C-Suite Leadership Strategy · The Next Chapter

The Fractional CISO: How to Build a Portfolio Practice That Pays

You have carried enterprise cyber risk for a decade and you are ready to do it for three or four boards at once — but a portfolio practice is a business, and most security leaders build it backwards.

You have spent years being the person who stands between the enterprise and the breach, and you now want that judgement to serve several companies rather than one. Understanding how to build a fractional CISO practice is less about your security depth — which is proven — and more about turning it into pricing, positioning and a pipeline that does not depend on the last relationship you left. This engagement builds that plan.

For
Senior CISOs going portfolio or fractional
The trap
Treating a practice like a longer job search
The shift
Trusted operator → retained advisor with pricing power
Investment
₹29,500 incl. GST / $250

Does this sound like you?

If several of these land, this engagement is built for you.

  • You could run security for several mid-market boards tomorrow, but you have no idea what a retained fractional engagement should actually cost or how to structure one.
  • The offers arriving are dressed up as advisory work but are really a full-time job at four days a week for less than you earned before.
  • Your entire pipeline is people you already know, and you can feel it drying up the further you get from your last operating seat.
  • You keep being asked to be an incident-response hotline rather than a standing member of the risk conversation, and the two are priced worlds apart.
  • You worry that once you are not embedded in one company, the market forgets you were ever the person who held its cyber risk together.
  • You suspect you are undercharging because you cannot yet articulate, to a buyer, why a part-time CISO is worth more than a compliance consultant.
01

Why security judgement does not price itself

A fractional CISO practice fails or thrives on a problem most technical leaders never had to solve inside a salaried role: security is bought as insurance, and insurance is chronically underpriced until the day it is needed. When you carried the mandate full-time, the board paid for your judgement without ever having to name what it was worth — it was bundled into a compensation number and a title. The moment you go portfolio, you are asking a buyer to attach a price to something they hope never to use, and that is a genuinely harder sale than a growth leader who can point to revenue or a CFO who can point to a fundraise.

This is the trap that hollows out most first attempts. The security leader assumes the practice will sell on credibility — the CISSP, the years, the incidents survived — and discovers that credibility gets you the meeting but not the fee. What the buyer is actually weighing is whether a part-time custodian of cyber risk is a genuine reduction in their exposure or an expensive comfort blanket. Until you can frame the engagement as the difference between an unmanaged enterprise risk sitting on the audit committee agenda and a governed one, you will be priced against a compliance vendor, not against the seat you left.

02

The retained advisor versus the four-day employee

There are two fractional practices a CISO can accidentally build, and they look identical from the outside. In the first, you are a retained advisor: several companies pay a standing fee for governed cyber risk, a defined cadence of board and risk-committee engagement, and the assurance that a proper CISO owns their posture. In the second, you are a discounted full-time employee spread thinly across firms that each secretly want all of you — running the SOC, chasing patch cycles, sitting in every standup — for a fraction of what a salaried CISO commands. The first compounds; the second exhausts you and pays less.

The difference is not the client size or the sector. It is what the engagement is scoped to own. A retained practice sells governance, board-facing assurance, architecture decisions and the standing relationship with the risk committee — the parts of the role only a seasoned CISO can do, priced accordingly. It deliberately does not sell hands-on operations, because the moment you agree to run the tooling you have signed up to be present, and presence is the enemy of a portfolio. Drawing that line — what you own versus what the client's own team or a managed service delivers — is the single decision that determines whether the practice is a business or a slow-motion return to salaried work.

  • Governed cyber risk, not operational firefighting — the board-facing half only a CISO can own.
  • A defined cadence — risk committee, audit committee, quarterly posture — not an open-ended hotline.
  • Assurance the enterprise can put in front of regulators and insurers, priced as risk reduction.
  • A clear boundary where operations, the SOC and tooling are the client's team or a managed service, never you.
03

Pipeline that survives leaving the building

Every CISO's first three fractional clients come from the network — a former colleague now on a board, a peer who trusts you, a vendor who introduces you. This warm pipeline feels like proof the practice works, and it is the most dangerous phase, because it disguises the real problem: warm intros are a depleting asset. Each one you spend is gone, they cluster in the world you just left, and they say nothing about whether the market at large will pay a stranger for fractional security leadership. Practices that never build a second engine plateau the moment the network is exhausted, usually around month nine.

The durable pipeline for a fractional CISO is built on being known for a specific, buyable point of view rather than being generally respected. The buyers of part-time security leadership — funded startups past their first serious customer-security questionnaire, mid-market firms facing a SEBI or RBI cyber mandate, PE portfolio companies with a due-diligence gap, GCCs standing up local security governance — each surface through different channels and respond to different framings. Knowing which of those buyers you are actually for, where they look, and what makes them reach for a fractional CISO rather than a full hire or a consultancy is the difference between a practice that markets itself and one that survives on referrals until it doesn't.

