Fractional CISO vs Non-Executive Director

A fractional CISO sits inside the management team and runs the security function. A Non-Executive Director sits on the board and holds the executive to account. They are not substitutes. They are not interchangeable. They report to different people, carry different statutory liability, cost different amounts, and solve different problems. Boards that conflate them either over-pay for what they need or — more dangerously — leave the governance gap unfilled while believing it is filled. This page is the honest comparison from someone who provides one of these and routinely recommends boards hire the other instead of him.

Last updated: 10 May 2026. UK and EU/EEA focus.

The short version

If you have not yet built a security function and need someone to do that, you want a fractional CISO. If you already have a security function (whether full-time or fractional) and the board needs an independent peer to hold the executive to account on cyber and AI risk, you want a NED. Most growing companies past Series B end up needing both. Below is the structural detail behind that one-line answer.

The comparison at a glance

Dimension                       Fractional CISO                                                        Non-Executive Director
------------------------------  ---------------------------------------------------------------------  ---------------------------------------------------------------------------------------
Reports to                      The executive (CEO, CTO, COO)                                          The board (and, through the chair, the shareholders)
Sits inside                     The management team                                                    The board of directors
Statutory status                Service provider / contractor                                          Statutory director under the Companies Act 2006
Personal liability              Contract liability (limited by the SOW)                                Director liability under sections 171–177 (unlimited in scope, mitigated only by D&O insurance)
Filed at Companies House        No                                                                     Yes
Time commitment                 1–3 days per week, ongoing                                             1–4 days per month, plus committee work and incident response
Typical UK cost                 £3,000–£12,000 per month (£36k–£144k per year)                         £24,000–£120,000+ per year
Term length                     Rolling, often 6–12 month contracts with 1-month notice                3 years, with renewal for a further 3 (UK Code; nine-year independence sunset)
Owns the security strategy?     Yes: the fractional CISO writes it and runs it                         No: the NED challenges and approves it
Does the work?                  Yes: operational responsibility                                        No: governance responsibility
Independent of management?      No (is part of the management team)                                    Yes (the whole point of the role)

What a fractional CISO actually does

A fractional CISO is an experienced security executive engaged part-time, typically 1–3 days a week per company, often working with two to four organisations simultaneously. They are part of the management team. They have direct reports (the security analysts, engineers, GRC team), they own the security strategy, they run the day-to-day risk register, they lead the response when an incident lands, and they prepare the security narrative for customers, regulators, investors, and the board.

Concretely, a UK fractional CISO will typically: write or own the company's information-security policy set; lead ISO 27001 / Cyber Essentials / SOC 2 certification programmes; manage the relationship with the SOC (in-house or outsourced); approve security architecture decisions; oversee third-party risk and supply-chain security; sit on the change-advisory board; brief the executive committee monthly; and present to the main board quarterly.

A fractional CISO is the right answer when the company is too small, too early-stage, or too cost-constrained to justify a full-time CISO appointment, but is past the point where security can be left to "the CTO also does it on Fridays". The market is well-served: Boardman, FosseTech, Leadership Services, Freeman Clarke, and a long tail of independent practitioners all offer the role at the £3k–£12k per month band.

What a Non-Executive Director actually does

A NED is a member of the board of directors who does not have day-to-day executive responsibility. They are filed at Companies House as a director, they share the same statutory duties as executive directors under the Companies Act 2006, and they are personally liable in the same way. They are appointed to bring independent judgement, specialist expertise, and oversight to board decision-making — and to hold the executive directors to account on behalf of shareholders, the regulator, and other stakeholders.

A specialist cyber NED (or a Cyber and AI NED) does this with a particular focus on cyber and AI risk: reading the board pack with a domain-literate eye; sitting on the audit, risk, or technology committee; holding standing one-to-ones with the CISO and head of AI between meetings; being on the phone within hours of a serious incident; reviewing the AI register, the DPIAs, and the third-party risk profile; and bringing regulator-readiness as standing posture rather than crisis response.

The NED is not running the security function. The NED is making sure the board is governing it.

The structural difference that matters most

Here is the single most important distinction, and it is the one most consultancy-blog comparisons get wrong:

A fractional CISO cannot govern themselves. They are part of the management team. The board cannot ask them "are you doing your job well?" because they are the management response to the question. Asking the management team to grade itself is exactly the situation that good corporate governance is designed to prevent.

A NED is structurally outside that loop. The NED's job is to ask the management team — including the fractional CISO if there is one — the questions the board needs answered and to do so independently of the management's narrative. That independence is statutory, not stylistic: a NED is, by definition, someone who has no executive role in the company and whose loyalty is to the company itself rather than to any individual executive.

This is why the two roles are not substitutes. A fractional CISO who tries to be a NED is conflicted; a NED who tries to be a fractional CISO is no longer independent. The most mature companies recognise this and run both roles in parallel.

Statutory and legal differences

A fractional CISO is engaged under a service contract or a Statement of Work. Their liability is bounded by the contract's limitation-of-liability clause (typically a multiple of the annual fee) and by their professional indemnity insurance. They are not a director of the company; they are not on the Companies House register; they cannot bind the company in transactions; and they do not vote on board resolutions.

A NED is a statutory director. The seven duties under sections 171–177 of the Companies Act 2006 apply equally to executive and non-executive directors. The "reasonable care, skill and diligence" test under section 174 is judged against both an objective standard and a subjective standard — and a NED appointed for cyber expertise is held to a higher standard on cyber decisions than a generalist NED would be. NED appointments require D&O liability insurance to protect the personal assets of the director, and a deed of indemnity from the company under section 234 of the Companies Act.

