Nearshore fractional CISO

Engaging a nearshore fractional CISO to secure regulated data

Hiring a cybersecurity executive on a fractional basis is a practical first step for building a security department from scratch. A large financial services company engaged our fractional CISO in a nearshore model to build out a 3-person team and close critical security gaps.

Handling critical data without a security team is a red flag

A few months ago, one of the largest appraisal services companies in North America hired our team to migrate their legacy infrastructure into AWS. Their platform handles 20+ million appraisal records and $18+ trillion dollars of mortgage value for banks and financial institutions. 

For context, an appraisal is an independent estimate of how much a property (house, apartment, office, etc) is worth. Banks and other financial institutions use appraisal information before approving mortgages or real estate loans to ensure that the borrower has sufficient capital to borrow against.

As our team started looking into their platform, we saw three major security red flags:

  • The platform itself was a critical point of failure. If it went down, financial institutions could not process appraisals, and the company lost millions in revenue. 
  • There were hundreds of unresolved vulnerabilities and critical security gaps everywhere we looked. 
  • The Security Manager (the only person on the security team) had quit a week prior 🤦🏻


Our big idea was to find an experienced Chief Information Security Officer (CISO) who had solved these problems before. But rather than hiring a full-time executive since the company didn’t know exactly what it needed, we looked for someone who could start on a fractional basis, at a fraction of the cost.

We told the CEO exactly what we believed the company needed: “Do not hire an entire security team yet. Start with a fractional CISO who can assess the risks, build the roadmap, and let him tell you who to hire next.”

We onboarded a nearshore virtual CISO in less than a week

For a platform handling millions of appraisals and large volumes of personal data, having security gaps was not an option. Every unresolved vulnerability increased the chances of a breach or could bring serious problems during the next audit or client security review. Banks don’t take security lightly. 

So, in as quickly as 3 days, Ewents found a top-level vCISO with 10+ years of experience, who has worked at one of the world’s largest German automobile companies. Finding such incredible talent is even being discussed by McKinsey, reinforcing the opportunity of leveraging Latin America as a region to find specialized talent

Once we had green light, our team started with a fractional (10-hour per week) CISO engagement to advise the CEO on three main questions:

  1. Who should we hire as part of our security team?
  2. Which cybersecurity tools does the company need right now?
  3. How much is people + tools going to cost?

 

Our vCISO found critical security gaps across the organization

During the first two months, our vCISO conducted a full security assessment across four key areas:

  • Reviewing the company’s existing security policies, processes, and tools
  • Assessing its SecurityScorecard rating and the issues affecting the score
  • Analyzing penetration testing and vulnerability management reports
  • Interviewing stakeholders across leadership, IT, and engineering to understand how security was managed in practice


The findings were not encouraging.

For starters, the company’s SecurityScorecard rating (the score banks and insurers check) was low, and it was easy to see why. There were dozens of open vulnerabilities across the applications and IT environment, including one unpatched system with more than 400 on its own, all tracked by hand with no way to know which mattered most. The company desperately needed a GRC specialist, since no one on the IT team owned the policies, risk register, and audit evidence that the banks were constantly requesting. To make matters worse, security was only checked every couple of months through penetration testing, rather than using MXDR or SIEM tools to continuously discover risks. 

The conclusion was clear: we needed to hire more people.

The engagement scaled into hiring a nearshore GRC and cybersecurity team

Our vCISO recommended adding two part-time nearshore specialists and partnering with an external MXDR provider. Together, this created the minimum team needed to start closing the most urgent gaps. Each part of the team had a specific purpose:

  • A fractional CISO guides the security program across the organization and report to the CEO
  • A Senior GRC analyst owns compliance, controls, and audit readiness, mapping the program to PIPEDA and NIST controls
  • An AppSec/Platform Security Engineer fixes technical gaps on the applications and the underlying AWS environment. 
  • An external MXDR vendor provides 24/7 continuous visibility into threats.


Within a few months, the company had gone from having almost no dedicated security function to having a complete, right-sized security team in place. The most critical gaps were closed, the vulnerability backlog was cleared, and the SecurityScorecard rating improved — tangible proof that the engagement was successful.

Keep in mind that the company also saved hundreds of thousands of dollars in annual payroll. Every role was engaged on a fractional, part-time basis at highly competitive nearshore rates, far below the cost of hiring the same team full-time in the United States.

How much nearshore fractional CISO services cost

Our engagement reflects a broader shift we are seeing across the market. Companies are no longer using nearshore teams only for traditional software development. They are also hiring specialized cybersecurity professionals, often starting with a fractional CISO. 

Before you start a search, it helps to see the roles that make up these engagements, along with indicative rates, since a clear budget makes the conversation far more productive. Note that the rates below are estimated ranges rather than set in stone, since the actual number for any role depends on seniority, scope, and the total number of hours assigned per week.

Role US contractor (ref.) Hiring nearshore
Fractional CISO $200–$300/hr $80–$130/hr
Senior GRC Analyst $130–$210/hr $55–$95/hr
Cloud Security Architect (AWS / Azure / GCP) $175–$275/hr $50–$85/hr
SOC Analyst (Tier 1 / Tier 2) $90–$150/hr $40–$60/hr
Data Privacy Consultant $150–$225/hr $90–$130/hr
Vulnerability Management Lead $150–$225/hr $60–$90/hr
Application Security Engineer $140–$220/hr $50–$90/hr
DevSecOps Engineer $150–$240/hr $50–$95/hr
Penetration Tester $160–$260/hr $50–$95/hr

Indicative mid-to-senior LATAM nearshore pricing. US contractor figures are reference points, not our rates.
Sources: Ewents proprietary data plus public market benchmarks and the ISC2 2025 Workforce Study.

How to hire a nearshore CISO with Ewents

A fractional Information Security Officer is often the best first security hire for a company building a program from scratch. Instead of spending months interviewing executives, you can onboard an experienced executive within days to assess your security posture, define priorities, and add specialized roles only where they are needed.

Working with a specialized security vendor from Latin America makes the process faster and more flexible. Any organization, regardless or size or industry, can gain access to senior cybersecurity professionals who work in your time zone at rates well below comparable U.S. hires. 

Ewents is a nearshore software services companies specialized in security and compliance. We provide fractional and vCISO services, giving companies the flexibility to scale their cybersecurity programs at ultra-competitive rates. 

If you’re looking to engage a fractional CISO, contact our team today

AI Highlights Extractor

Key Highlights:

Loading...