Eleven days. That is how long a 280-person manufacturing company in the Hudson Valley sat with locked systems, stalled production lines, and a ransomware operator waiting on the other end of an encrypted chat. When the recovery was complete—backups restored, endpoints rebuilt, a forensics firm paid to confirm the threat actor was gone—the total cost landed at $340,000. The company's cyber insurance covered a portion of it. The deductible, lost contracts, and overtime hours did not appear anywhere in the policy summary they had reviewed during renewal. The CISO they hired afterward costs $15,000 a year.
That figure—$15,000—tends to stop business owners mid-sentence when I say it. They have spent the previous part of the conversation explaining that security leadership is out of their budget, that full-time CISOs are for enterprises, that they are doing fine with their IT provider handling things. Then I show them the math. Not the math of what a fractional CISO costs. The math of what the absence of one costs.
This is not an argument for spending money on security because regulators require it or because a vendor told you to. It is an argument built on a single data point that every SMB owner should be able to recite: the average total cost of a data breach reached $4.88 million in 2024, according to IBM's annual Cost of a Data Breach Report (Ponemon Institute & IBM Security, 2024); the same report's figure for organizations under 500 employees, $3.31 million, is discussed below. That number is not a scare tactic. It is an actuarial figure. And for most businesses in the 50–500 employee range, it is a company-ending number.
The Staffing Math Nobody Does
When SMB owners think about security leadership, the mental model is usually a full-time senior hire: salary, benefits, bonus, equity if applicable. That model prices most of them out immediately. A CISO with genuine enterprise experience commands $250,000 to $350,000 in total compensation in major markets. In the Hudson Valley and broader Northeast, the range is closer to $200,000 to $280,000 for someone who has actually run a security program rather than managed a small IT team. Add employer-side payroll taxes, health insurance, 401(k) match, and professional development, and you are looking at a fully loaded cost of $240,000 to $320,000 for a single hire.
For a 280-person manufacturer with $45 million in annual revenue, that number does not survive the budget conversation. So the decision, in most cases, is not "full-time CISO vs. fractional CISO." It is "fractional CISO vs. no dedicated security leadership at all." That is the actual choice on the table, and it has a knowable cost.
| Model | Annual Cost | Security Hours/Month | Strategic Oversight |
|---|---|---|---|
| Full-Time CISO | $240,000–$320,000 | 160+ hrs | Yes—if you can attract and retain one |
| Fractional CISO | $12,000–$20,000 | 8–12 hrs | Yes—strategic leadership, not ticket-closing |
| IT Provider "Handling It" | $0 additional | Reactive only | No—infrastructure management, not risk governance |
| No Security Leadership | $0 until incident | 0 hrs | No—and the average breach costs $4.88M (IBM, 2024) |
The IT provider comparison deserves particular attention. Managed service providers do excellent work within their scope: uptime, patching, helpdesk, infrastructure. What they are not doing—and most will tell you directly if you ask—is building a security program. They are not running vendor risk assessments, reviewing cyber insurance adequacy, preparing you for a SOC 2 audit, building an incident response plan, or presenting security posture to your board. Those are CISO functions, and MSPs are not paid or structured to perform them.
What Happened in Eleven Days
The Hudson Valley manufacturer—I will call them Ridgeline Industrial, though that is not their name—makes precision components for the construction and HVAC industries. Their IT environment was managed by a regional MSP they had used for seven years. The relationship was good. Patching was current on most systems. Endpoint protection was in place. Backups ran nightly to a NAS device on the same network segment as production.
The initial access vector was a phishing email targeting the accounts payable coordinator. The credential capture gave the threat actor access to the company's email environment. Over the following three weeks—before any encryption event—the actor moved laterally, identified the backup location, and mapped the environment. On a Tuesday morning, production systems began locking. The backup NAS was encrypted along with everything else. The ransom demand was $180,000 in cryptocurrency.
The Incident Ledger: Where $340,000 Went
The insurance carrier covered roughly $160,000 of the total incident cost. Ridgeline's CEO told me afterward that he had assumed the policy would cover most of it. He had not read the sublimits. The business interruption coverage had a waiting period and a daily cap. The forensics coverage had a vendor approval requirement that cost them forty-eight hours at the start of the engagement. These are details a CISO would have identified during the annual insurance review. Nobody had done one.
The backup strategy failed not because backups weren't running, but because nobody had asked the right question: what happens if the backup target is on the same network as the systems it's supposed to protect?
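The question above, and the backup and recovery review described later in this post, can be turned into a repeatable check. The following is an added example written for this post, not Ridgeline's or its MSP's tooling; the production subnet, hostnames, addresses and dates are constructed placeholders. It flags a backup target that sits on a production segment, is writable with production credentials, is not immutable, or has never had a restore test, which is the combination that cost Ridgeline its fastest recovery path.

```python
"""Backup exposure review: can a backup target be reached and encrypted from production?
Added example, not Ridgeline's or its MSP's tooling; all addresses and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed production address ranges (an assumption, not from the post).
PRODUCTION_SEGMENTS = [ip_network("10.20.0.0/16")]

@dataclass
class BackupTarget:
    name: str
    address: Optional[str]         # None for object storage with no LAN address
    immutable: bool                # object lock / WORM / offline media
    shares_prod_credentials: bool  # writable with the same accounts production uses
    last_restore_test: Optional[date]

def review_target(t: BackupTarget, today: date = date(2024, 9, 1),
                  max_test_age_days: int = 90) -> List[str]:
    """Return findings for one target; an empty list means every check passed."""
    findings = []
    if t.address is not None and any(ip_address(t.address) in net
                                     for net in PRODUCTION_SEGMENTS):
        findings.append("reachable: target sits on a production segment")
    if not t.immutable:
        findings.append("mutable: anything that can write to it can encrypt or delete it")
    if t.shares_prod_credentials:
        findings.append("shared credentials: a compromised production account reaches it")
    if t.last_restore_test is None:
        findings.append("untested: no recorded restore")
    elif (today - t.last_restore_test).days > max_test_age_days:
        findings.append("stale: last restore test older than %d days" % max_test_age_days)
    return findings

# Constructed inventory: a NAS on the production LAN beside an immutable off-site copy.
SAMPLE_INVENTORY = [
    BackupTarget("nas-backup", "10.20.5.40", False, True, None),
    BackupTarget("offsite-immutable", None, True, False, date(2024, 8, 15)),
]

def review_inventory(targets=SAMPLE_INVENTORY) -> Dict[str, List[str]]:
    """Map each target name to its findings so the result can feed a risk register."""
    return {t.name: review_target(t) for t in targets}

if __name__ == "__main__":
    for name, findings in review_inventory().items():
        print(name + ":", "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

On the constructed inventory the NAS produces four findings and the immutable off-site copy none, which is the review outcome the annual backup architecture check is meant to surface before an incident does.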
Eight to Twelve Hours a Month: What That Actually Buys
The most common skepticism I encounter when discussing fractional CISO engagements is about hours. Eight to twelve hours per month doesn't sound like enough to do anything meaningful. That reaction is understandable if you are thinking of the CISO role as an operational one—someone who closes tickets, monitors alerts, and responds to incidents. That is not what a CISO does. That is what your MSP and security operations tools do.
A CISO's function is strategic and architectural. They decide what the security program looks like, set the risk tolerance framework, ensure the right controls exist in the right places, manage vendor and insurance relationships, and give the executive team honest answers about exposure. Eight to twelve hours a month is sufficient for that work if the CISO has the experience to use those hours efficiently. It is also, by design, augmented by the organization's existing IT resources executing against a clear program.
| Activity | Frequency | Business Outcome |
|---|---|---|
| Security program review & risk register update | Monthly | Current visibility into what has changed, what is exposed, and what the next priorities are. Not a report for its own sake—a decision-support document. |
| Vendor and third-party risk assessment | Quarterly | Know which vendors have access to your systems or data, what their security posture looks like, and whether your contracts include appropriate security terms. Verizon's 2024 DBIR found 15% of breaches involved a third party (Verizon, 2024). |
| Cyber insurance adequacy review | Annual + pre-renewal | Confirm coverage aligns with actual risk profile, sublimits are understood, and incident response requirements are documented. Ridgeline's $22,000 deductible surprise is common. It should not be. |
| Incident response plan maintenance | Annual + tabletop exercise | A documented, tested playbook. The forty-eight hour delay Ridgeline experienced at the start of their incident came from not having pre-approved the IR firm with their carrier. That is a planning failure, not a response failure. |
| Security awareness program oversight | Quarterly | Phishing simulation results reviewed, training completion tracked, and targeted follow-up for high-risk roles. The Ridgeline incident started with a phishing email. This is not a coincidence—human error is involved in the majority of breaches (Verizon, 2024). |
| Executive and board reporting | Quarterly | Leadership understands the risk posture, the investment rationale, and the open exposures requiring decisions. Security stops being something that is invisible until an incident occurs. |
| Backup and recovery architecture review | Annual | Confirm backups are air-gapped or immutable, recovery has been tested, and the RTO/RPO assumptions match what the business actually needs. This specific control failure cost Ridgeline their fastest recovery path. |
This is not a theoretical list. These are the activities that, had they been in place at Ridgeline, would have changed the outcome. The phishing that initiated the attack is difficult to fully prevent. The lateral movement that went undetected for three weeks is addressable through network segmentation and monitoring controls. The backup architecture failure is entirely preventable. The insurance surprise is preventable. The forty-eight-hour IR firm delay is preventable. Most of the $340,000 was recoverable through program decisions, not technology purchases.
The Breach Cost Data Your Broker Isn't Showing You
IBM's annual Cost of a Data Breach Report is the most comprehensive longitudinal dataset on breach economics available to practitioners. The 2024 edition surveyed 604 organizations across 17 industries and 16 countries that experienced breaches between March 2023 and February 2024. For SMBs specifically—organizations with fewer than 500 employees—the average breach cost was $3.31 million. For larger organizations it was higher, but the SMB figure is the one that matters here, because it represents your peer group and it represents an event that most SMBs cannot absorb (Ponemon Institute & IBM Security, 2024).
The Verizon 2024 Data Breach Investigations Report adds operational context to those financial figures. Of the 30,458 security incidents analyzed, 10,626 were confirmed data breaches. Ransomware and extortion were involved in 32% of all breaches. The median time-to-ransom in ransomware incidents was under 24 hours. And critically for the SMB conversation: small businesses were targets at rates comparable to large enterprises—threat actors do not skip your company because you are smaller (Verizon, 2024).
- Average SMB breach cost: $3.31M, for organizations under 500 employees. Most cannot survive this without significant operational disruption or closure (IBM, 2024).
- Ransomware in breaches: 32% of confirmed data breaches in 2024 involved ransomware or extortion. The median time-to-ransom was under 24 hours (Verizon, 2024).
- Fractional CISO annual cost: $12K–$20K, for 8–12 hours of dedicated strategic security leadership per month. Less than one week of an average SMB breach's total cost.
There is a second data point from IBM worth holding: organizations with high levels of security AI and automation saved an average of $2.22 million per breach compared to organizations without those capabilities. The gap is not primarily about technology spend—it is about having someone with the expertise to configure, deploy, and interpret those tools. A fractional CISO is the mechanism through which an SMB accesses that capability without the full-time hire.
What Changed After Ridgeline Hired a Fractional CISO
Three months after the incident closed, Ridgeline's CEO made the call. The engagement started at ten hours a month—$1,250 per month on a retained basis. The first ninety days looked like this: a full security program assessment, a rewritten backup and recovery architecture with immutable off-site storage, a vendor risk inventory covering their top twelve technology relationships, an incident response plan reviewed and pre-registered with their insurance carrier, and a tabletop exercise run with the executive team.
The insurance conversation alone recovered part of the engagement cost. The carrier had flagged two deficiencies on the renewal questionnaire that were driving a premium surcharge. Both were addressable through documentation and control changes that were already underway. The surcharge came off. The net premium increase from the incident was reduced from the projected $18,000 to $11,000. The fractional CISO engagement paid for most of itself in year one through insurance premium optimization alone.
Security leadership at the SMB level is not about matching enterprise spending. It is about making the decisions that enterprise organizations pay their CISOs to make—at a price point that reflects how much of that function you actually need.
The CEO's comment at the six-month mark was that the most valuable thing was not any specific control change. It was having someone in the room—or on the call—who could answer the question "are we okay?" with something more substantive than "I think so." That is not a small thing. Security anxiety is real in SMB leadership, and it tends to manifest as either paralysis or over-investment in point solutions that do not address underlying program gaps. A fractional CISO channels that energy into a coherent program.
Who This Is For—and Who It Is Not
A fractional CISO engagement is not the right answer for every SMB. If your business has no technology dependencies, processes no sensitive data, and has no contractual security obligations from customers or partners, the case is weaker. That describes a small number of businesses today, and the number is shrinking.
The profile that benefits most from fractional CISO engagement: organizations between 50 and 500 employees that handle customer PII, financial data, or protected health information; companies with significant technology-dependent operations where downtime has direct revenue impact; businesses that have received security questionnaires from enterprise customers and struggled to answer them; and organizations approaching cyber insurance renewal who are uncertain whether their controls match the representations they are making in the application.
That last category deserves emphasis. Cyber insurance carriers are tightening underwriting standards. The questionnaire that was two pages in 2020 is now twelve pages, and the answers have legal weight. If your organization attests to controls you do not have—MFA on all remote access, for example, or a tested incident response plan—you create coverage dispute exposure at exactly the moment you need the policy to pay. A fractional CISO helps you answer those questions accurately and close the gaps before renewal.
Strong fit: 50–500 employees. Technology-dependent operations. Handles PII, PHI, or financial data. Has enterprise customers with security requirements. Approaching cyber insurance renewal. No dedicated security leadership.
Growing into it: Under 50 employees but in a regulated industry (healthcare, finance, legal) or holding sensitive data. Has experienced a near-miss or minor incident. Just signed a customer contract with security obligations.
Six Questions to Ask Before Your Next Board Meeting
These are not trick questions. They are the questions a CISO would ask on day one of an engagement—and the questions an incident response firm asks after an event. The time to answer them is before, not after.
- If your primary production systems were locked for seventy-two hours starting tonight, what would it cost the business in lost revenue and recovery expenses—and do you have documented evidence that your cyber insurance policy covers that scenario?
- When were your backups last tested for actual recovery? Not confirmed as running—tested by restoring a system from them. Are those backups stored in a location that ransomware in your production environment cannot reach?
- Which vendors have access to your internal systems or customer data, and when did you last review their security controls and your contractual data protection terms with them?
- What does your cyber insurance renewal questionnaire ask about your security controls, and are you confident that your attestations are accurate today—not as of the last time someone thought about it?
- If an employee received a phishing email right now and clicked it, what would happen next, and who would be the first person to know about it, and what would they do?
- What is your organization spending annually on security controls and tools, and who is responsible for deciding whether that spending is achieving the intended risk reduction?
If those questions produce confident, documented answers, your security program is in reasonable shape. If they produce uncertainty, inconsistency, or the response "our IT provider handles that"—you have the gap that fractional CISO engagement is designed to close.
Ridgeline Industrial is a real company with a real incident, real costs, and a real outcome. The $340,000 is not hypothetical. The $15,000 engagement that followed it is not hypothetical. The math between those two numbers is, ultimately, the only argument that needs to be made.
References
- Ponemon Institute & IBM Security. (2024). Cost of a Data Breach Report 2024. IBM Corporation. https://www.ibm.com/reports/data-breach
- Verizon. (2024). 2024 Data Breach Investigations Report. Verizon Business. https://www.verizon.com/business/resources/reports/dbir/