Interim and Fractional CIO and CISO: the complete guide

Everything a board, CEO or CFO needs to know about interim and fractional technology leadership: what it is, what it costs in the UK, when to use it (and when not to), and how to choose. Written for mid-market, private-equity-backed and not-for-profit organisations.

Start here: what brought you

Our IT director just resigned. What are our options?

You have three realistic options: launch a permanent search, which takes three to six months and leaves a leadership gap; promote someone internal who may not yet operate at board level; or bring in an interim or fractional CIO who can step in within days. An interim CIO covers the gap at full pace, while a fractional CIO gives you ongoing board-level leadership without a permanent hire. The free Technology Leadership Gap assessment shows exactly what the departure has left exposed.

We have just acquired a business. Who owns integrating the technology?

Someone accountable, not a committee. Post-acquisition technology integration is where deal value quietly leaks: duplicated systems, uncontrolled spend, security gaps and stalled synergies. An interim or fractional CIO can own the integration end to end, framed in EBITDA terms. If a deal is still live, technology due diligence tells you what you are buying before you sign.

The board asked about our cyber risk and nobody could answer. What now?

That silence is the risk. Boards are increasingly expected to govern cyber actively rather than delegate it and hope. Start by scoring yourself against the free Board Cyber Governance assessment, which measures you against all 22 actions of the UK Cyber Governance Code of Practice. A fractional CISO then gives the board a cyber position it can actually explain.

A permanent CIO search has stalled. What do we do in the meantime?

Put an interim CIO in now. A senior search can take six months, and the role does not pause while you wait. An interim CIO holds the seat at full pace, keeps programmes moving, and can even help you define and assess the permanent hire. You lose no momentum and carry no employment risk.

We are a charity and our only IT person has just left.

You are not alone, and a full-time CIO is rarely the answer on a not-for-profit budget. A fractional CIO gives you senior technology leadership for one to two days a week: enough to set direction, manage suppliers, protect your data and meet funder requirements, without the cost of a permanent executive. There is more in the not-for-profit section below.

We know something is wrong with our technology but cannot name it. Where do we start?

With a diagnosis, not a hire. Most organisations feel the symptom (rising cost, slipping projects, nagging risk) without knowing the cause. The free Technology Health Check scores you across eight dimensions in a few minutes and tells you where the real problem is, and whether a fractional CIO is even the right answer.

What it is: roles and definitions

What is a fractional CIO?

A fractional CIO is a senior technology leader who runs your technology at board level on a part-time, ongoing basis, typically one to three days a week. You get someone who has led technology at scale, embedded in your business within days and accountable for outcomes, without a six-month search, a six-figure salary or the employment risk. “Fractional” describes the time commitment, not the seniority.

What is a fractional CISO?

A fractional CISO is the security equivalent: a board-level Chief Information Security Officer on a part-time basis, owning your cyber strategy, risk and compliance. They translate technical risk into language a board can act on, lead your response to incidents and regulators, and steer certifications such as Cyber Essentials and ISO 27001. Many mid-market organisations need this judgement without a full-time appointment.

What does a fractional CIO actually do in the first 30, 60 and 90 days?

In the first 30 days they map the estate, contracts, spend and risks, and find the early savings. By 60 days they have a costed, prioritised roadmap the board has seen. By 90 days delivery is under way and you can judge them on results. The work is concentrated and accountable, not advisory. See how we work for the full method.

CIO vs CTO vs CISO: which one do I need?

A CIO owns enterprise technology end to end: strategy, data and AI, cyber and risk, suppliers and spend, and is accountable at board level for turning it into business outcomes, not just keeping the lights on. A CTO owns the technology you sell: product and engineering. A CISO owns security and compliance. Most mid-market and non-tech businesses need a CIO first, often with CISO responsibilities folded in, which is why a combined CIO and CISO is increasingly the practical answer.

CIO vs CTO vs CISO
Role | Owns | Focus | Who needs it
CIO | The technology the business runs on | Systems, data, suppliers, cost, risk | Most mid-market and non-tech firms
CTO | The technology you sell | Product, engineering, architecture | Software and product businesses
CISO | Security and compliance | Cyber risk, regulation, certification | Regulated and data-heavy firms

What is an interim CIO?

