You've hit the size where security, compliance, and AI governance can't be a side-of-desk task anymore. The sales team is fielding security questionnaires that nobody owns. The board wants to know who's accountable. But you're not ready to put 1.2 to 1.8 million DKK a year plus stock into a full-time Head of Security, and the Big 4 quotes you get back make you laugh and then quietly panic.
Fractional security leadership has become a real option in the Nordic market over the last few years. Whether it fits your specific situation is a different question. This article is the honest answer, written by someone who runs a fractional practice and who will still tell you directly when fractional is the wrong call.
What “fractional” actually means
The word gets used loosely, so it's worth being precise. A fractional security leader is a named senior practitioner who is embedded in your leadership structure, accountable for outcomes, and engaged on an ongoing basis at a defined fraction of a full-time role. Typical scope is 0.2 to 0.4 FTE for a security-only remit, and 0.3 to 0.6 FTE when the role extends to CTO or CIO territory with infrastructure, vendor management, and engineering leadership in it.
The word “embedded” is doing real work in that definition. It means the fractional shows up in your systems (your Slack, your wiki, your calendar), knows your product and your customers by name, has sat through enough of your leadership meetings to understand the tone, and can make judgement calls without having to ask a dozen context questions first. Embedded is what you're paying for and what distinguishes this model from most alternatives.
That is different from several other things people sometimes lump into the same bucket:
- A consulting project has a fixed scope, a fixed end date, and a deliverable. A fractional engagement is a continuing relationship. You can have the same person deliver a project and then stay on fractionally, but the two modes are structurally different.
- An advisory board seat is typically a few hours a month of strategic input, paid in equity or a small cash retainer. The advisor is not accountable for day-to-day outcomes and not expected to be in the room when things go wrong.
- CISO-as-a-service from a vendor usually means a rotating team of practitioners doing standardised work against a menu of services. You get coverage. You do not get a named person who knows your business.
- Interim leadership is a temporary full-time role, often during a gap between a departure and a new hire. An interim CISO works 4-5 days a week for 3-9 months and then leaves. Different economics, different commitment.
A real fractional arrangement sits between an advisor and an interim. You get a named, senior, accountable individual who is present enough to own outcomes and who is scoped deliberately so that the cost makes sense for your stage.
When fractional is the right model
The pattern I see most often in companies where fractional fits cleanly looks something like this:
- You're between 40 and 250 staff. Below 40, you often don't have enough going on to justify a senior outside operator -- a good MSP and a sharp internal generalist can carry you. Above 250, the volume of concurrent programs usually demands a full-time owner.
- You're selling into enterprise or a regulated market. Your buyers are asking for ISO 27001, SOC 2, NIS2 alignment, or DORA readiness. Someone has to own those conversations and the programs behind them, and that someone needs gravitas with auditors and enterprise security teams.
- You have one to three clear workstreams that need senior ownership. ISO 27001 certification. Incident response maturity. A compliance program build. AI governance. Cloud cost and security posture. Clear scope is what makes fractional efficient.
- Your board wants senior accountability. They need to see a name attached to security and a plan they can stress-test, and they're not satisfied with “the CTO also looks after this when she has time.”
- You can't yet justify or can't yet recruit a full-time hire. Either the economics don't work (the work is real but doesn't fill a week), or the talent market is tight and you'd rather not make a rushed permanent decision.
- You want to build internal capability rather than rent external capability forever. A good fractional should be actively transferring knowledge and writing things down so the engagement doesn't become load-bearing indefinitely.
If four or more of those apply to you, fractional is probably worth a serious conversation. If fewer than three apply, you likely need a different shape of help -- possibly a project, possibly an advisor, possibly just a good contract with an MSP and an hour a month of someone senior to stress-test your plan.
One pattern worth calling out specifically for the Nordic market: Danish and broader Nordic buyers tend to expect directness and are generally comfortable with a consultant who pushes back, questions the brief, and says “no” when no is the right answer. That cultural baseline is an advantage for a well-run fractional practice and a disadvantage for the kind of operator who survives by telling clients what they want to hear. Use it. If a prospective fractional seems to soften their language the moment you disagree with them, that's information.
