Fractional CISO

Many of the companies we talk to know they need to do more with security but they don’t have a dedicated security function yet.

Typically, we’re talking because:

  • A partner, customer or investor asked for security due diligence.
  • There is a regulation that the organization knows about but doesn’t know how to meet.

To help these companies, we have built a service offering called Fractional CISO which is exactly what it sounds like.  We provide a part time security professional to help navigate and execute a program commensurate with the size and needs of the company we are helping.  To hire a full time CISO is not only too expensive, but it may not be the right place to spend the money early on for a smaller company.  It might be best to include some technical resources before going deep with a full time CISO.  We can help both build the program and fill in the technical gaps along the way.  Additionally, many security related activities require interaction with legal, IT and even HR teams – so a full time person might be spinning their wheels waiting for responses.  We have found that a slow and steady approach to a security program allows everyone in an organization to get on board.

Our typical Fractional CISO program includes:

  • Tracking contracts and security commitments
  • Policies and Standards Alignment
  • Vendor, Risk and Incident Management
  • Certain technical security activities (eg. Vulnerability Scanning)
  • Self assessment
  • Training
  • Security vendor engagement
  • Roadmap and program implementation

It is implied in the Fractional name, but one attractive element of this service line is that we can scale it up and down to meet customers budgets, priorities, etc.

To find out more about our Fractional CISO offering, contact us at info @ or reach out directly to matt @ jemurai.com.