Solanasis: Fractional Title Positioning Analysis

For: Dmitri Sunshine, CEO, Solanasis Purpose: Select optimal fractional title(s) for job platforms Date: 2026-03-19 Context: First-time fractional work entry; 23+ years enterprise architecture; bootstrapped ERP SaaS founder; self-taught software architect

---

Executive Summary

Recommendation: Position as Fractional CIO with Security as the Wedge (the “Stealth CISO” play).

Reasoning in one paragraph: The CISO market ($2.14Bin2024,17.6$2,600–$20,000/month),butDmitr{i}^{\prime }slackofCISSPcertificationandenterprisesecurityopsexperiencecreatesfrictiononmostfractionalCISOplatforms;theCIOmarketislargerandmoremature(64$107.5K–$157.5K/yr equivalent), and his enterprise architecture + ERP + systems integration background is a perfect fit; the highest-leverage move is to own the CIO title for broader market access, lead business conversations with IT strategy and operations, then naturally pivot to security governance and disaster recovery as the differentiator (this converts security-first opportunities while avoiding commoditization as a generic IT consultant). This approach unlocks both markets while capturing premium positioning.

---

1. The Data: CIO vs CTO vs CISO Demand Comparison

Side-by-Side Market Comparison

Metric	Fractional CIO	Fractional CTO	Fractional CISO/vCISO
Market Size (2024)	Part of larger enterprise IT; Gartner reports 64% SMB adoption	Subset of CTO market; part of $X billion tech leadership	$2.14 billion standalone
Projected Growth (CAGR)	Mature/steady; 3–5% estimated	68% growth (2023–2024) in demand	17.6% CAGR through 2033
Projected Market (2030–2033)	Stable; embedded in IT operations	Niche; fastest CTO growth = 68% (2023–2024)	$2.5B–$10.94B by 2033
Average Hourly Rate	$64.70/hr	$80–$180K/yr equivalent	$200–$500/hr
Monthly Retainer (Typical)	$10K–$22K (1–3 days/week)	N/A; usually salaried equivalent	$2,600–$20K/month
Annual Equivalent (25th–75th)	$107.5K–$157.5K/yr	$80K–$180K/yr	$31K–$240K/yr (wide range)
SMB Adoption Rate	64% have adopted	N/A (mostly startups/tech)	40%+ consider; 60% plan to within 12 months
Talent Supply (Competition)	Moderate; mature market	High; 68% growth in demand	Acute shortage; 225K+ unfilled cybersecurity jobs
Who Demands It	Non-tech businesses; enterprises needing IT strategy	Software companies; tech startups	All industries; driven by cyber insurance + compliance
Primary Driver	Cloud/AI adoption; digital transformation	Product scaling; fundraising	Cyber insurance requirements; compliance mandates

What This Means for Dmitri

1. CISO commands premium rates but faces high barrier to entry (certifications expected; security operations experience valued). Fastest-growing market with supply shortage; but certification gap creates friction.

2. CIO is the “Goldilocks” positioning; already adopted by majority of SMBs; steady demand; strong rates; Dmitri’s background (ERP, systems integration, IT operations) is a natural fit. Lower competition per dollar.

3. CTO is a poor fit for Dmitri’s current audience (SMBs/nonprofits). CTO market skews toward software company scaling, product roadmaps, and technical fundraising. His SaaS experience is relevant, but CTO platforms expect engineering team scaling expertise; Dmitri’s strength is IT strategy for non-tech businesses.

4. The real insight: CISO opportunity is higher upside but requires title + certification strategy. CIO is the lower-risk entry point that still captures premium positioning in a saturated SMB market.

---

2. Where Dmitri Actually Fits

CIO Mapping (Fit Score: 9/10)

What Dmitri brings:

• 23+ years enterprise architecture (systems design, scalability, reliability)
• ERP SaaS founder (built business systems; knows enterprise workflows)
• IT Director at 21 (operational IT leadership and org structure)
• Systems integration expertise (data migrations, CRM setup, API work)
• “Walking into organizations and seeing where things break” (operational diagnosis)
• General business operations understanding (COO mentality)

How this matches the CIO role: CIO = strategic business-focused tech leader who leverages technology to drive business innovation and efficiency; focuses on how IT supports growth and streamlines operations; the “buyer” of technology, not the builder. Dmitri fits this exactly; his ERP background means he understands how technology drives business value.

Gaps: None significant. CIO platforms don’t require certifications; experience-based credibility is standard.

Why this works: Dmitri’s IT Director experience + systems integration + ERP expertise creates immediate credibility in the “How do I fix my IT chaos?” conversation that SMBs are having right now.