When fractional is NOT the right model
This is the section that matters most, and it's the one you should hold me to. A fractional practitioner who won't name the situations where they're the wrong answer is a practitioner who will sell you a contract you shouldn't sign.
Do not hire a fractional in the following situations:
- You are in the middle of an active breach or major incident. Incident command is a full-time job while it's happening. You need someone in the chair from early morning to late evening, making decisions, coordinating with legal, regulators, insurers, customers, and forensics. A fractional at 0.3 FTE cannot do that. Bring in an incident response retainer or an interim, run the incident hard, then think about fractional for the after-action work.
- You are regulated with dedicated-function or seniority expectations your fractional cannot meet. Financial institutions under DORA (Regulation (EU) 2022/2554) must maintain an ICT risk management function that is organisationally segregated and independent from operational IT functions, per Article 6(4), with a simplified regime under Article 16 for smaller entities. DORA does not mandate a full-time CISO title, but for most in-scope firms above the micro-enterprise threshold a fractional arrangement will not meet the independence and seniority expectations regulators apply. Similar dedicated-officer expectations exist under specific payment-services and critical-infrastructure regimes. Do not try to paper over that with a fractional title. Regulators read contracts.
- Your real need is 24/7 operational ownership. SOC alert triage, on-call rotations for production security events, threat hunting around the clock -- that is a team and tooling problem, not a leadership problem. Use an MSSP or build a small internal team. A fractional can help you architect and govern it, but they are not the pager holder.
- You are above 300 staff with several concurrent major programs. In my experience, fractional capacity tops out here for most senior practitioners. Beyond that size, the number of meetings, stakeholders, decisions, and concurrent workstreams outgrows what a 0.3-0.5 FTE role can credibly cover. If you force it, something gets dropped.
- You need daily hands-on line management of junior staff. Fractional is senior accountability and program ownership, not daily people management. If your real gap is a manager who runs stand-ups, does 1:1s three times a week, reviews pull requests, and coaches juniors through their first incident, hire that manager. Fractional can help you scope the role and interview candidates.
- Your board demands a full-time hire as an investor or regulator signal. Sometimes the political requirement is the requirement. If a lead investor will only fund the next round when there's a full-time CISO on the org chart, you don't need a reasoned debate about organisational design. You need to hire.
If any of these apply to you, a fractional engagement is the wrong instrument, and a fractional who agrees to take your money anyway is telling you something about how they run their practice.
What good fractional looks like day to day
Assuming the fit is right, here is what you should expect the working relationship to actually look like. This is the part that often surprises first-time buyers.
You'll have a regular rhythm. Typically a weekly or bi-weekly working session with the executive sponsor (CEO or CTO), plus scheduled time with the relevant leads -- engineering, operations, sales enablement on security questionnaires, people ops on training. Between sessions, there's async availability on Slack or Teams within stated hours, and escalation paths for actual urgency.
The fractional should be in your leadership conversations, not parked on the side. That means showing up to the monthly management meeting when security, risk, or compliance is on the agenda, being copied into vendor negotiations that have a security dimension, and having standing invites to the parts of board prep that concern the remit. Not everything. The relevant parts.
Ownership is on outcomes, not hours. A good fractional does not send you a timesheet. They work against a scoped set of outcomes -- for example, “ISO 27001 stage 1 pass by end of Q3, measurable reduction in inherited technical risk, documented incident response process with two rehearsals completed.” If they need more hours one month and fewer the next, that's the deal.
Ask what happens if they're out for two weeks. A serious practitioner has a specific answer: a named peer they can route work to, an explicit principal-incapacity transition clause in the SOW, or an engagement scoped so it doesn't depend on someone being on call 24/7. All three are legitimate. Vague hand-waving is the red flag. Specificity, in whatever form, is what matters.
They write things down. This is one of the real differentiators between a fractional who is building capability and one who is building dependence. The policies, the runbooks, the decision log, the risk register, the vendor assessments -- these live in your systems, in your language, maintained so they outlive the engagement. You should be able to fire your fractional and keep operating. A practitioner who keeps the important context in their own head, their own notes, and their own templates is selling you lock-in, not leadership.
And when you're ready to hire full-time, they help. They write the job description, sit on the interview panel, do reference calls, and plan the handover. A fractional who resists you hiring your first full-time security lead is a fractional with the wrong incentive structure.
