Strategic Deployment of a Fractional CISO

Before hiring their first Chief Information Security Officer (CISO), CEOs and boards should consider a fractional CISO (F-CISO) to build foundational security programs that set the permanent CISO up for success. This strategy addresses a critical disconnect: executives often view security breaches and compliance failures as technical problems, but these business-threatening issues typically stem from cultural and process deficiencies requiring organizational transformation, not just technical expertise.
Seasoned security leaders rarely want to spend their first year (and political capital they’ve yet to earn) fighting internally to build basic programs from scratch. Meanwhile, candidates who combine deep technical knowledge, program-creation experience, and organizational change-management skills are scarce, which drags out recruitment and inflates costs. The traditional hire-first approach therefore creates unnecessary risk.
An F-CISO handles the heavy lifting of program construction for a defined period (usually six months to a year), then transitions management and knowledge to the permanent hire, who can focus on optimization and growth rather than foundational building. This approach reduces hiring pressure while ensuring both roles play to their strengths. Our take on it is not unique (though our implementation is), but in this post we spell it out in a manner that is explicit and comprehensive.
This article discusses how best to deploy a Fractional CISO. Next week we will discuss how you can select a good one, and ensure that they have the skill-sets you need to support your business.
Cultural Change
Through axioms like “measure twice, cut once” and “an ounce of prevention is worth a pound of cure,” we intuitively know that fixing problems during planning is always cheaper and easier than fixing them afterward, yet executives struggle to apply this logic to information security. Security pain almost always stems from failing to integrate information security into your culture and business structures. It should be noted that integration is a two-way street: the business must make room for security in how it operates, and your CISO must fit the program to how your business actually runs. Security programs are like racing brakes - they’re not there to slow things down; they’re there to enable your business to go as fast as safely possible.
Your organization’s culture is seen in the processes your company uses to turn ideas into money. That can’t be changed overnight. You can’t make people who think, “We can fix security later,” suddenly start thinking, “We need to build in security earlier.” Any CISO worth hiring will take one look at an organization that routinely incurs massive tech debt and politely pass. Furthermore, change is hard, and a lot of political capital will be spent making the necessary changes. Many of these changes will be procedural, and operational teams and the people in them are loath to have someone from outside their department dictate how they work.
If security isn’t embedded in the CEO’s strategic vision, the company’s cultural structures will inevitably treat it as an afterthought rather than a core business function. As Alfred D. Chandler observed, structure follows strategy. So any cultural change not embraced and promoted by the CEO will fail.
Having the F-CISO introduce disruptive cultural change frees your eventual permanent CISO to focus on program management and delivery.
Your CISO Candidate’s Hiring Priorities
Despite the C-suite title, CISOs often struggle for executive recognition; according to the gold-standard Hitch Partners 2025 CISO Survey, just two percent of CISOs in companies with more than 5,000 employees report to the CEO. Unlike other business functions, security isn’t intuitive to most senior leaders, forcing CISOs to spend significant time educating executives to secure resources with mixed success. That mixed success leads to shorter tenures than other executives: Hitch Partners puts the average tenure of a CISO in 2025 at 39 months. Consider this from the candidate’s perspective: when your expected time in the role is just over three years, you don’t want the first year marked by spending political capital you haven’t yet earned, struggling to achieve mere table-stakes.
Candidate CISOs, therefore, are picky. They first look at what they’ll have to work with: How many people? What’s the budget? What are our capabilities? How comprehensive is my visibility into events and my observability of systems? How many incidents has the company had in the past 24 months? Where are the postmortems and penetration test reports? How do other departments work with security? Is security seen as a partner, or as a barrier to getting things done?
They’re seeking proxy data that speaks to how empowered they will be, how the company culture views security today, and how much authority will come with the responsibility to “fix security.” They’re asking this before they ask about salary, stock, benefits, and perks.
The qualified CISO seeks to understand where they will start that job of fixing security. “What do we have in this place that’s good?” is the question of the day. Because the more stuff there is that doesn’t need to be fixed, the faster they can get to work on the really important things.
That qualified CISO is also keenly interested in the leadership expectations of how long it will take to get things “fixed” and how well the CEO and board understand security. Do they see it as a competitive advantage, or as a tickbox set of metrics? What does the CEO think “good” will look like? These all speak to whether the leadership understands what it takes to get from where we are to where we’re going.
The stakes are high for these candidates. The more than 500 CISOs who answered that 2025 Hitch Partners survey (more than half of whom work at privately held firms, and four in 10 at companies of 250 to 2,500 people) reported average compensation and bonus at privately held firms of $400,000, plus annual stock grants worth $257,000. Even the compensation and bonus of CISOs at small companies under 250 people averaged $328,000. These candidates want to know whether this role will succeed, or whether they should keep looking for the right fit.
The Two-Stage Approach
A lot must go well for an organization to find the right full-time CISO candidate who will enjoy the confidence and trust of the CEO and board, convince all stakeholders that the relationship will succeed, and get them in place. In the first three months, the new CISO will confirm the conditions they learned of during the hiring process, and discover the things that didn’t come up. Only then can they start the months-long process of fixing things.