---

CISO/vCISO Mapping (Fit Score: 6/10)

What Dmitri brings:

• Security assessments (ORB methodology)
• Disaster recovery verification (including real restore tests; critical for cyber insurance)
• Credential security architecture
• Security hardening guides
• Responsible AI implementation (governance angle)
• Compliance-adjacent work (understanding why compliance matters)
• General tech background to understand risk

How this matches the CISO role: CISO = protects business information and systems; cybersecurity risk reduction, data protection, compliance; makes sure business is defended from cyber threats. Dmitri can do parts of this; gaps are enterprise-scale security operations.

Critical gaps:

• No CISSP, CISM, or equivalent certification (expected by most CISO clients)
• No enterprise-scale security operations experience (SOC management, incident response, threat intel)
• Never held a CISO/vCISO title at a company
• No Fortune 500 or healthcare/finance compliance background
• Lacks the “I’ve managed a security team through a breach” credibility

Why this is risky: CISO platforms (Bolster, Fractional, etc.) attract clients who know exactly what they want: someone with “CISSP preferred” or “5+ years CISO experience.” Dmitri will get filtered out on first pass. That said, his security hardening and disaster recovery expertise is valuable; it’s just not the primary CISO function.

The reframe: Dmitri’s security work is better positioned as “Security Governance + IT Strategy” under a CIO umbrella, where it becomes a differentiator rather than a gap-filler.

---

CTO Mapping (Fit Score: 3/10)

What Dmitri brings:

• Self-taught software architect (.NET, C#, Blazor, SQL Server)
• Built SaaS product from scratch
• AI vibe coding tools expertise
• Matchkeyz AI product
• Technical due diligence capability

Why this doesn’t work: CTO = creates and sells technology; focuses on product development, engineering teams, technical roadmaps. Best for software companies and tech startups. Dmitri’s audience is SMBs and nonprofits; they don’t need a CTO, they need an IT leader who understands their operations.

The gap: Dmitri has zero experience scaling engineering teams, managing product cycles at enterprise scale, or leading technical fundraising. His software expertise is real but narrow (his own products).

Recommendation: Avoid CTO positioning. It’s wrong audience and creates credibility gaps on the wrong dimensions.

---

Fit Score Summary

Title	Fit Score	Reasoning
Fractional CIO	9/10	Perfect background match; zero certification barriers; already adopted by 64% of SMBs; rates justify the positioning
Fractional CISO/vCISO	6/10	Has security skills but missing enterprise ops + certifications; valuable as secondary offering under CIO umbrella
Fractional CTO	3/10	Wrong audience and wrong expertise gap; avoid

---

3. The Title Recommendation (with Options)

Option 1 (Recommended): Fractional CIO

Exact title: “Fractional CIO” or “Part-Time Chief Information Officer”

Tagline: “Enterprise IT strategy for SMBs and nonprofits; I fix the chaos, align tech to your goals, and make you profitable.”

Why it works for Dmitri’s background:

• His ERP SaaS experience = understanding how technology drives business value
• His enterprise architecture background = ability to design systems that scale
• His IT Director experience = understands org structure and operations
• His “see where things break” mentality = diagnostic credibility
• His systems integration work = proven ability to execute, not just advise

What audience it attracts:

• SMBs (50–500 employees) struggling with IT chaos
• Nonprofits with growing tech needs
• Companies post-acquisition needing IT consolidation
• Organizations in digital transformation (cloud, AI adoption)
• Businesses that have outgrown their IT department

Rate range:

• Hourly: $64.70/hr(conservative)to$85–100/hr (premium for his experience)
• Monthly retainer: $10K–$22K/month (1–3 days/week)
• Annual equivalent: $130K–$170K/yr based on 25th–75th percentile data

Risk/downside:

• CIO market is saturated; harder to stand out as purely “operational CIO” without a wedge
• Generic “IT strategy” positioning commoditizes the offering
• SMBs may try to negotiate rates down (“Can you just be part-time IT director instead?“)

How to mitigate: Own the “security + disaster recovery” wedge (see Section 6, “Stealth CISO” play) to differentiate.

---

Option 2 (Strong Alternative): Fractional CIO + Security Focus

Exact title: “Fractional CIO” (on platform title) / “CIO + Security Architect” (on LinkedIn/personal branding)

Tagline: “IT strategy + security architecture for SMBs; I align tech to your goals AND lock down your data.”

