Fractional CISO Retainer
Ongoing security program leadership for Series A through mid-market companies that need a senior security executive — without the $300K full-time commitment. One practitioner, every engagement, no hand-offs.
What's Included
- Monthly security program status review and roadmap update
- Risk register review and prioritization
- Quarterly board or executive security reporting
- Security policy and procedure development
- Vendor security assessment and third-party risk management
- Incident response advisory and on-call guidance
- Compliance framework monitoring (SOC 2, ISO 27001, HIPAA, PCI DSS)
- Up to 2 hours of ad-hoc advisory included; additional hours at $350/hr
Deliverables
- Written monthly security program status report
- Updated risk register with prioritized action items
- Executive security summary (board-ready on request)
Frequently Asked Questions
How many hours per month does a fractional CISO work?
The retainer engagement includes approximately 15-20 hours per month. That is enough for weekly touchpoints, policy and program work, risk register maintenance, and board reporting. Additional hours are available at $350/hr.
What is the minimum commitment for the fractional CISO retainer?
The minimum engagement is three months, then month-to-month. This is intentional: meaningful security program progress requires at least one quarter of consistent effort.
Can a fractional CISO handle our SOC 2 audit?
Yes. The retainer includes SOC 2 framework monitoring and compliance support. Companies with an active audit deadline often combine the retainer with the SOC 2 Readiness Sprint for accelerated preparation.
What is the difference between a fractional CISO and a vCISO?
The terms are often used interchangeably. "vCISO" (virtual CISO) typically describes a consulting firm model where multiple staff rotate through your account. A fractional CISO is a single senior practitioner working part-time. You get the same executive every engagement, with no hand-offs.