
Jessica A.,
Too Long; Didn't Read
Anyone looking for external security leadership will come across three terms that are often used interchangeably, but describe different models. This article explains what vCISO, Fractional CISO, and CISOaaS each mean, which model fits which situation, and the five things you should pay attention to when making your choice.

If you start looking for external security leadership, you will come across three terms: vCISO, Fractional CISO, CISOaaS.
They mean roughly the same thing. But only roughly.
The differences become noticeable in day-to-day practice, especially when it matters.
The three models
vCISO (Virtual CISO)
This term comes mainly from managed service providers. You book a function, not a person. Behind the "vCISO" there is often a team that distributes the tasks. A named contact person is sometimes included, sometimes not.
This model is a fit if you want a structured security service for a time-limited project, for example preparing for an audit or introducing a framework. The quality depends on who does the work behind the scenes.
Fractional CISO
Here, you book a person. An experienced security expert who dedicates a defined portion of their time to your company, typically one to two days per week.
You know who you are working with. The person gets to know your company, builds trust over time, and is not interchangeable in the event of an incident.
The downside: you depend on a single person. If that person ends the engagement, institutional knowledge is lost.
CISOaaS (CISO as a Service)
This is the hybrid model. A named senior CISO takes responsibility but has access to a team behind the scenes. You get the personal continuity of a Fractional CISO and the depth that a solo operator cannot provide.
That makes sense when security requirements are complex: a regulated environment, multiple compliance frameworks, an enterprise customer base with its own security requirements.
Which model fits when?
Three factors determine that: the complexity of the requirements, the importance of personal continuity, and the budget.
For a clearly defined project without an ongoing governance requirement, a vCISO model may be sufficient.
If you need long-term security leadership that knows your company, can act in an incident, and can also serve as the external point of contact, then you need a Fractional CISO or CISOaaS model.
If regulatory requirements are added (FINMA, NIS2, ISO 27001), or if you have customers who review your security posture, then you need the depth of a CISOaaS model.
What to look for when choosing
Industry experience
General security knowledge is good. Someone with experience in your industry sees the relevant risks from the outset instead of learning them first. Ask about specific engagements in similar companies.
Experience from operational business
A frequently overlooked point. Has the person ever worked as an internal CISO? External consultants bring breadth, but often not the depth that comes from operations. In-house experience makes the difference in difficult decisions under pressure.
How they describe crises
Ask directly: "Describe an incident you coordinated." A good answer is specific and calm. Anyone who evades the question or stays theoretical probably has little practical experience with real crises.
References
No provider should brush you off by saying everything is under NDA. Anonymized references or a conversation with a former client are possible. If that is not possible, that is a signal.
The first 90 days
This is the most common weak point in onboarding external CISOs: too little structure in the initial phase. Ask what specifically happens in the first three months. Anyone who does not have a clear answer is not prepared.
What no model can replace
All three models share one limitation: they are external.
That means less institutional knowledge than an internal CISO, limited presence in day-to-day operations, and a dependency you have to actively manage. That is not a reason to forgo external security leadership. It is a reason to deal with it openly.
A good provider addresses this themselves. Anyone who does not either wants to sell too quickly or lacks self-reflection.
In summary
vCISO, Fractional CISO, and CISOaaS are not synonyms. The right term tells you what you are booking: a function, a person, or a person with a team behind them.
The decision between the models follows the question of what you need. The real work then lies in selecting the person or team.
If you are at this stage and need a conversation partner who knows all three models from practice: we are available.