Red flags when evaluating a fractional practitioner
The Nordic market for fractional leadership has grown fast enough that the bar is uneven. Here are the patterns I'd reject on.
- Hourly billing dressed up as a retainer. If the proposal says “40 hours per month at 1,500 DKK per hour,” that is consulting. It has no outcome commitment, no cover arrangement, and no skin in the game. You'll end up in quarterly haggles about whether last month's extra hours should roll over.
- No clear answer on principal-incapacity. Ask directly: “What happens if you're out for two weeks?” A good answer names the mechanism -- a peer, an SOW transition clause, or a scope boundary. A shrug or “I never get sick” is the single point of failure they're supposed to help you remove, not replicate.
- Identical messaging to every prospect. If their proposal to you reads like the same document with your logo swapped in, they're not going to do customised thinking for you either. You want to see evidence they've actually thought about your stage, your market, and your specific constraints.
- The “our team will support you” model. If a senior pitches the sale and then hands the delivery to a rotating cast of juniors, you are paying senior prices for junior labour. That's a consultancy, not a fractional. Insist on a named individual with named backup.
- Unwilling to show a named reference. A fractional operating in the Nordics for any length of time has clients who will take a reference call. If they're evasive about this, that's your answer.
- The 20,000 DKK a month offer. At that price point, somebody is either starving, desperate, or pricing a short project as a “retainer” to get the foot in the door. Senior fractional work in the Danish market typically sits between 55,000 and 110,000 DKK per month, depending on scope and seniority. Significantly below that range, something is off.
- No professional indemnity insurance. Ask for the limit and the certificate. Any serious independent operating in this space carries PI cover sized to realistic engagement risk; exact figures vary by jurisdiction, engagement scope, and carrier terms. No insurance at all means no accountability structure behind the title.
- Can't articulate when they wouldn't recommend themselves. This is the cleanest filter. Ask: “In what situations would you tell a prospect you're the wrong fit?” If they can't give you a specific, credible answer in under 30 seconds, they either haven't thought about it or they're unwilling to say it out loud. Both are problems.
Honest cost comparison
The economics shift a lot depending on size. The table below is rough but directionally honest for a Danish B2B SaaS around 100 staff, selling to enterprise, running ISO 27001 and some AI governance work in parallel. All figures in DKK, all-in annual cost, first-year view.
| Option | Annual all-in cost | Time to productive | Ongoing accountability |
|---|---|---|---|
| Full-time Head of Security (permanent) | 1.2M -- 1.8M | 3 -- 6 months | Full, but carries hiring risk |
| Fractional security leader (Standard retainer) | 600K -- 850K | 2 -- 4 weeks | Named, scoped to retainer level |
| Fractional security leader (Executive retainer) | 900K -- 1.2M | 2 -- 4 weeks | Named, broader scope, more access |
| Big 4 permanent advisory setup | 800K -- 2M+ | 4 -- 8 weeks | Rotating team, limited continuity |
| Ad-hoc consulting projects (year view) | 400K -- 1.5M | Per project | None between projects |
A few things are hidden in those numbers and worth pulling out.
The full-time number includes salary, pension, benefits, a realistic equity grant for a senior technical hire, recruiter fees (typically 20-25% of first-year salary through a specialist firm), and the productivity cost of the first 3-6 months while the person is ramping. Wrong-hire risk is real in senior security roles -- I have seen enough first-year exits in scaling companies to treat it as a material line item, not a tail event -- and the downstream cost of a mis-hire (severance, re-recruitment, lost program momentum) lands around 2 million DKK even in the merciful cases. That's the number you're really comparing fractional against when you model it properly.
The fractional numbers assume a serious independent in the Danish market with the right profile for your stage. Standard retainer means a clearly scoped remit, regular cadence, named cover. Executive retainer means broader access, more hours, deeper involvement in board and investor conversations. Below 55K DKK a month, you are outside the range where you can expect this shape of engagement from a credible senior practitioner.
The Big 4 number is the one that surprises people most. If you try to run a permanent advisory arrangement with one of the large firms, expect senior-partner hours billed at 3,500-5,000 DKK each, manager and consultant hours layered in, and a minimum engagement size that quickly lands you above 800K DKK a year. The work product is often excellent on narrow technical scopes and weak on embedded leadership.
