If Part 8 answered the question 'what does a vCISO do?', this article answers the one that tends to follow it: 'why not just hire a proper CISO?'
It is a fair question, and it deserves a fair answer — not a sales argument for the fractional model, but an honest comparison that helps you make the right decision for your organisation.
A full-time CISO is embedded completely. They attend every relevant meeting, have full context of the business, and can respond to emerging risks or incidents without the constraints of a fractional engagement. They build deep relationships across the organisation and can develop and execute a long-term security strategy with full continuity.
In a business where cyber risk is genuinely complex, highly regulated, and central to commercial operations — a financial institution, a critical national infrastructure provider, a large professional services firm — a full-time CISO is probably the right answer.
The model exists for good reasons, and for some organisations, nothing else will do.
For most UK businesses under 500 employees, the full-time CISO proposition runs into three practical constraints.
Cost. A CISO in the UK market currently costs between £120,000 and £200,000 in base salary, depending on seniority and sector. Add employer's National Insurance, pension contributions, benefits, and the overhead of a senior hire, and the total employment cost exceeds £150,000 per year.
Availability. Experienced CISOs are in short supply. Recruitment timelines for senior security leadership typically run at three to six months, and the candidate pool for organisations at SME scale is narrower. An organisation that decides it needs a CISO today should not expect to have one functioning in the role for at least half a year.
Proportionality. The full-time CISO model assumes a security programme complex enough to sustain full-time leadership. For many SMEs, the governance function does not require five days a week. It requires consistent, skilled attention at the right cadence. A full-time hire in this environment risks underutilisation, scope creep, or ongoing pressure to justify the headcount.
The vCISO model is designed specifically to address those three constraints.
Cost. A vCISO engagement typically costs between £2,500 and £6,000 per month, depending on scope and organisation size. Annualised, that is £30,000–£72,000 — a fraction of the equivalent full-time cost, with no employment overhead, no recruitment cost, and no notice period risk.
Availability. A vCISO engagement can be active within weeks. There is no recruitment process, no onboarding delay, and no gap between the decision to invest in governance and the delivery of that governance.
Proportionality. The fractional model means you get the governance function at the intensity your organisation actually requires. As the business grows, the engagement can scale accordingly.
Here is the dimension that matters most and gets discussed least.
The risk of leaving the governance gap open — no risk owner, no board-level reporting, no strategy — is concrete and ongoing. Every month without governance is a month of accumulating unmanaged risk.
The cost of a significant incident — operational disruption, legal fees, ICO investigation, reputational damage, client loss — typically exceeds the cost of two to three years of vCISO engagement. Often by a significant margin.
The risk-adjusted case for the vCISO model is not that it is cheaper than a CISO. It is that it is significantly cheaper than the alternative of leaving the governance gap open.
For most UK organisations at SME and mid-market scale, the right answer is the vCISO model. Not because it is cheaper, but because it is proportionate, fast to deploy, and specifically designed for the governance function they actually need.
The clearest next step is a conversation. In 30 minutes, we can give you an honest picture of your current governance posture, what a proportionate response looks like, and what an engagement with ITbuilder's vCISO team would involve. There is also the webinar — 30 June, w/c — where we will take these questions live. Register at itbuilder.co.uk/vciso-series.
What happens if our vCISO leaves or the engagement ends?
Because the vCISO model is governed by a contract with a firm rather than an employment relationship with an individual, continuity is the firm's responsibility. At ITbuilder, our vCISO function is team-backed — knowledge is documented and transferable. This is a meaningful advantage over the full-time hire model, where key-person risk is a genuine concern.
Can a vCISO help us decide whether we eventually need a full-time CISO?
Yes — and this is one of the genuine advantages of the model. A vCISO engagement gives you a clear view of your governance needs as they actually are. If you grow to the point where full-time CISO leadership is warranted, your vCISO is well-placed to define the role, brief the search, and provide continuity through the transition.
How do we justify the vCISO cost to our board?
The most direct justification is risk-adjusted cost. Ask your board what a significant incident would cost the business — in regulatory fines, legal fees, operational disruption, and client impact. Compare that to the annual cost of the engagement. The risk transfer value is typically an order of magnitude greater than the investment.
What's the minimum viable vCISO engagement?
An initial engagement typically covers: baseline risk assessment, governance framework, board reporting cadence, and incident response plan. This can be structured as a fixed-scope initial phase before moving to ongoing engagement.
Do we need to change our MSP or IT setup to work with a vCISO?
No. The vCISO works with your existing operational security arrangements. Their role is to govern the programme, not manage it. In most engagements, the vCISO improves the value you get from your existing investments by ensuring they are deployed in service of a coherent risk strategy.
The choice between a full-time CISO and a vCISO is not a choice between a proper solution and a cheaper compromise. It is a choice about what is proportionate to your organisation's actual governance needs. For most UK SMEs and mid-market businesses, the vCISO model is the right answer. The governance gap is a solvable problem. The cost of solving it is a fraction of the cost of not solving it.