An interim CIO is a senior technology leader engaged at full-time pace for a defined period, usually three to twelve months, to cover a departure, lead a major programme or steady leadership through change. Unlike a fractional CIO, who is ongoing and part-time, an interim is temporary and intensive. Both give you board-level capability without a permanent hire.

Interim or fractional: which do I need?

Use interim when you need full-time leadership for a fixed period: a sudden departure, an urgent transformation, a post-deal integration. Use fractional when you need ongoing board-level direction but not a full-time role: steady governance, supplier management and strategy a day or two a week. The costly mistake is hiring one when you needed the other.

What is a vCIO, and how is it different?

A virtual CIO (vCIO) is usually light-touch and advisory, often provided by your IT supplier or managed service provider as part of a contract. The difference that matters: a vCIO advises, an interim or fractional CIO leads, and an MSP-provided vCIO may have an interest in selling you more of the provider’s services. Independent leadership has nothing to sell you but the outcome.

Interim vs fractional vs vCIO vs IT director vs permanent
Model | Time | Duration | Best for | Relative cost
Interim CIO | Full-time pace | 3 to 12 months | Departures, urgent programmes, integration | Higher day rate, fixed term
Fractional CIO | 1 to 3 days a week | Ongoing | Board-level direction without a full-time role | About 20 to 30% of permanent
vCIO | Light, advisory | Ongoing | Roadmap and oversight, often via an MSP | Low
IT director | Full-time | Permanent | Day-to-day operations and team management | Full salary
Permanent CIO | Full-time | Permanent | A genuine full-time strategic role | £160k to £300k+ loaded

When to use one, and when not to

When should I hire an interim or fractional CIO or CISO?

When technology decisions are being made without the right expertise in the room. The common signals: a leadership gap or departure; a stalled or over-budget programme; rising cyber and compliance risk that no one owns; an acquisition or exit on the horizon; an IT manager out of their depth; or a board that cannot get straight answers about technology. If two or more sound familiar, it is time.

When is a fractional CIO the wrong answer?

When the role genuinely needs someone full-time, every day, line-managing a large internal team. If you have fifty or more IT staff needing daily operational direction, hire a permanent CIO or a strong IT director. Fractional and interim leadership is for strategy, governance and direction, not full-time operational supervision. We will tell you honestly if that is what you need.

Does a mid-market business really need a CIO?

It needs CIO-level judgement, which is not the same as a full-time CIO. Most mid-market firms have an IT manager keeping the lights on but no one owning the strategic half: cost, risk, vendor leverage, board reporting and direction. That gap is exactly what fractional leadership fills. The Technology Leadership Gap assessment shows whether the strategic half is being done.

Fractional vs full-time CIO: how do I decide?

Decide on whether the role is full-time work. If there is genuinely a full day, every day, of board-level technology leadership to do, hire permanently. If the strategic work is real but part-time, a fractional CIO gives you the same seniority at a fraction of the cost and risk, and you can always step up to permanent later. Most mid-market businesses are in the second case.

What it costs, and how engagements work

How much does a fractional CIO cost in the UK?

As a market guide, UK fractional CIO day rates typically run from around £800 to £2,000 a day depending on seniority and complexity, which at two days a week is roughly £6,400 to £16,000 a month. Compare that with £160,000 to £300,000-plus for a permanent CIO once national insurance, pension, bonus and recruitment are loaded in. Starkhorn scopes each engagement to the work; ask for an indicative figure in a conversation.

How much does an interim CIO cost in the UK?

Interim CIO day rates are typically higher than fractional, reflecting the full-time pace, and commonly fall between around £700 and £2,500 a day by sector and complexity, for a defined three to twelve month term. You are paying for intensity over a fixed period rather than ongoing part-time leadership.

How does that compare with a full-time hire?