The point of the table is not that fractional is always cheapest. It's that the realistic alternatives are closer together than people assume, and the right question is fit, not just price.
The transition to a full-time hire
If fractional is doing its job, there should come a point where the work has grown to justify a full-time owner. Your revenue has grown, the regulatory surface has expanded, the team has scaled. You're now at 180 staff, three active compliance frameworks, an AI product that needs governance you can defend, and a board conversation that is monthly rather than quarterly. Fractional is running hot. It's time.
A good transition looks like this. The fractional starts the conversation -- you shouldn't have to. They help you write the job description, grounded in the work that's actually been happening, not a generic template. They help you assess the market, set the comp range realistically, and decide whether to go search or inbound. They sit on your interview panel and do reference calls. They write a handover document that covers active programs, key relationships, open decisions, and lessons learned. And when the new Head of Security starts, the fractional is around for 4-8 weeks in a reduced capacity to transfer context and then steps out cleanly.
The red flag in this phase is a fractional who keeps finding reasons you're not quite ready yet. Who subtly scopes new workstreams that conveniently require their involvement. Who's vague about the end state. Fractional engagements have a natural lifespan -- usually 12-30 months depending on the starting point -- and a practitioner who has internalised that will tell you when they think the end is approaching rather than waiting for you to raise it.
It's also fair to end a fractional engagement and not hire full-time. Sometimes the work genuinely gets to steady state and can be maintained by your existing leadership plus targeted project help. A good fractional will tell you that too.
And there's a third option people forget: downgrading rather than ending. You might go from 0.4 FTE to 0.15 FTE once the heavy lifting is done, keeping your fractional on a lighter advisory retainer for the monthly management meeting, the quarterly board prep, the annual audit cycle, and the occasional incident or major vendor decision. That kind of long tail is useful, and it costs a fraction of a fraction. But only agree to it if the scope is genuinely smaller, not if it's a polite fiction to keep the invoice alive.
What to ask before you sign
If you're evaluating a fractional practitioner, use these questions in your scoping call. They're designed to surface the things proposals don't cover.
- Who is my named backup, and when have you last used that arrangement? You're looking for a specific person and a real example. If the answer is abstract, the arrangement probably isn't real.
- What is your professional indemnity insurance limit, and can you share the certificate? Serious independents will send it without hesitation.
- What's your engagement exit clause? Notice period in both directions, what happens to work product, handover expectations, confidentiality after exit. Read the contract, not the proposal.
- Can you show me a scope document from another engagement, redacted? You're checking whether they actually write scope documents and whether those documents look like thinking rather than boilerplate.
- What would make you tell me, on this call, that I'm not the right fit for you? This is the best single question in the list. The answer tells you whether they've thought about the edges of their own practice.
- How do you charge for outcomes versus hours, and what happens when scope changes? You want a clear model, a simple change control process, and no nickel-and-diming.
- Who else would you recommend I talk to, including people who are not you? A practitioner who can't name two or three credible alternatives -- fractional or otherwise -- is probably not well connected to the market you're operating in.
If the answers to those seven questions are concrete, specific, and comfortable to give, you're probably talking to someone real. If the answers are vague, defensive, or rehearsed, keep looking.
Closing
Fractional security leadership is a good answer when the fit is right. It is a bad answer when it's being used to paper over a problem that needs a different shape of response. The difference matters, and the difference is not subtle once you look at it honestly.
If you want to talk through whether fractional makes sense for your specific situation -- or whether a different option would fit better -- you can book a 30-minute scoping call. I'd rather tell you “not a fit” on that call than sell you something that doesn't work. The reference calls you take from my current and former clients will tell you whether I mean it.
Related reading
Cloud cost drift: how a doubled Azure bill tells a governance story covers an engagement area that often comes into fractional scope alongside security and compliance: cloud governance and cost discipline. When one person owns both, the operating model is more coherent and the evidence trail for auditors is cleaner.
AI readiness is not data readiness covers the AI governance work that increasingly falls within a fractional security leader's remit: AI inventory, role classification, vendor due diligence, and board-level reporting. If your fractional remit includes AI governance, this article explains what good looks like at your stage.