// consulting   2026-01-08  ·  5 min

Fractional CISO vs in-house: when to hire vs retain

Founders ask me this question constantly. "At what stage should we hire a full-time CISO?" The honest answer is that the stage matters less than what the role actually has to do this quarter, and the role almost always has to do something different from what you think.

If your immediate need is signing off on enterprise security questionnaires, supporting a SOC 2 or ISO 27001 audit, and acting as the named security contact for prospects and partners, you do not need a full-time hire. You need someone senior who can show up on customer calls, write the policies, and put their name on the questionnaires. A fractional CISO at one or two days a week will do this work better than the senior engineer you'll otherwise pull off the product to do it badly, and at less than a third of the loaded cost.

If your immediate need is building and operating a security program — running incident response, hiring engineers, owning detection engineering, managing the relationship with the board on risk — you need a full-time hire. The fractional version of this role is structurally limited because a security program is a continuous activity, not a series of artifacts. The fractional CISO can help you scope the role and even run the search, but they're not going to operate the program for you indefinitely.

The mistake I see most often is hiring full-time too early. A pre-Series-B startup hires a name-brand CISO at a senior salary, and the CISO spends six months building processes the company is too small to need. Morale degrades, the CISO leaves for a bigger company, and the founders conclude that they tried security and it didn't work. They didn't try security. They tried a process built for a 500-person org at 50 people, and it broke for predictable reasons.

The healthier path for most funded startups: a fractional CISO during the period where the security work is mostly artifact-shaped (questionnaires, audits, policies, advising the founders on what matters). Hire full-time when the work shifts to being operational and continuous, which is usually when you cross 75–100 employees, sign your first highly regulated customer, or experience an incident that changes the conversation.