Practically: if the company suffers a serious cyber incident with regulatory consequences, the NED is in the room when the regulator visits and is part of the board's collective accountability for what happened. The fractional CISO, however senior, is in the room as a witness — not as a respondent.

Cost — and how to think about it

The headline numbers look similar — both roles can sit in the £30k–£100k band depending on the company — but the comparison breaks down once you look at what each is delivering.

Fractional CISO cost is operational expenditure: you are paying for hours of executive work and the strategy and execution that come with it. The cost-per-day is high because the work is high-skilled, the demand is high, and the supply of practitioners with regulated-industry CISO experience is limited. The fractional CISO is the cheap way to access executive-grade security leadership without the overhead of a full-time hire.

NED cost is governance expenditure: you are paying for the independent judgement, the personal liability, and the regulator-readiness the NED brings. The cost-per-day looks higher because you are paying for the seat and the standing, not just the hours. A NED who attends only the board meetings is failing the role; a NED who is genuinely engaged is doing four to eight hours of pre-reading per pack, multiple one-to-ones per month, committee work, and being on the phone when an incident lands.

The honest comparison: if you only need security operations done, hire a fractional CISO. If you need board-level cyber governance — particularly under NIS2, DORA, the EU AI Act, or the UK Cyber Governance Code — hire a NED. If you need both (most regulated companies past £10m revenue do), the combined cost is roughly equivalent to one mid-market full-time CISO appointment, and you get strictly more capability for the same money.

When to hire which — a decision tree

Rather than pretending this is a one-size-fits-all decision, here is the actual framework I use when boards ask:

Hire a fractional CISO if

  • You have no security function at all today, and someone needs to build one.
  • You have a junior or mid-level security manager who needs senior cover and steerage.
  • You are working through a specific project — ISO 27001 certification, SOC 2, an incident response retainer — that needs an executive owner but does not justify a full-time hire.
  • The board is functional and asks the right questions, but the management team needs technical depth they do not have.
  • The company is below £10m revenue and the cost of a full-time CISO is genuinely not affordable.

Hire a Non-Executive Director if

  • You have a CISO (full-time or fractional) and the board cannot independently assess whether they are doing the job well.
  • The company is in scope of NIS2, DORA, the EU AI Act, or the UK Cyber Governance Code and the board needs board-level domain expertise to discharge its duty.
  • You are preparing for a fundraise, an IPO, an acquisition, or a regulator-led audit — all of which sharpen the diligence on board-level cyber and AI governance.
  • You have suffered a recent incident or near-miss, and the technical fix is in but the governance gap remains.
  • You are deploying AI in a regulated decision-making context (credit scoring, recruitment, claims handling, medical triage) and the board needs to be able to govern that deployment.
  • Your CISO is leaving, has just left, or is signalling they will — the board needs an independent read on what comes next.

Hire both if

  • You are a regulated firm (financial services, healthcare, critical national infrastructure, energy, payments).
  • You are a scale-up past Series B with a real security risk profile and a board that needs to govern it.
  • You are post-acquisition, integrating two cyber estates, and need both the operational lift and the governance oversight.
  • You are running AI in production at scale and need both engineering execution and board-level governance.

Most companies past £20m revenue with any meaningful regulatory load fall into the "both" category. The combined annual cost of a fractional CISO at £6k/month plus a specialist NED at £45k is £117,000 — meaningfully less than a single full-time CISO at the £150k–£200k band, and structurally stronger because the work and the oversight are split between two independent people.

The conflicts to watch out for

Two patterns I see often, both of which are bad practice:

Asking the same person to be both the fractional CISO and the NED. Some firms offer this as a "two-in-one" engagement. It is structurally broken: the person is either not a real NED (because they sit inside the management line) or not a real fractional CISO (because they cannot honestly assess their own performance for the board). One or the other; never both at the same company.

Asking the company secretary to act as the cyber NED's substitute. The company secretary supports the board's processes; they do not supply technical cyber judgement. Substituting them for a NED on the cyber agenda is a governance shortcut that fails on the day it most needs not to.

Hiring a generalist NED and engaging external advisors for the cyber input. This is more defensible than the previous two but it is still suboptimal. The generalist NED then has to translate the advisor's input into board language, and the board's independent judgement on cyber is only as good as that translation. A specialist NED brings the judgement directly.

When you should hire a fractional CISO instead of me

Honest answer: most small companies considering whether to hire a NED would actually be better served, today, by a fractional CISO. The NED role only works when there is a working security function for the NED to govern. If you do not have one yet, the NED appointment is premature — there is nothing to oversee — and you will burn a fee that would be better spent on building the function in the first place.

If your annual security budget is under £150,000 in total, you almost certainly want a fractional CISO and not a NED. If your security function is one junior analyst and an outsourced SOC contract you signed two years ago and have not reviewed since, the same advice applies. Build the function first; bring the NED in once there is something for them to govern.

I have a list of fractional CISOs I trust at the £3k–£12k/month band, in the UK and EU. Ask me on the call and I will make introductions. The first call is free either way.


Considering a Cyber and AI NED appointment? The fastest way to know if there's a fit is a 30-minute call. See how to engage me for the process, or just go straight to the contact form with "NED enquiry" in the subject line.