Do You Need a vCISO or a Fractional CTO? How to Tell
As more South African businesses bring in senior technology help on a part-time basis, two titles keep coming up. The vCISO and the fractional CTO. They sound similar, the arrangements look alike, and plenty of people use the terms as if they mean the same thing. They do not, and choosing the wrong one means paying for a head pointed in the wrong direction.
Here is how to tell which problem you actually have.
What a fractional CTO is for
A fractional CTO is a senior technology leader you bring in part-time to own the direction of your technology. They are looking forward. What should we build, what should we buy, how should the team be structured, which platform decision will we regret in two years.
You want a fractional CTO when technology is central to where the business is going and you need someone to steer it, but you are not yet at the size where a full-time executive makes sense. They make architecture decisions, guide the technical team, and translate between what the business wants and what the technology can do. We went into this in detail in what a fractional CTO actually does and when to get one.
What a vCISO is for
A vCISO, a virtual Chief Information Security Officer, owns a narrower and deeper question. Are we secure, and can we prove it. Their focus is risk, compliance, and protection rather than building and growth.
You want a vCISO when security and compliance are the pressing concern. Perhaps a large customer is demanding evidence of your security posture before they will sign. Perhaps POPIA obligations are weighing on you and nobody internally owns them, a situation we described in POPIA is not a once-off exercise. Perhaps you have grown fast and quietly know your defences have not kept up.
A vCISO sets security strategy, manages risk, handles compliance, and is the person who can stand in front of a board or a customer and account for how the organisation is protected.
The overlap, and the honest answer
The two roles overlap because good technology leadership includes security and good security leadership understands the technology. A capable person in either seat will care about both. But their centre of gravity is different. The CTO is oriented toward building the future. The vCISO is oriented toward protecting the present.
If your sharpest problem is where are we going and how do we build it, you want a fractional CTO. If it is are we safe and can we demonstrate it, you want a vCISO.
Some smaller businesses genuinely need a bit of both, and at that size one experienced advisor can often wear both hats sensibly rather than splitting the budget across two part-time executives. The thing to avoid is hiring for the title rather than the problem. Start from the question that is actually keeping you up, and the right role usually names itself. The practical security operations underneath either role are part of how we run managed IT at Claritam.
How to evaluate candidates for either role
Once you know which role you need, the next challenge is finding the right person. A good fractional CTO candidate should be able to walk through a technology strategy they have shaped, name the decisions they made and why, and describe the outcomes. They should have experience across multiple industries and technology stacks, because the value of a fractional CTO is pattern recognition — they have seen what works and what does not in enough environments to guide yours.
A good vCISO candidate should be able to describe how they have handled a real incident, not just how they would handle one hypothetically. They should understand the South African regulatory environment — POPIA specifically, but also sector-specific requirements if your business operates in finance, healthcare, or critical infrastructure. They should be able to stand in front of a board and explain risk in language the board understands, not in technical jargon.
For either role, ask for references from businesses of a similar size and stage. A fractional CTO who has only worked at large enterprises may struggle with the resource constraints of a growing business. A vCISO who has only worked in compliance-heavy regulated environments may struggle with a business that is starting from a low security baseline. Fit matters as much as experience.
When to start with one and add the other
For many South African businesses, the right answer is not one or the other. It is one first, then the other as the business grows. A business that is still figuring out its technology direction needs a fractional CTO first. Get the technology foundation right — the platforms, the team structure, the architecture decisions. Once that is stable, the security gaps become visible and a vCISO can address them against a known technology baseline.
A business that is facing an immediate compliance deadline or has just survived a security incident needs a vCISO first. Get the immediate risk under control, then bring in the fractional CTO to build the technology strategy on a secure foundation. The order matters because each role depends on the other’s output. A security strategy without a technology strategy is a list of controls that may not fit the business. A technology strategy without security is a plan that will eventually be interrupted by an incident.
The businesses that get this right are the ones that start from the problem, not the title. If you are unsure which problem you have, our detailed breakdown of what a fractional CTO actually does may help clarify the technology side, while the board questions framework can help surface which gaps are most pressing.
Need Help With Your Security or IT?
We work with South African businesses to assess, deploy, and manage security and IT that actually fits. No jargon, no scare tactics. Practical advice and real support.
Contact Us →