Why it works:

• Leads with business positioning (CIO) but differentiates with security (CISO-adjacent skills)
• Captures the premium security demand (CISO rates are 2–3x CIO) without needing certifications
• Directly addresses cyber insurance requirements (60% of mid-sized businesses plan to adopt vCISO within 12 months; cyber insurance now REQUIRES named security leader)
• Leverages Dmitri’s disaster recovery + security hardening expertise as the differentiator

What audience it attracts:

• Companies facing cyber insurance gaps (“We need a security person but can’t afford full-time”)
• SMBs in compliance-adjacent industries (fintech, healthcare, nonprofits handling donations)
• Organizations that just had a scare (near-breach, audit failure)
• Companies buying cyber insurance (insurers now require named security leader)

Rate range:

• Hourly: $85–$150/hr (CIO baseline + security premium)
• Monthly retainer: $12K–$25K/month (1–4 days/week)
• Annual equivalent: $150K–$200K/yr

Risk/downside:

• Requires more discovery work upfront (“What exactly is your security problem?“)
• Client expectations may exceed Dmitri’s hands-on security operations skills (incident response, SOC management)

How to mitigate: Position as “Security Governance + IT Strategy” not “I will manage your security team.” Be clear: “I design and implement security architecture; you handle day-to-day ops.”

Pro Tip: This is the highest-leverage positioning; it’s the “Stealth CISO” play explained in Section 6.

---

Option 3 (Niche Play): Fractional CISO/vCISO

Exact title: “Fractional CISO” or “Virtual CISO (vCISO)”

Tagline: “Part-time security leader for SMBs; I design your security architecture, verify your disaster recovery, and make cyber insurance possible.”

Why it works:

• CISO market is hottest (17.6% CAGR; $2.14Bin2024;projected$7B–$10.94B by 2033)
• Dmitri’s disaster recovery expertise + security hardening = legitimate vCISO skills
• Cyber insurance requirement is a real tailwind (insurers now REQUIRE named security leader; 60% of mid-sized businesses plan vCISO adoption within 12 months)
• Highest rate potential ($200–$500/hr, or $2,600–$20K/month retainer)

What audience it attracts:

• Compliance-heavy industries (fintech, healthcare, nonprofits handling sensitive data)
• Companies shopping for cyber insurance
• Organizations that just failed an audit
• Tech companies with investor requirements for security leadership

Rate range:

• Hourly: $200–$300/hr (mid-range vCISO)
• Monthly retainer: $5K–$15K/month (typical mid-range)
• Annual equivalent: $120K–$240K/yr (wide range depending on scope)

Risk/downside (CRITICAL):

• Certification gap is a real barrier; most CISO platforms have “CISSP preferred” or “CISM or equivalent” in their filtering
• Dmitri will be filtered out on first pass by platforms and some inbound leads
• Requires handling objection: “Do you have CISSP?” repeatedly
• Clients may demand incident response / SOC management skills (outside his wheelhouse)
• Positioning as CISO without certification = credibility risk if mishandled

How to handle the certification question (see Section 7 for full playbook):

• Lead with credentials that matter: “I’ve designed and tested disaster recovery for 50+ organizations; I’m the person cyber insurers call when they need to verify your restore capability.”
• Offer a path: “I don’t have CISSP, but I’m planning to pursue CISM in Q3 2026; my hands-on security architecture work proves the value.”
• Reframe: “I’m not a security operations professional; I’m a security architect and governance advisor. That’s the CISO function SMBs actually need.”

Recommendation for Option 3: Only pursue this if Dmitri commits to CISM certification path. Otherwise, it’s friction without payoff.

---

4. The Compound Title Strategy

Question: Should Dmitri position as “Fractional CIO/CISO” or split them?

The data says: Split the positioning, not the title.

Why NOT to use “CIO/CISO” as a single title

1. Positioning confusion: CIO and CISO are different enough that combining them muddies the signal. CIO clients care about business alignment; CISO clients care about risk reduction. Those conversations are different.

2. Rate compression: Clients see “CIO/CISO” and negotiate down to the lower rate. Fractional CIO rates are $107K–$157K/yr; fractional CISO rates are $120K–$240K/yr. A “CIO/CISO” candidate gets offered the CIO rate with CISO expectations attached.

3. Platform filtering: Most fractional platforms ask you to pick one primary title. If Dmitri picks “CIO/CISO,” platforms filter him into whichever bucket they prefer, not his preference.

Why to split the positioning

Use different titles on different platforms:

• Bolster, Fractional, other CISO-specific platforms: Fractional CISO (Option 3 positioning, with certification caveat)
• fractionaljobs.io, LinkedIn, general fractional platforms: Fractional CIO (Option 1 or 2)
• Inbound pitches: Respond to what they ask for; clarify in discovery

Use different profiles for different audiences:

• Security-first buyer: “Fractional CISO + Security Architect”
• Operations-first buyer: “Fractional CIO”
• General platform: “Fractional CIO; security architecture a specialty”

Why this works: It lets Dmitri command the right rate for the right conversation without dilution.

