomes a regulatory expectation. Below that, a vCISO delivers the same function more affordably and with deeper cross-firm pattern recognition. The pillar covers the transition criteria in detail.
  • How do reporting lines work?
    vCISO typically reports into the CEO or Chief Risk Officer and attends the board / risk / audit committee on the cadence the firm sets. BISO reports into the relevant business-line leader with dotted-line accountability to the vCISO. Both lines should be documented in the security operating model.
  • Can the same person do both?
    Smaller firms sometimes start with one named individual covering both vCISO and BISO duties. As the business scales, the BISO function naturally splits out into the business line and the vCISO concentrates on board-level strategy and external engagement.
