I think there is a ton of value of having a single person who is responsible for security. A CISO specifically tends to be a larger company initiative. In my experience, CISO's range from a Chief technical security engineer to someone on the legal or executive team who handles the compliance side of the shop. In our shop, we have 2 people who are in charge of security - a head of infosec on the Engineering side and a CISO on the legal side. The head of infosec runs our security team, does red team/blue team activities, technical training, pen testing, development of defend tools, and so on. The 'CISO' handles compliance legalize, audit activities, customer security questionnaires, etc. Both are CISSP certified but our head of infosec has the on the ground knowledge.
I would also argue that a permanent employee has more of a vested interest than a contractor. You typically use a contractor to limit liability (you can sue/blame someone if something goes wrong). This is a double-edged sword because ownership ultimately lies with those who profit or lose the most. If your goal is really to secure the organization and not just check off a box - my opinion is that a full time leader is the way to go.