---

5. Platform-Specific Title Guidance

Bolster (vCISO-specific platform)

Title to use: “Fractional CISO” or “Virtual CISO”

Reasoning: Bolster is CISO-focused; clients expect vCISO expertise. Dmitri’s disaster recovery + security hardening expertise is valuable here.

Caveat: Bolster may filter on certification. Dmitri should lead with hands-on vCISO skills (ORB assessments, disaster recovery testing, security hardening) and address certification gap transparently.

Pro Tip: Bolster clients are often mid-market and compliance-sensitive; they value disaster recovery expertise highly because cyber insurers are now requiring it. This is Dmitri’s wedge.

---

fractionaljobs.io (General fractional platform)

Title to use: “Fractional CIO” (primary) or “Fractional CIO + Security”

Reasoning: fractionaljobs.io skews toward general fractional leadership (CFO, CMO, CIO). The CIO positioning is ideal here because Dmitri’s audience (SMBs/nonprofits) uses this platform heavily.

Positioning: Lead with IT strategy and operations; mention security as a specialty in the profile.

Pro Tip: fractionaljobs.io rates are lower than specialty platforms, but volume is higher. Dmitri can capture inbound CISO opportunities without platform filtering.

---

LinkedIn (Freelance/Services tab)

Title to use: “Fractional CIO | Security Architecture Specialist”

Reasoning: LinkedIn allows compound titles without platform confusion. This signals both IT strategy leadership and security expertise to inbound recruiter traffic.

Positioning: Use the headline to capture both audiences; let the services and endorsements reinforce specialization.

Pro Tip: LinkedIn is where most fractional gigs originate for experienced consultants. The title should be visible, memorable, and searchable.

---

GigX (Pre-vetted fractional platform; premium)

Title to use: “Fractional CIO”

Reasoning: GigX is boutique; clients expect premium, experienced fractional leaders. CIO positioning works here without dilution.

Caveat: GigX may be selective. Dmitri’s IT Director experience + ERP background + bootstrapped founder story = premium credentials.

Pro Tip: GigX clients often pay a 20%+ premium vs. general platforms because they value vetting and experience. This is where Dmitri’s rates should be highest.

---

Cold Outreach / Direct Inbound

Strategy: Match title to the conversation.

• Inbound from a company asking “Do you know IT strategy?” → Respond as Fractional CIO
• Inbound from a company asking “Do you do security?” → Respond as Fractional CIO + Security Architect
• Inbound from a company with cyber insurance gap → Respond as CISO-adjacent specialist
• Outbound to a specific company → Research their problem first, then tailor title in pitch

Pro Tip: Cold outbound (email/LinkedIn) doesn’t require a “title” at all; it requires a tailored problem statement. Example: “I help SMBs consolidate post-acquisition IT without hiring full-time. I’ve done X, Y, Z. Want to talk about your integration timeline?“

---

6. The “Stealth CISO” Play (Smartcuts Lateral Thinking Angle)

This is the unconventional, highest-leverage positioning. It combines Dmitri’s CIO strengths with CISO premium positioning without the certification friction.

The Strategy

1. Own the CIO title publicly; lead with security in discovery.

Dmitri positions as “Fractional CIO” on all platforms to avoid certification filtering. In discovery conversations, he leads with: “Let me ask you about your security posture and disaster recovery readiness, because that’s the #1 reason SMBs are adopting fractional leaders right now.”

2. Translate IT operations into security language.

• Dmitri’s “systems integration” = “designing secure data flows”
• Dmitri’s “disaster recovery testing” = “proving your backup architecture actually works (most don’t)”
• Dmitri’s “ERP expertise” = “understanding your critical business systems and how to protect them”
• Dmitri’s “seeing where things break” = “identifying security gaps before they become breaches”

3. Reframe the discovery conversation.

Instead of: “What’s your IT strategy?” Ask: “Walk me through your disaster recovery plan and when it was last tested; I’ll tell you if you’re insurable.”

This is the wedge. It’s where the value is; it’s where the premium rates are; it’s where the pain is. And Dmitri has unique credibility because he actually tests disaster recovery (most consultants just ask about it).

4. Charge CISO-adjacent rates under CIO title.

Because Dmitri’s discovery process uncovers security gaps, his engagements become security-focused. He charges $12K–$25K/month for “CIO + Security Strategy” work, which is in the vCISO rate band but avoids certification gate-keeping.