Being diagnostically capable of identifying key issues, sufficiently organized to create strategy and to design needed programs, and tenacious enough to fight resistance to change is a rare set of skills. It’s also a different set of skills from those of someone who wants to stay on and manage the program once it’s been built, continuously improving and expanding it over the long haul.
We advise CEOs to instead consider a two-stage approach.
Stage One: Define and Build
Stage One introduces revolutionary change. The first step is collaboratively articulating the CEO’s vision for the security function’s business goals. This vision provides program legitimacy, guides metric development, and ensures that the CEO’s business goals drive the program.
Program vision statements focus on business outcomes: “support development velocity and reduce costs through simple and easy-to-use tools,” “reduce outage frequency and impact,” or “give executives clear risk decisions, leading to better-informed practices that maximize prior technology investments.”
The rest of Stage One translates the CEO’s requirements into deliverable program elements. This involves assessing current capabilities across people, process, and technology, then creating or adjusting as needed. Success depends less on buying tools and more on building the infrastructure, procedures, and foundations that make tools simpler to use and manage later.
This requires excellent negotiation skills and tenacity. The CEO drives progress most effectively through continuous support and reinforcement of the vision: building consensus around shared goals, and lending budgetary and decision-making backing rather than issuing executive mandates. Note that enabling consensus doesn’t mean “wait until everybody agrees.” Executives will disagree, and the CEO and board will have to make decisions; that is the job. Clear, risk-informed CEO decisions empower the CISO and signal that cultural change is taking hold.
Stage Two: Manage and Enhance
Stage Two transforms the Stage One framework into a sustainable, long-term system. The permanent CISO becomes a senior executive focused on iterative, incremental improvement built on solid infrastructure. Finding one full-time candidate with skills for both stages is challenging and riskier than using two distinct stages.
“We absolutely love walking into a situation where there is a fractional resource on board, and we often request that the fractional CISO be in the interview loop,” Michael Piacente, Hitch Partners Managing Partner, told us. “CISO to CISO interviewing and interaction is key; the business leaders can nod their heads in agreement but often the nuance between the two professionals is missed by the business.”
The Fractional CISO Strategy
The strategy is straightforward: within 6-12 months, transform the organization’s information security capabilities by establishing the foundational infrastructure, stakeholder alignment, and operational framework the permanent CISO needs to succeed; then transition leadership and transfer knowledge so the program can be executed sustainably over the long term.
The core F-CISO approach centers on making difficult strategic decisions and brokering critical organizational agreements while realigning team priorities and capabilities to support the CEO’s security vision. With the trust and support of the CEO and board of directors, the F-CISO builds the program framework while avoiding major vendor commitments that should remain with the permanent successor.
Operating as an external change agent, the F-CISO focuses on rapid capability transformation rather than relationship management, ultimately executing a planned leadership transition once the foundation is complete.
Common CEO Missteps in Deploying F-CISOs
There are two big and common mistakes when bringing in a fractional CISO: acting as if filling the chair is the same as building the program, and then treating them as if they’re full-time staff.
Getting an F-CISO in place is the start, not the finish, of achieving your goals. To succeed, the CEO must support program development through regular interaction and collaboration with the F-CISO, and through regular communication to the company that this direction is the CEO’s initiative. An F-CISO isn’t a temp or a consultant; this is a strategic choice that the company has committed to deliver. That means the support of internal communications staff, regular mentions at All-Hands meetings, and acknowledgment in company newsletters are critical.
The second mistake is treating the F-CISO as if they’re the permanent CISO. While you are building the program, the business must continue. Very early in the engagement, your F-CISO will be pulled in to address immediate tactical problems, such as incidents, customer concerns, and auditor questions. It’s essential that this be understood as a risk, and that it be communicated regularly that the F-CISO is there for structural change, not day-to-day work.
COO Advisor Amanda Schwartz Ramirez recently told First Round that treating a fractional executive as a full-time hire is a dangerous mistake. We agree; if your F-CISO is constantly in meetings and entangled in internal intrigue, they’re not turning wrenches and leading the charge to build the program you need.
Who This Works For
Leadership teams that are unprepared to actively support the cultural transformation outlined here should address internal commitment before engaging a CISO or F-CISO. The approach we’ve spelled out here fits organizations preparing for their first permanent CISO hire but lacking foundational security programs or those where previous CISO candidates declined after learning about the current security posture. Organizations facing regulatory scrutiny, audits, or investor due diligence need this strategy to demonstrate quickly maturing capabilities.
This approach suits companies that recognize security as a business function but struggle with operational integration. When thoughtful analysis of security incidents reveals cultural rather than technical gaps, the F-CISO’s change management focus addresses root causes that permanent hires can’t tackle effectively in their first year.
The strategy doesn’t fit organizations whose priority is managing day-to-day security operations rather than strategic transformation. We’d suggest that they consider whether they can actually “run” day-to-day security operations before building the cultural and structural foundations we’ve described here.