A fast-growing payments firm in Shoreditch needs a CISO to satisfy its FCA SMCR obligations, sign off operational resilience attestations under PS21/3, and respond to a Section 166 skilled persons review notice. The board approves a senior salary for the role. Eight months later, the seat is still empty. Three candidates accepted competing offers. The Section 166 deadline has not moved.

This is the recruitment reality for FCA-regulated firms in 2026. The senior security leadership market is thin, the SMCR accountability sits with whoever holds the role, and the cost of a wrong hire — both financially and in regulatory exposure — is severe. A fractional vCISO solves this problem in weeks rather than quarters, and for most firms under 500 staff, the economics and outcomes are simply better.

What a fractional vCISO actually is

A fractional vCISO — sometimes called a virtual CISO — is an experienced security leader engaged on a defined time commitment, typically two to eight days a month, with clear deliverables tied to your risk register, regulatory obligations, and board reporting cycle. They sit in your management meetings, own the security strategy, sign off on policy, and engage directly with the FCA, ICO, auditors, and your skilled persons reviewer when required.

This is not advisory consultancy. Outsourced security leadership through a vCISO model means the individual is accountable for outcomes — the risk treatment plan, the ISO 27001 certification track, the third-party assurance programme, the incident response runbook. The "fractional" element refers to time allocation, not commitment. When a regulator asks who owns security, the answer is the vCISO.

The distinction matters. Advisory consultants produce recommendations; vCISOs produce decisions. A firm that engages a security advisor to write a report still needs someone to own the response. A vCISO eliminates that handoff gap.

Why this matters now for FCA-regulated firms

Three pressures have converged. First, the FCA's operational resilience rules under PS21/3 required firms to identify important business services, set impact tolerances, and remain within them by 31 March 2025. Boards now need ongoing evidence of mapping accuracy, scenario testing, and lessons-learned cycles. That is monthly work, not annual — and it requires a named accountable executive.

Second, the Cyber Security and Resilience Bill currently progressing through Parliament will extend NIS-style obligations to managed service providers and tighten incident reporting timeframes for in-scope entities. Firms with EU customer exposure also face DORA (which applied from 17 January 2025 for EU-regulated financial entities) through their group structure or cross-border servicing arrangements. Each new regulation adds to the CISO's accountability scope.

Third, SMCR requires named individual accountability. Leaving the senior manager function for information security vacant — or having it default to a COO with no security background — is a regulatory weakness that surfaces immediately in any supervisory review. The FCA expects the person named to have the competence and time to discharge the role.

A permanent CISO at a senior salary plus benefits, equity, and a six-month notice period is the wrong instrument for a 120-person payments firm. Fractional vCISO services deliver the same regulatory standing at a fraction of the burn rate.

When fractional beats permanent

The fractional model wins decisively in four scenarios:

  • Sub-500 headcount firms where a full-time CISO would be underutilised across the working week. The fixed cost of a permanent hire makes no sense when the second line of defence can be delivered in 2-4 days per month.
  • Pre-Series C or pre-IPO firms needing institutional-grade security posture without permanent fixed cost. Investors and due diligence teams expect enterprise-level security governance; fractional vCISO delivers this without the permanent salary commitment.
  • Firms in regulatory remediation — Section 166 reviews, ICO undertakings, post-incident board mandates — where credibility from day one matters more than onboarding ramp. A fractional vCISO lands running, with existing relationships and regulatory experience.
  • Firms pursuing ISO 27001, SOC 2, or Cyber Essentials Plus on a defined timeline where the leadership requirement is intense for six to twelve months then steady-state. Once certified, the vCISO scales down to maintenance mode.

A permanent hire makes sense once the firm has a security team of four or more, a board that wants the function reporting directly to the CEO, and a budget that justifies the fixed overhead. Below that threshold, a virtual CISO in the UK market delivers better leverage.

Practical implementation: first 90 days

A vCISO engagement that does not produce visible output in the first 90 days is failing. The pattern we apply at Pyralink:

Days 1–30: Risk register review, control gap analysis against your stated framework (ISO 27001, NIST CSF 2.0, or FCA expectations), stakeholder mapping, and a board paper that names the top five risks and proposed treatment. This sets the baseline — without it, subsequent work has no reference point.

Days 31–60: Policy framework refresh — typically information security policy, acceptable use, access control, supplier security, and incident response. These are the documents your auditors and regulators will request first. Run a tabletop exercise with the executive team that simulates a realistic incident scenario. Establish the security steering committee cadence.

Days 61–90: Deliver the 12-month roadmap with quantified risk reduction milestones, regulatory deliverables aligned to FCA reporting cycles, and a budget recommendation the CFO can sign off. The roadmap should include clear success criteria — what does "reduced risk" mean in measurable terms?

Common mistakes to avoid

Firms that buy fractional vCISO services badly tend to make the same errors:

  • They engage someone with a consulting background but no operational scars. Get a leader who has run a SOC, handled a real breach, and faced a regulator across a table.
  • They contract for "advisory hours" with no named deliverables. The statement of work must be written around outcomes, not input.
  • They exclude the vCISO from board meetings. This defeats the entire purpose of having accountable security leadership.
  • They cycle through providers annually. Security leadership compounds; switch only for clear cause, not to chase a marginally lower monthly fee.

The most expensive mistake is treating the vCISO as a part-time employee rather than a leadership function. A vCISO who is not given access to board discussions, budget decisions, and architecture reviews cannot deliver the accountability the firm needs.

Frequently asked questions about fractional vCISO services

Can a fractional vCISO be named under SMCR?

Yes. The FCA's SMCR framework does not require the Senior Manager Function for information security to be a full-time employee. The named person must have the requisite competence and time commitment to discharge the role. Our consultants have acted as the named SMF holder for multiple FCA-regulated clients.

How many days per month do we need?

Most firms under 250 staff require 2-4 days per month for foundational coverage. Firms in regulatory remediation or pursuing certification typically need 6-8 days per month for the first 3-6 months. The commitment varies by maturity, regulatory exposure, and incident activity.

What happens if there is a major incident?

The vCISO leads the incident response, including regulatory notifications and communications. The engagement model should include provision for surge days during incidents, typically at pre-agreed rates. A well-structured vCISO engagement accounts for this in the commercial terms from the start.

How Pyralink helps

Pyralink Innovation Ltd delivers fractional vCISO services to UK financial services, fintech, and regulated SME clients from £497 per month for foundational coverage, scaling to full senior-manager-function support for FCA-regulated firms. Our consultants hold CISM, CISA, and CC credentials and have led security functions through ISO 27001 certification, FCA skilled persons reviews, and post-incident regulatory engagement.

We carry £5M professional indemnity insurance. Engagements are backed by our CloudAuditX platform for continuous multi-cloud posture monitoring, so your vCISO is working from live evidence rather than quarterly snapshots. Michael Adedeji, our Founder and Managing Director, personally reviews every FCA-regulated client engagement scope.

If your CISO seat is empty, your operational resilience attestation is approaching, or your board has asked who owns security accountability — talk to us before you post the next job advert.