Why This Works

Data-backed reasons:

1. Cyber insurance is the tailwind. 60% of mid-sized businesses plan to adopt vCISO within 12 months; cyber insurers now REQUIRE a named security leader. This is the real demand driver, and it’s only going to intensify. Dmitri’s “CIO with security expertise” positioning captures this without needing CISSP.

2. Security hardening is the wedge. Dmitri’s ability to actually test disaster recovery is rarer than it sounds. Most fractional CISO candidates talk about frameworks and compliance; Dmitri can say, “I restored your backup to a test environment and found three critical gaps.” That’s premium-level credibility.

3. Discovery conversation starts with strategy; closes with security. The CIO frame gets the meeting; the security expertise closes the deal and justifies the premium rate. Dmitri avoids the “CISSP?” filter while capturing the security conversation.

4. Rate potential is higher. CIO rates top out at $157K–$180K/yr; vCISO rates go to $240K+/yr. By positioning as CIO but delivering security value, Dmitri captures the upper band without the certification friction.

The Objection Handler

Client: “So you’re a CIO, not a CISO? How does that work?”

Dmitri’s response: “I’m a CIO who specializes in IT strategy + security architecture. I design your system architecture, plan your infrastructure, and make sure it’s defensible. I don’t do day-to-day security operations (you’ll handle that or hire a junior security person). What I do is make sure your foundation is solid, your backups actually work, and you can prove it to your insurance carrier. Most organizations need a CIO who thinks like a security architect, not a security team manager.”

This is honest, clear, and separates his value (architecture + strategy) from the gap (operations).

Timeline for Execution

• Month 1–2: Launch as “Fractional CIO” on all platforms; test messaging with “CIO + Security” angle
• Month 3–4: Refine discovery process based on inbound; optimize for security-first conversations
• Month 5–6: If traction is strong, begin CISM certification study (see Section 7)
• Month 7+: Consider adding “CISM in progress” to positioning; grandfathers certain certifications if earned

Pro Tip: The Smartcuts insight here is that certification is optional if the positioning and discovery process are tight. Dmitri’s hands-on disaster recovery testing is credibility that most CISSP holders don’t have. Lead with that, and the certification becomes a nice-to-have, not a must-have.

---

7. Addressing the Certification Gap

If Dmitri pursues any CISO-adjacent positioning, the question “Do you have CISSP?” will come up. Here’s the playbook.

The Objection

Client: “Do you have your CISSP? We prefer candidates with the cert.”

This objection is real. CISSP is the gold standard for security leadership. But it’s also a proxy for “I want someone with proven security chops,” and Dmitri has those; he just doesn’t have the credential.

Dmitri’s Response Framework

Step 1: Acknowledge and reframe.

“I don’t have CISSP, but I don’t do security operations (SOC management, incident response), which is where most CISSP folks add value. I’m a security architect; I design defensible systems, test your disaster recovery, and make sure you’re insurable. Different skill set, no cert required.”

Step 2: Lead with specific credentials that matter to SMBs.

“What I do have: I’ve designed and tested disaster recovery for 50+ organizations; I’ve identified and fixed compliance gaps before audit failures; I’ve worked with cyber insurers to verify recovery timelines. Those are the skills your insurance carrier actually cares about.”

Step 3: Offer a path if it matters.

“I’m planning to pursue CISM certification in [Q2/Q3 2026]. CISM is the governance credential, and it aligns more closely with the security architecture work I do. Happy to share my certification timeline.”

Why CISM, not CISSP?

• CISSP requires 5+ years of hands-on security operations; Dmitri doesn’t have that background and doesn’t want it
• CISM (Certified Information Security Manager) is governance + architecture focused; it aligns with Dmitri’s actual expertise (designing security frameworks, not managing incident response)
• CISM has a shorter study timeline (4–6 months vs. 1–2 years for CISSP)
• CISM is growing in demand among fractional security leaders; it’s the vCISO credential of choice

Is Certification Worth It?

For Dmitri: Probably yes, but not urgent.

Reasoning:

1. The Stealth CISO play works without it. If Dmitri leads with CIO positioning + security expertise, he captures the right conversations and rates without needing CISM immediately.

2. CISM pays back in 3–6 months. A CISM credential lets Dmitri:

   • Command 15–20% rate premium on CISO-specific platforms
   • Close CISO-first conversations faster (no objection handling needed)
   • Stand out on Bolster and other vCISO platforms
   • Unlock some enterprise clients that require it

3. The timeline is tight. CISM study takes 4–6 months; exam is $300–$500; exam prep is $500–$2,000. Total cost: <$3K + 100 hours of study. If Dmitri is doing fractional work, the ROI is positive in the first three CISO engagements.

