Should Your First Security Hire Be a CISO or Engineer?
You’ve decided to invest in security. Now you need to figure out who to hire first. A security leader to build the strategy? An engineer to do the actual work? Some hybrid role that tries to do both?
For companies between 100 and 600 employees, the answer is usually the same: start with fractional security leadership, then hire a hands-on security engineer as your first full-time security headcount.
Here’s why that model works.
The Economics of Security Leadership
A full-time senior CISO costs $350K+ in total compensation. That’s a significant investment for a mid-market company, and it’s heavily weighted toward strategy and leadership rather than execution.
Security programs need both. You need someone who can build the security roadmap, work with the management team, handle external stakeholders, and make strategic decisions. You also need someone who is hands-on keyboard: actually configuring tools, responding to alerts, and implementing controls.
Hiring a $350K leader who then has nobody to execute their strategy doesn’t make sense. The strategy piles up on the engineering team, who are supposed to be building product.
A fractional CISO at $10-15K monthly gives you the leadership piece. The savings versus a full-time hire can fund a full-time security engineer who actually does the work.
What the Fractional Model Looks Like
The fractional CISO builds the security program: roadmap, budget, priorities, governance. They work with the executive team, handle board-level conversations, and interface with customers and auditors. They lean on existing resources to execute. IT handles some work, engineering handles some, and the fractional CISO coordinates and directs, but they’re not doing the hands-on implementation.
At some point, the execution burden on those teams becomes too great. Engineering is spending too much time on security instead of product. The IT person is overwhelmed. That’s when you hire your first full-time security person.
And that person should be a security engineer, not another manager.
The Right First Full-Time Hire
Your first security headcount should be close to the source of risk.
If you’re delivering applications through the cloud (most companies we work with), that means someone who can:
- Build and operate vulnerability management
- Configure and tune security tools
- Work in the DevOps and product security space
- Partner with IT on basic infrastructure security
- Execute the roadmap the CISO builds
This person is hands-on. They’re configuring the EDR, connecting it to the MDR, tuning alerts, running scans. They’re the execution engine that makes the security program actually function.
If you’re heavily compliance-driven (multiple frameworks, regulated industry, know-your-customer requirements), your first hire might be a GRC specialist instead, someone to manage evidence collection, coordinate audits, and maintain compliance documentation. But for most companies, the security engineer is the right choice.
The Top-Heavy Trap
The instinct is often to hire a security leader first. Someone senior who “owns” security and takes it off the executive team’s plate.
This creates problems. A full-time security leader without a team becomes another person telling engineering what to do. All the work still piles up on the same people, and you’ve added management overhead without adding execution capacity. Too many chiefs, not enough people doing the work.
The engineering team eventually makes the ROI case: “We have three engineers each spending a third of their time on security tasks. If we had a full-time security engineer, we could focus on product development.” That case is easy to make. The case for another manager is harder.
When Full-Time Leadership Makes Sense
The fractional model has limits. At some point, you need dedicated leadership. Signs you’ve outgrown fractional:
- Security program complexity requires daily executive attention
- Board and customer interactions need a full-time face
- You’re building a security team (multiple hires)
- Regulatory requirements demand dedicated leadership
- The fractional hours needed approach full-time cost
The transition usually happens as companies scale past 500-600 employees, or when compliance and customer requirements reach a threshold where security becomes a significant organizational function rather than a support function.
But most mid-market companies aren’t there. They need strategic direction and execution capacity. The fractional + engineer model provides both at reasonable cost.
The Staffing Progression
A typical progression for mid-market companies:
Stage 1: Fractional CISO only
- Leadership builds program, coordinates existing resources
- Engineering and IT execute security tasks
- Works until execution burden becomes too heavy

Stage 2: Fractional CISO + security engineer
- Engineer handles hands-on execution
- Fractional provides strategy and external interface
- Most companies stay here for a while

Stage 3: Fractional CISO + small team
- Add GRC specialist if compliance is heavy
- Add product security if engineering is large
- Fractional still provides leadership

Stage 4: Full-time CISO + team
- Program complexity justifies dedicated leadership
- Typically 500+ employees
- Full security organization
The companies that handle this well don’t rush to full-time leadership. They invest in execution capacity first, get strategic direction from experienced fractional leadership, and scale the team as the business requires.