04

The Indian cyber-governance tailwind

There has rarely been a stronger moment in India to be a credible part-time custodian of cyber risk, and most CISOs going portfolio are underusing it. CERT-In's incident-reporting directives, the Digital Personal Data Protection Act and its obligations on data fiduciaries, SEBI's cybersecurity and cyber-resilience framework for regulated entities, and the RBI's expectations of boards on IT and cyber governance have collectively turned security from a technical concern into a documented board responsibility. Every one of those obligations creates a company that needs governed cyber risk it cannot yet staff full-time — which is precisely the buyer a fractional practice exists to serve.

The mistake is to treat this regulatory backdrop as compliance work and price it like an audit. The board does not want a checklist; it wants someone who can sit in the risk committee, translate an obligation into a defensible posture, and stand behind it if a regulator or an insurer asks. That is CISO work, not consultant work, and it is worth a standing retainer rather than a project fee. A fractional practice that positions itself against this tailwind — as the enterprise's accountable security mind for a fraction of a full seat — is selling into demand that the regulation itself is manufacturing, and that is a far stronger footing than competing on hourly rates with a compliance shop.

You are not selling hours of security work. You are selling a board the ability to say, truthfully, that a real CISO owns its cyber risk — to a regulator, an insurer and an acquirer — without carrying a full seat. Price the assurance, not the time.

05

From invisible-until-the-breach to visibly indispensable

The oldest curse of the CISO — that security is invisible until the breach — follows you into the portfolio practice and quietly caps your fees. When nothing goes wrong, the client cannot see what they are paying for; when something does, they remember why they hired you but wonder if it was your fault. A fractional practice that does not solve this visibility problem lives in permanent renewal anxiety, forever re-justifying a retainer against the silence of an uneventful quarter. The fee follows the perceived value, and perceived value collapses in calm.

Solving it is a positioning discipline, not a marketing one. The mature fractional CISO makes the governance visible on purpose — a standing risk report the board reads, a posture the audit committee can see improving, a documented reduction in the enterprise's insurable and regulatory exposure that exists whether or not an incident ever comes. The value being sold shifts from catching the breach to governing the risk, and governed risk is legible in every quarter, not just the bad ones. This engagement is built to design that legibility deliberately, so the practice sells on standing assurance rather than on fear — and so the renewal is never in question because the value was never invisible.

How it plays out

The banking CISO who was building a job, not a practice

Consider a group CISO — call him Arun — who had spent eleven years carrying cyber risk at a large private-sector bank and its fintech subsidiary, through two regulator examinations and one genuinely frightening intrusion attempt he had quietly contained. He left to go portfolio, and within four months had three engagements, all from former colleagues, all paying well below his old package, and each of which had somehow expanded until he was effectively running three security functions part-time — on incident calls at midnight, chasing patch cycles, present everywhere. He was busier than he had been salaried, earning less, and could not see how it would ever scale.

The diagnosis named the actual failure, which was not his security ability but his scoping. Arun had sold his availability rather than his judgement. Each client had bought, in effect, a discounted full-time CISO, because nothing in his engagement drew a line between the governed cyber risk only he could own and the operational security their own teams should run. His pipeline was three warm intros deep and had no second engine. And because the value he delivered was hands-on firefighting, it was invisible in every quiet week and re-priced downward at every renewal. He had rebuilt his old job three times over, worse.

The roadmap re-founded the practice. Arun re-scoped every engagement to governance, board-and-risk-committee assurance and posture ownership, and pushed operations back to client teams and a managed detection service — halving his hours and doubling his effective rate. He anchored his positioning to the DPDP Act and the SEBI cyber-resilience framework, becoming the accountable security mind mid-market boards could put in front of regulators, and built a real pipeline into that buyer rather than mining his contacts. And he instituted a standing quarterly risk report that made his value visible in calm quarters, not just crises. Within a year he held four retained clients on standing fees, worked four days a week, and had a practice that grew from positioning rather than from favours — the portfolio he had meant to build the first time.

Illustrative composite — every engagement is calibrated to your specific situation.

What the two conversations cover

Session 1 · Diagnosis

  • Separate the governed cyber risk only a CISO can own from the operational security work that is quietly turning your engagements into part-time jobs.
  • Diagnose your current pricing against what you are actually selling — availability versus board-facing assurance — and where the fee is leaking.
  • Map which fractional-security buyer you are genuinely for, and how much of your pipeline is depleting warm intros versus a durable engine.