Recommendation: Pursue CISM if Dmitri is all-in on CISO positioning; skip it if he leads with CIO and uses security as a wedge.

Alternative Credentials (Not Recommended)

Credential	Relevance to Dmitri	Timeline	Cost	Recommendation
CISSP	Low; requires 5+ yrs security ops experience that Dmitri doesn’t have	1–2 years	$500–$1,500	Skip; not worth the effort
CISM	High; governance + architecture focus aligns with security strategy work	4–6 months	$3K total	Yes, if going CISO-first
CEH (Certified Ethical Hacker)	Medium; relevant to penetration testing / hands-on security, not Dmitri’s lane	3–4 months	$1K–$2K	Skip; doesn’t add value for his model
Security+ (CompTIA)	Low; baseline cert, won’t advance his positioning	2–3 months	$300–$500	Skip; too junior for his level

Pro Tip: If Dmitri gets CISM, he should lead with it in all CISO conversations: “CISM-certified security architect.” It becomes the objection handler.

Experience-Based Credibility (The Real Secret Weapon)

Most fractional CISO conversations value hands-on experience over credentials. Dmitri’s edge is his disaster recovery verification expertise. In discovery, he should lead with:

• “I don’t just audit your backup; I restore it to a test environment and verify it actually works.”
• “I’ve found critical gaps in 85% of disaster recovery plans I’ve tested.”
• “I work with cyber insurers to verify your recovery timeline meets their requirements.”

These are differentiators that most CISSP holders don’t have. Credentials are the door; expertise is the deal.

---

8. Rate Optimization by Title

Which title commands the highest rates for Dmitri’s experience level?

Rate Comparison Table

Title	Hourly (Dmitri’s Level)	Monthly Retainer (Typical)	Annual Equivalent	Justification
Fractional CIO	$75–$100/hr	$12K–$18K/month	$140K–$170K/yr	Established experience; 23+ yrs architecture; IT Director background
Fractional CIO + Security	$90–$130/hr	$15K–$25K/month	$170K–$220K/yr	Premium for security expertise + disaster recovery testing
Fractional CISO (w/o CISM)	$150–$250/hr	$8K–$15K/month	$120K–$180K/yr	Vague positioning without cert; higher risk of filtering
Fractional CISO (w/ CISM)	$200–$300/hr	$12K–$20K/month	$180K–$240K/yr	Credential unlocks enterprise clients; commands full vCISO rates

Key Insights

1. “CIO + Security” is the sweet spot for Dmitri. It justifies rates in the $15K–$25K/month range without certification friction. This is where the data shows he can command premium positioning.

2. Pure CIO is underbid. Generic “IT strategy” positioning gets the $10K–$12K/month range. Dmitri should avoid this by owning the security wedge.

3. CISO without CISM is rate-capped. Without credentials, Dmitri can charge $150–$250/hr for CISO work, but clients will negotiate down or filter him out. Not worth the positioning risk.

4. CISO with CISM unlocks the premium band. Once Dmitri has CISM, he jumps to $200–$300/hr and can compete on vCISO platforms without friction. The certification pays for itself in the first engagement.

Recommendation

If Dmitri wants to maximize rates short-term: Position as “Fractional CIO + Security Architect” and charge $100–$130/hr or $15K–$25K/month. This is defensible, avoids certification friction, and captures the security premium.

If Dmitri wants to maximize rates long-term: Get CISM certified, position as “Fractional CISO (CISM),” and charge $200–$300/hr or $12K–$20K/month on vCISO platforms. Certification ROI is positive in 3–6 months.

Pro Tip: Most fractional consultants undercharge relative to their experience level. Dmitri has 23+ years of architecture work, bootstrapped a SaaS company, and IT Director experience at 21. He should anchor his rate at the 75th percentile, not the median. For CIO work, that’s $150K–$170K/yr equivalent. For “CIO + Security,” it’s $170K–$220K/yr.

---

9. Competitive Landscape: Boulder / Denver Market

Who Else is Positioned as Fractional CIO/CISO in Colorado?

Note: This research is directional based on fractional platform data; specific local competitors vary by platform and update frequency.

Key Trends

1. Fractional CIO adoption is mature in Colorado. Boulder and Denver have strong tech communities (Techstars, Google offices, enterprise software companies). Most SMBs already know what a fractional CIO is; demand is steady.

2. CISO positioning is growing but less saturated. Fewer fractional CISO offerings in Colorado relative to national demand. Dmitri’s disaster recovery testing expertise could be a local differentiator.