A fractional CIO usually costs roughly 20 to 30 per cent of a permanent CIO’s fully-loaded cost, with no recruitment lag, no notice-period exposure and no redundancy risk. You also avoid the six-month search during which the seat sits empty. The saving is real, but the bigger advantage is speed and flexibility.

What is the return on investment?

It often pays for itself early. Most engagements identify vendor and licensing savings in the first weeks that exceed the cost of the first month, before any strategic value. Beyond that, the return shows up as controlled spend, reduced risk, faster delivery and, for private-equity-backed firms, EBITDA you can defend at exit.

What engagement models are there?

Three common shapes: a fractional retainer (a set number of days a week, ongoing); an interim engagement (full-time pace, fixed term); and a fixed-scope project, such as a due diligence or a remediation. The right model depends on whether your need is ongoing direction, urgent cover or a defined piece of work.

Is an interim or fractional CIO inside or outside IR35?

It depends on the working arrangement, not the label. Genuinely independent engagements, where the leader controls how the work is done and serves multiple clients, are often outside IR35, but each engagement should be assessed on its own facts. Take advice rather than assume.

How quickly can one start, and how long do engagements last?

Days, not months. An interim or fractional CIO can usually start within a week or two, against a typical permanent search of three to six months. Fractional engagements often run twelve to thirty-six months; interim engagements three to twelve. The point of the model is speed without long-term lock-in.

CIO and CISO, cyber and compliance

Do I need a CIO or a CISO?

Often both, which is why combining them in one leader is increasingly the practical answer for mid-market firms. A CIO owns technology direction and cost; a CISO owns security and compliance. Splitting them across two part-time hires creates seams; one leader who carries both closes the gap, especially for regulated businesses facing FCA, ICO or Cyber Essentials pressure alongside transformation.

What is the UK Cyber Governance Code of Practice, and does it apply to us?

It is the UK government and NCSC framework setting out what boards are expected to do to govern cyber risk, built around five principles and 22 specific actions. It applies to any board that wants to demonstrate it is taking cyber seriously, and it is fast becoming the benchmark. Score yourself free against all 22 actions with the Board Cyber Governance assessment.

Cyber Essentials vs Cyber Essentials Plus: what is the difference and which do we need?

Cyber Essentials is a self-assessed certification against five technical controls; Cyber Essentials Plus is the same controls verified by a hands-on technical audit. Plus carries more weight and is increasingly required for government contracts, larger tenders and some insurance. Check your readiness with the free Cyber Essentials and Cyber Essentials Plus assessments.

vCISO vs fractional CISO: what is the difference?

They overlap, but a vCISO is often lighter and more advisory, while a fractional CISO takes genuine leadership accountability for your security programme. If you need someone to own cyber risk, lead the board conversation and answer to regulators and insurers, that is a fractional CISO, not a part-time adviser.

How does a fractional CISO help with cyber insurance, FCA, ICO and ISO 27001?

By turning compliance from a scramble into a managed position. A fractional CISO builds the controls, evidence and governance that insurers and regulators expect, leads certifications such as ISO 27001 and Cyber Essentials, and gives you a defensible risk narrative. For FCA-regulated and data-heavy firms, that judgement is hard to run without.

For private equity

Why do PE-backed businesses use an interim or fractional CIO?

Because technology either accelerates the value-creation plan or quietly undermines it, and most portfolio companies cannot justify a full-time CIO. A fractional or interim CIO gives the board senior technology leadership tied to EBITDA: controlling spend, capturing integration synergies and de-risking the exit. See the private equity page for detail.

What is technology due diligence, and when do we need it?

Technology due diligence is an investment-grade assessment of a target’s technology before you buy: architecture, security, technical debt, licensing, team and integration cost. You need it on any deal where technology is material, which is most of them. Done well, it tells you what you are really buying and typically surfaces several times its fee in recoverable value. See technology due diligence.

How does a fractional CIO support value creation and exit readiness?

By making technology an asset in the data room rather than a red flag. Through the hold, they control cost and capture synergies; approaching exit, they ensure the technology story stands up to a buyer’s diligence and that nothing undermines the multiple. The aim is technology that shows up in EBITDA, not just on the balance sheet.

