FRACTIONAL CISO · HANS STUDY · ONTARIO, CANADA

Fractional CISO, security leadership without the full-time hire

Retained, part-time security leadership for organizations that need a CISO's judgment but cannot justify a full-time executive. Security strategy, board and executive reporting, program design, risk and compliance ownership, vendor decisions, and incident oversight. Delivered on-site, hybrid, or fully remote as a virtual CISO. Independent, and CISSP-certified.

The gap a fractional CISO fills

Most organizations reach a point where security has outgrown the person handling it on the side. The board is asking questions. The cyber insurance renewal has a longer questionnaire than last year. A compliance framework is now a contract requirement. A customer security review landed on someone's desk and nobody owns the answer. The work needs an executive who can set direction and stand behind it, but the headcount and the budget for a full-time CISO are not there.

A fractional CISO closes that gap. You get the strategy, the accountability, and the boardroom credibility of a senior security executive, on a retained, part-time basis, sized to what the organization actually needs. Not a full-time salary. Not a project that ends when the report is filed. A standing security leader who shows up on a regular cadence and owns the program between sessions.

I have worked across enterprise networks, physical security, OT, and the compliance frameworks that govern them, in government, defence, critical infrastructure, and enterprise environments across Canada and the United States. The fractional CISO work draws on all of it, because real security leadership does not stop at the IT boundary.

What a fractional CISO owns

Security strategy and roadmap

A written security strategy tied to the actual risks the organization carries, with a roadmap that sequences the work by impact rather than by whatever the last vendor demo emphasized. Something the leadership team can fund and the technical team can execute.

Board and executive reporting

Security translated into the language the board speaks: risk, exposure, cost, and the trade-offs behind each decision. Regular reporting that holds up under scrutiny from auditors, insurers, and customers, without burying the room in jargon.

Security program and governance

Policies, standards, and the operating rhythm that turns them into practice. Access governance, asset and vendor inventory, change control, and the documentation that proves the program exists when somebody asks for evidence.

Risk and compliance ownership

Ownership of the framework the organization is working toward or maintaining: CMMC, CPCSC, NIST SP 800-171, NIST SP 800-53, ISO/IEC 27001, NERC CIP, ITSG-33, or GO-ITS. Gap assessment, control mapping, evidence collection, and audit defence, run as a program rather than a fire drill.

Vendor, platform, and architecture decisions

Independent judgment on the security and technology decisions that are expensive to reverse. What to buy, what to consolidate, what to retire, and which integrator proposals hold up. No resale relationship steering the answer.

Incident oversight and escalation

A defined escalation path and a leader who can run the room when something goes wrong. Incident response planning before the event, and senior oversight during it, so the organization is making decisions instead of improvising them.

Cyber insurance and audit readiness

The controls and the evidence that insurers and auditors actually ask for, in place before the questionnaire arrives. Honest answers on the application, and a posture that backs them up.

Team support and hiring

Mentoring the internal team, setting the technical bar for security hires, and giving an IT group that inherited security responsibility a senior voice to escalate to. The goal is to make the organization more capable, not more dependent.

Fractional, virtual, or hybrid

The engagement model fits the organization, not the other way around. The work is the same. The delivery is whatever the situation calls for.

  • Fractional CISO, a regular retained cadence with on-site presence where it matters, for organizations that want a security leader embedded in the operation
  • Virtual CISO (vCISO), the same leadership delivered fully remote and on-demand, for organizations that are distributed, lean, or simply do not need anyone in the building
  • Hybrid, remote by default with scheduled on-site time for board meetings, audits, assessments, and incident response
  • Scoped to the engagement, sized by the hours and the cadence the organization needs, with the scope written down so both sides know what the retainer covers

Why independence matters at the CISO level

A CISO who also sells you the platform has a conflict baked into every recommendation. The fractional CISO work carries no resale relationship, no license revenue, and no service contract to protect. The advice on what to buy, what to keep, and what to walk away from reflects the organization's risk and budget, not a partner quota.

It also reaches further than most security leadership. The same person who can write the board report can read a switch configuration, size a video surveillance deployment, segment an OT network, and tell you whether the integrator's design will hold up. Security leadership that understands the infrastructure underneath it, not just the policy on top.

Related advisory areas

Strategic Security and Technology Consulting →

Project-based strategy and technology advisory for organizations that need direction without a standing retainer.

CMMC and CPCSC Compliance →

Certification readiness and control work for defence supply chain and Canadian programs.

Enterprise Network Architecture →

The network and infrastructure layer the security program depends on.

Industrial and OT Networks →

Security leadership that extends into the control systems most CISOs never touch.

Common questions

What is a fractional CISO?

A fractional CISO is an experienced Chief Information Security Officer who works for an organization on a part-time, retained basis instead of as a full-time employee. The organization gets executive security leadership, strategy, board reporting, program ownership, and accountability, at a fraction of the cost and time commitment of a full-time hire. It suits organizations that have outgrown ad hoc security but cannot justify a full-time CISO salary.

What is the difference between a fractional CISO and a virtual CISO (vCISO)?

They describe the same service with a difference in delivery. A fractional CISO usually implies a regular, retained cadence with some on-site presence and a closer working relationship with the leadership team. A virtual CISO, or vCISO, is delivered remotely and on-demand. In practice the line blurs, and most engagements are hybrid. Hans Study provides both, scoped to whatever the organization actually needs rather than to a label.

When does an organization need a fractional CISO?

The usual triggers are a compliance framework becoming a contract requirement, a board or owner asking for security accountability, a cyber insurance renewal that now demands controls the organization cannot evidence, a customer security review with no clear owner, growth that has outpaced the security function, or an incident that exposed the lack of senior security leadership. If security decisions are being made by people without the authority or the experience to own them, that is the signal.

What does a fractional CISO actually do?

The work covers security strategy and roadmap, board and executive reporting, security program and governance design, risk management, ownership of the compliance framework, vendor and platform decisions, incident response planning and oversight, cyber insurance and audit readiness, and support for the internal team. The mix is set by the organization's priorities and revisited as they change.

What does a fractional CISO cost?

A fractional or virtual CISO engagement is priced by the cadence and hours the organization needs, on a monthly retainer, and lands well below the fully loaded cost of a full-time CISO. The scope is written down so both sides know what the retainer covers, and it can scale up for an audit or an incident and back down once the work is steady.

What credentials does Hans Study bring to the role?

Hans Study holds CISSP and has worked across enterprise networks, physical security, OT and ICS, and the compliance frameworks that govern them, in government, defence, critical infrastructure, law enforcement, and enterprise environments. The fractional CISO work combines executive-level security leadership with hands-on infrastructure depth, which is uncommon at the CISO level and matters when the strategy has to survive contact with the technical reality.

Does Hans Study provide fractional CISO services across Canada and the United States?

Yes. Hans Study is based in Ontario, Canada, and provides fractional and virtual CISO engagements across Canada and the United States. Remote delivery makes location largely irrelevant, and on-site time is scheduled where the engagement calls for it.

Can a fractional CISO cover physical security and OT, not just IT?

Yes, and that is a deliberate part of the offering. Most CISOs come from an IT background and stop at the IT boundary. Hans Study covers IT, physical security, and OT and ICS, so the security program accounts for the cameras, access control, and control systems that sit on the same networks and carry real risk, rather than treating them as somebody else's problem.

Security leadership, sized to fit

A fractional or virtual CISO engagement starts with a conversation about what the organization needs to own and what it is missing today. No retainer commitment to have that conversation. The scope, cadence, and cost get written down before anything starts.

Start a conversation