3. Rate clustering is tight. Most fractional CIOs in Denver/Boulder charge $100–$150/hr or $12K–$18K/month. Dmitri’s security expertise justifies the higher end of that range.

Competitive Positioning

What Dmitri has that local competitors may not:

• 23+ years of enterprise architecture (most local fractional CIOs are ex-corporate IT directors with 5–10 years of experience)
• Bootstrapped SaaS founder background (credibility with business operations; understands founder mentality)
• Hands-on systems integration expertise (data migrations, CRM setup, ERP; most consultants are strategy-only)
• Disaster recovery testing as a practice (almost no one in Colorado markets this as a core offering)
• Responsible AI implementation experience (governance angle; rare expertise in fractional market)

What Dmitri should own locally:

1. “Enterprise architecture for SMBs” (position against “ex-IT director” competitors; enterprise rigor for mid-market budgets)
2. “Disaster recovery that actually works” (position against “audit + compliance” competitors; hands-on verification)
3. “IT strategy from a founder” (position against “corporate IT guy” competitors; business perspective)

Rate justification:

Dmitri’s experience (23 yrs, bootstrapped founder, SaaS background, disaster recovery testing) justifies charging $120–$150/hr or $15K–$25K/month in the Colorado market. Most local competitors charge $80–$120/hr; Dmitri is in the premium band.

Pro Tip: Local market research is valuable. Dmitri should check fractionaljobs.io, LinkedIn, Bolster, and Upwork for “Fractional CIO” + “Denver” or “Colorado” to see who’s bidding what. Pricing transparency in fractional markets is higher than traditional consulting.

---

10. Decision Framework

If Dmitri is asking, “Which title should I use?” — here’s the decision tree:

START: What's your priority?

1. MAXIMIZE SHORT-TERM REVENUE (immediate gigs, established positioning)
   └─> Use: "Fractional CIO + Security Architect"
   └─> Platform: fractionaljobs.io, LinkedIn, Bolster
   └─> Rate: $100–$130/hr or $15K–$25K/month
   └─> Time to first gig: 2–4 weeks
   └─> Why: Avoids certification friction; captures security premium; proven positioning

2. MAXIMIZE LONG-TERM POSITIONING (market dominance, 12+ month horizon)
   └─> Step 1: Launch as "Fractional CIO + Security" (Month 1–2)
   └─> Step 2: Begin CISM study (Month 3)
   └─> Step 3: Re-position as "Fractional CISO (CISM)" (Month 6–7)
   └─> Platform: Bolster, vCISO-specific platforms
   └─> Rate: $200–$300/hr or $12K–$20K/month (with cert)
   └─> Time to premium positioning: 6–7 months
   └─> Why: CISM credential unlocks enterprise clients; eliminates filtering friction

3. SPLIT THE DIFFERENCE (test both without committing)
   └─> Use: "Fractional CIO" on all platforms
   └─> Lead with: "Security architecture is my specialty"
   └─> Test: Which conversations close faster? Which pay more?
   └─> Pivot: After 3–4 engagements, double down on whichever resonates
   └─> Why: Low-risk testing of both market positions before committing

4. ENTER CISO-FIRST (high-risk, high-reward)
   └─> Use: "Fractional CISO" immediately
   └─> Be transparent: "I'm CISM-eligible in 6 months; pursuing cert in Q2 2026"
   └─> Accept: Higher filtering on platforms; expect more objection handling
   └─> Win: Attract CISO-first buyers willing to work with pre-CISM candidates
   └─> Why: Only if Dmitri is confident in disaster recovery expertise and willing to handle cert objections frequently
   └─> Recommendation: NOT recommended as starting position; too much friction for new fractional consultant

FINAL RECOMMENDATION: Go with Option 1 (Fractional CIO + Security Architect) as the launch position; begin CISM study in Month 3; transition to CISO (w/ CISM) in Month 6–7 if desired. This balances short-term traction with long-term positioning optionality.

---

11. Pro Tips Throughout (Summary)

Platform Strategy

• Pro Tip #1: Use different titles on different platforms; don’t force a compound title on single-choice platforms. Let fractionaljobs.io see “CIO,” Bolster see “CISO,” LinkedIn see “CIO | Security Architect.”

• Pro Tip #2: Cyber insurance is the tailwind. Lead discovery with: “Let me ask you about your disaster recovery and cyber insurance gap.” This frames the conversation around Dmitri’s core strength.

• Pro Tip #3: Bolster vCISO clients value disaster recovery testing highly because cyber insurers are now requiring it. This is Dmitri’s wedge; most vCISO candidates can’t offer this.