For not-for-profits and charities

Do charities and not-for-profits use interim or fractional CIOs?

Increasingly, yes, and the model suits them especially well. A not-for-profit rarely has the budget for a full-time CIO but still faces real technology demands: protecting sensitive data, meeting funder and grant requirements, modernising legacy systems and governing risk. Fractional and interim leadership gives them senior judgement for one or two days a week.

Why does the interim or fractional model suit not-for-profits especially well?

Because it converts a cost they cannot justify into one they can. The strategic technology work in a charity is real but rarely full-time, so paying for a fraction of a senior leader is exactly right. It also brings independence and cross-sector experience that a single in-house hire cannot, which matters to trustees and funders.

What do charity trustees and boards need to know about technology and cyber?

That they are accountable for it, including data protection and cyber risk, under Charity Commission expectations and the law, and that many funders and contracts now require Cyber Essentials. A fractional CIO or CISO helps trustees meet those duties, protect beneficiaries’ data and spend limited technology budgets well. Daniel has served as a non-executive director on the board of one of the UK’s largest charities.

AI readiness and governance

Are we ready for AI, and how would we know?

Most organisations are less ready than they think, and the waste shows up before the value does. Readiness is less about tools and more about data, governance, skills and choosing the right use cases. The free AI Readiness Check shows where your AI spend would get wasted first and the one thing to fix before buying anything.

What is AI governance, and why does the CIO or CISO own it?

AI governance is making sure AI is adopted safely, legally and with control over cost and data, rather than spreading through teams unchecked. It sits with the CIO and CISO because the risks are theirs: confidential data exposed to public tools, unmanaged spend, and decisions made by systems no one is accountable for. A fractional CIO and CISO puts the guardrails in before the problems appear.

How to choose and evaluate

What questions should I ask before hiring an interim or fractional CIO?

Ask: Have you held the CIO or CISO role yourself, and at what scale? Will you be hands-on and accountable, or just advising? How will you report to the board and measure success? Are you independent, with nothing to sell me beyond the outcome? And, honestly, is a fractional leader even what I need? A provider confident in its answers will not flinch at the last one.

What experience and qualifications should an interim or fractional CIO have?

Real CIO or CISO tenure, at board level, across more than one organisation, with delivery you can point to: cost taken out, programmes landed, risk reduced, exits supported. Relevant membership, such as the Institute of Interim Management, and a track record of published thinking are good signs. Ask for specifics, not adjectives.

Through a firm or bench vs an independent: what is the difference?

A bench pairs you with one of many leaders, sometimes a different one each time, and the firm takes a margin. An independent gives you the same named leader throughout: the person who assessed your business stays to deliver the change. For continuity and accountability, the same senior person from first call to final handover is hard to beat.

How will an interim or fractional CIO measure success and report to the board?

Against outcomes, not activity. Expect clear metrics from the start (savings captured, risks closed, programmes delivered, capability built) and board-ready reporting in commercial language, not technical detail. The right measure of success is a business that is measurably stronger, and eventually one that no longer needs them.

Working with Starkhorn

How does Starkhorn work?

Through a method we call Embed-to-Independence: we do not advise and leave, we embed senior CIO and CISO leadership, deliver the outcomes, and build your internal capability until the business runs without us. It runs in four phases, Discover, Diagnose, Deliver and Sustain, and it is measured by the day you no longer need us. See how we work.

What does the first 30 to 90 days deliver?

A clear picture and early proof. Within 30 days you have the estate mapped, the risks named and the first savings found; by 90 days a board-approved roadmap is in delivery and you can judge the work on results. We are confident enough to be measured on those first 90 days.

How do we get started?

Two low-commitment ways. Take a free assessment, starting with the Technology Health Check, to see where you stand; or book a conversation, a short, no-pressure call where we will tell you honestly whether we can help and what the first steps look like. No long forms, no pitch.

Not sure where to start?

Take the free Technology Health Check to see where you stand, or book a short, no-pressure conversation.