Session 2 · The plan

  • Design the retained-advisor engagement model — scope, cadence, boundaries and the price of assurance rather than hours.
  • Build the positioning against India's cyber-governance mandates so the regulation manufactures your demand instead of your network.
  • Set the visibility discipline — the standing risk reporting that makes your value legible in calm quarters and secures every renewal.

The mistakes to avoid

  • Scoping engagements around your availability rather than your judgement, so each client quietly rebuilds a discounted full-time CISO seat around you.
  • Pricing against compliance vendors instead of against the enterprise risk you govern, and being read as an expensive checklist.
  • Living entirely off warm introductions from your last role, and mistaking a depleting network for a working pipeline.
  • Agreeing to own operations, the SOC and tooling — signing up for a presence that makes a real portfolio impossible.
  • Leaving your value invisible in uneventful quarters, so every renewal becomes an argument you have to win against the silence of no breach.

One offering · one outcome

  • Two 60-minute one-to-one conversations with a senior Gladwin partner
  • A complete diagnostic of where you stand in the market today
  • A personalised repositioning roadmap you keep — your gap analysis and 90-day plan
Book and pay online

C-Suite Leadership Strategy — Assessment and Roadmap

2 × 60-minute conversations · one booking

₹29,500incl. GST · per booking
  • Two 60-minute one-to-one conversations with a senior Gladwin partner
  • A complete diagnostic of where you stand in the market today
  • A personalised repositioning roadmap you keep — your gap analysis and 90-day plan
Pay in:

Loading available slots…

Frequently Asked Questions

By deciding, before you sign anything, what the engagement owns. A practice that sells governed cyber risk — board and risk-committee assurance, posture ownership, architecture decisions — compounds and commands a real fee. One that sells your availability collapses into discounted full-time work, because the moment you agree to run operations you have signed up to be present everywhere. The line between what you own and what the client's team delivers is the whole business, and the first session exists to draw it precisely.

There is no single number, because the fee follows what you are scoped to own, not the hours you put in. A governance-and-assurance retainer priced as risk reduction sits far above an operational one priced as labour, even for the same client. The real work is being able to justify, to a buyer weighing insurance against cost, why a part-time accountable CISO reduces their exposure more than a compliance vendor does. Once that framing is solid, the pricing conversation stops being a negotiation on rate and becomes one on value.

It is the most common and most disguised problem in a new practice. Warm introductions feel like proof the model works, but they are a depleting asset — each is spent once, they cluster in the world you just left, and they tell you nothing about whether strangers will pay for fractional security leadership. Practices that never build a second engine plateau the moment the network runs dry, usually within a year. The fix is being known for a specific, buyable point of view, which we design in the second session.

That is the real risk of the invisible-until-the-breach problem, and it is why visibility is a discipline, not vanity. A fractional CISO who governs risk quietly and says nothing becomes forgettable between incidents. One who publishes a standing posture view, sits visibly in risk committees and is associated with a clear point of view on, say, DPDP readiness stays present in the buyer's mind. The roadmap builds that presence deliberately, so your standing does not decay the moment you stop being someone's full-time employee.

You do not compete with them — you sit in a seat they cannot fill. A consultancy delivers a project and leaves; a managed service runs tooling. Neither can be the accountable, board-facing security mind that owns the enterprise's posture and stands behind it to a regulator or insurer. That accountability is precisely what a fractional CISO sells and what those providers structurally cannot. Positioned correctly, you are often the person who governs the very managed services the client buys, rather than their competitor.

Strongly, if you position for it rather than treat it as audit work. CERT-In directives, the DPDP Act, the SEBI cyber-resilience framework and RBI expectations of boards have turned security into a documented board responsibility, creating many companies that need governed cyber risk they cannot yet staff full-time. That is exactly your buyer. The mistake is pricing it as compliance; the opportunity is being the accountable security mind a board can put in front of a regulator for a fraction of a full seat — demand the regulation itself is generating.

A consultant advises and hands over a report; the client still has no one accountable for the risk. A fractional CISO holds the accountability — a standing seat in the governance, ownership of the posture, and the relationship with the risk committee. That is a different product with a different price and a different renewal logic. Blurring the two is why many practices undercharge: they position as consulting, get priced as consulting, and never capture the value of the accountability only a real CISO can carry.

Two 60-minute conversations with a partner, a written diagnostic of where your practice is leaking value — scope, pricing, pipeline and visibility — and a personalised roadmap document with the specific moves for your situation: the retained engagement model to sell, the buyer to target, the regulatory positioning to own and the visibility discipline that secures renewals. One price, incl. GST, or $250 internationally. No tiers and nothing further to buy.