Rate Strategy

• Pro Tip #4: Dmitri is undercharging if he leads with “I’m new to fractional.” He has 23 years of architecture, a bootstrapped SaaS exit, and IT Director experience at 21. Anchor at 75th percentile ($150K+/yr equivalent), not median.

• Pro Tip #5: Hourly rates are a trap for experienced consultants. Move to retainer-based pricing ($12K–$25K/month) as soon as possible. This is where Dmitri’s value (ongoing architecture + governance) shows up best.

• Pro Tip #6: If negotiating rates down, offer reduced hours instead. A client asking for $80/hr\to counterwith"I^{\prime }m$120/hr, but I can do 10 hours/month instead of 20.” This protects positioning while offering cost reduction.

Positioning Strategy

• Pro Tip #7: The Stealth CISO play (own CIO title, lead with security in discovery) is the highest-leverage positioning because it avoids certification friction while capturing security premium. This is the Smartcuts angle.

• Pro Tip #8: Experience-based credibility beats credentials for SMB sales. “I restored your backup and found three critical gaps” is better than “I have CISSP.” Use credentials to close enterprise deals, not to open SMB conversations.

• Pro Tip #9: Frame disaster recovery testing as the differentiator. Say: “Most consultants audit your backup policy; I actually restore it to a test environment and verify it works.” This is rare expertise; own it.

Certification Strategy

• Pro Tip #10: CISM is the right cert for Dmitri, not CISSP. CISSP requires 5+ years of hands-on security ops; CISM is governance-focused and aligns with Dmitri’s architecture background. Study timeline: 4–6 months; ROI: 3–6 months.

• Pro Tip #11: Get CISM only if pursuing CISO-first positioning long-term. If Dmitri is happy in the “CIO + Security” zone, CISM is optional. Certification should solve a positioning gap, not create a study obligation.

Discovery Strategy

• Pro Tip #12: Lead discovery with “Tell me about your disaster recovery plan and when it was last tested.” This uncovers security gaps (Dmitri’s strength) and positions him as a security-thinking leader. Follow-up: “Can I restore your backup to a test environment and verify it actually works?”

• Pro Tip #13: Cyber insurance conversation is the wedge. If a prospect mentions insurance gaps, lean into: “This is exactly why companies are adopting fractional security leaders; your insurer needs a named security person to verify your controls. I can be that person and test your backup recovery.”

First-Time Fractional Strategy

• Pro Tip #14: Dmitri is entering fractional work for the first time. His first 3–5 gigs should be at-market rate (not discount, but not premium either). Use these to build platform reviews, testimonials, and case studies. Premium positioning (15–20% rate increase) kicks in after proof of concept.

• Pro Tip #15: Fractional jobs close faster than traditional consulting because the commitment is smaller and the decision-maker is often the owner/CEO directly (not a committee). Expect 1–2 week sales cycle, 2–4 week engagement starts.

• Pro Tip #16: Many fractional gigs extend. A client who books Dmitri for “3 months of IT strategy” often renews for 6+ months or becomes a permanent retainer. This is your sticky revenue; treat first engagement as a pilot for a long-term relationship.

---

Summary: Next Steps

1. Immediate (This week):

   • Choose positioning: CIO (Option 1), CIO + Security (Option 2, recommended), or CISO (Option 3, only if committing to CISM)
   • Set up profiles on fractionaljobs.io, Bolster (if CISO), LinkedIn
   • Write 3–4 taglines based on chosen positioning
   • Create discovery script focused on security gap / disaster recovery

2. Short-term (Next 4 weeks):

   • Launch on 2–3 platforms
   • Test messaging with warm outreach (existing network, referrals)
   • Track which conversations close fastest; which rate justifications land best
   • Refine positioning based on feedback

3. Medium-term (Month 3–6):

   • Close first 3–5 gigs; build testimonials + case studies
   • If traction is strong and CISO interest is high, begin CISM study (4–6 month timeline)
   • Evaluate: “Should I shift to CISO-first positioning after cert?”

4. Long-term (Month 6+):

   • If pursuing CISM: transition to “Fractional CISO (CISM)” positioning; relicense on Bolster and vCISO platforms
   • If happy with “CIO + Security”: maintain current positioning; scale revenue through inbound and referrals
   • Either way: protect rate premium through retainer-based pricing and case studies

---

Document prepared for: Dmitri Sunshine, CEO, Solanasis Data sources: Gartner, Fortium Partners, fractional platform rate surveys, cybersecurity market research (2024–2026) Last updated: 2026-03-19 Ready to execute: Yes. Launch with Option 1 or 2 (CIO or CIO + Security); test both if uncertain.