Fractional & Virtual CISO

Who owns security?

Sooner or later a customer, an investor, or your own board asks who's responsible for security, and the honest answer is “a bit of everyone, really”. For most small businesses a full-time CISO is neither affordable nor necessary, but the need for senior security leadership doesn't go away.

A fractional CISO gives you part-time access to a senior security leader who sets direction, advises the board, and owns the big decisions, without the cost of a permanent hire. The focus is governance: we make sure your IT team and providers are pointed in the right direction and delivering what the business actually needs.

In short

  • 01 Senior security leadership and board-level credibility, at a fraction of a full-time hire.
  • 02 Risk, strategy, and decisions owned by an experienced practitioner you can call “our CISO”.
  • 03 An engagement shaped around the outcomes that matter most to your business.

What problems we solve

Growing businesses reach a point where security decisions are too important to wing, but not frequent enough to justify a full-time hire. You're in the right place if any of these are hard to say honestly today:

01 Nobody really owns security

Decisions fall through the cracks or get made by whoever happens to be in the room.

02 We're not sure what our biggest risks are

Risks are vaguely understood, not documented, prioritised, or tracked.

03 The board can't speak to our security

Founders scramble for a credible answer, often over- or under-selling the position.

04 We've never agreed how much risk we'll accept

Risk decisions are implicit and inconsistent, with no framework behind them.

05 If something happened tonight, we'd wing it

Reactive firefighting without a plan. Panic, followed by expensive mistakes.

06 Security questions stall our deals

Days lost on questionnaires, and competitors with a better posture win the work.

How a fractional CISO engagement works

01 Scope the engagement
Format: stakeholder survey

You and key stakeholders rate the statements that matter most. That tells us where to focus, where you're already strong, and what success looks like.

02 Lead and govern
Rhythm: monthly

Your CISO sets the strategy, builds and owns the risk register and roadmap, reports to the board, and keeps decisions moving through a regular check-in.

03 Review and prove progress
Minimum term: 6 months

Each quarter we measure which statements have moved from “can't say” to “can say”, refresh the roadmap, and adjust focus as your business changes.

That's the outline of how we work. The full service description sets out the detail, assumptions, and exclusions.

Read the full service description

Companies we've worked with

Ampere, Beam, Biographica, Chalfen, General Index, Harbr Data, Judge.me, Lightsonic, Responsible Marketing, Syntasso, The Key Group, Zaptic

What your CISO owns

Your CISO leads on the things that need senior judgment, and points your team and providers at the rest.

01 Security strategy and direction
02 Risk appetite and tolerance
03 Risk register and treatment
04 Security roadmap and priorities
05 Roles and decision rights
06 Board and investor reporting
07 Incident readiness and escalation
08 Compliance and certification strategy
09 Supplier and third-party risk
10 Access and people security oversight

Who it's for

20 to 200 employees: real security risks and stakeholder expectations, but a full-time CISO would be underused

Handling sensitive data: customer, financial, or health data, or valuable intellectual property

Facing external scrutiny: customer security questions, investor due diligence, or certifications on the roadmap

A technical product or service: SaaS platforms or businesses where IT systems are core to what you do

Past the basics: foundational controls already in place, ready for direction rather than hands-on setup

What's not included

  • Day-to-day security operations
  • Writing policies and procedures
  • Implementing technical controls
  • Hands-on incident response
  • Penetration testing and audits
  • 24/7 availability or on-call

Your fractional CISO is a senior practitioner who has held security leadership roles across multiple sectors and organisation sizes, typically holding recognised qualifications such as CISSP or CISM. You work with the same named person throughout, so they learn your business once and carry that context forward.

Term and engagement

Minimum term: 6 months, renewable quarterly thereafter

Commitment: part-time, priced to agreed scope

Reviews: quarterly, with scope and focus revisited

The right level depends on your size, sector, and the outcomes you're targeting. Use the calculator for an indicative estimate.

Estimate the cost

Common questions

Fractional CISO FAQs

Put a CISO in your corner.

A short conversation is usually enough to tell whether a fractional CISO is the right fit, which outcomes to target first, and what the engagement would look like. If something else suits you better, we'll say so.