Cybersecurity budgets keep rising. So do breaches. For small and mid-sized businesses, that paradox is particularly painful: they face the same attackers as global corporations but without the budgets, staff, or expertise to defend themselves.
Most successful attacks aren’t the result of nation-state zero-days. They’re the basics—an unpatched system, default credentials, missing multi-factor authentication, or a backup that fails when it’s needed most. These are solvable problems, but solving them consistently requires leadership and accountability. And for many businesses, that’s exactly what’s missing.
Why Strategy Is the Real Gap
A Chief Information Security Officer is supposed to set direction: assess risks, prioritize controls, and make sure security improves over time. But the reality is that full-time CISOs are expensive and in short supply. Hiring one is out of reach for the vast majority of organizations.
This creates a market imbalance. There are endless tools and services available, but not enough strategic guidance to ensure those tools are deployed effectively. As Joe Levy, CEO of Sophos, told me, “There’s this market failure. We have no shortage of tools and services, but the vast majority of organizations don’t know what to do next.”
The result is a landscape where companies spend money on security and still fall victim to attacks because they don’t know where to focus or how to measure progress.
Enter the Virtual CISO
A virtual CISO, or vCISO, is an emerging model designed to close that gap.
Instead of a full-time executive, organizations engage a vCISO on a fractional basis or through a managed service. The vCISO can bring executive-level strategy into environments that would otherwise never see it.
Levy put it plainly: “The idea of institutionalizing virtual CISO isn’t about trying to replace a human being with software or AI. It’s about making the institutional wisdom and best practices of what CISOs do accessible to all the organizations that don’t have them.”
There’s another dynamic driving the shift. Den Jones, founder and CEO of 909Cyber, sees it from the practitioner side: “I’d say there’s a lot of CISO’s feeling that the level of pressure, accountability and liability of the full-time role is becoming less attractive. More CISO’s are mentioning to me that the balance of this versus CEO/Board support, funding and culture means there’s a bit of an exodus. It’s slowly becoming more attractive to become a vCISO with less of the burden.”
But the transition isn’t without challenges. Jones notes that “Lone vCISO’s often struggle as they try to balance working for clients with finding new clients. During a period of client turnover many vCISO’s feel the financial rollercoaster with some giving up. That’s why companies like Sophos and 909Cyber exist—we can help both our clients and the CISO community find the right balance.”
Scaling Through Partnerships
Even with the vCISO model, reach is a challenge. There are hundreds of millions of small and mid-sized businesses worldwide. No single consultant or firm can cover that ground.
This is where managed service providers (MSPs) come in. MSPs already serve as the IT backbone for many organizations. By working in tandem with vCISOs, MSPs can move “up the stack,” offering not just ticket resolution but security strategy. With the right incentives and accountability, they can measure and demonstrate progress week by week—exposed systems reduced, MFA adoption increased, phishing simulations improved.
“The MSP population is a force multiplier,” Levy emphasized. “They’re the last mile for delivering security strategy at scale.”
AI as a Force Multiplier—With Limits
Artificial intelligence is often pitched as the solution to every problem. In this case, it does have a role to play—but not as a replacement for human judgment. AI can serve as a catalyst for scale. It can codify best practices, flag misconfigurations, and surface risks more consistently than a manual process.
For example, AI can scan configurations to identify weak settings, draft remediation steps, and even nudge teams until they’re completed. It can standardize hygiene at scale and free humans to focus on exceptions, risk trade-offs, and strategy.
But AI needs direction. As Levy cautioned, “AI won’t do this all on its own. It still requires human direction. It’s a catalyst, but not a replacement.”
Measuring What Matters
The test of any security strategy is simple: Are you better tomorrow than you were yesterday?
Success shouldn’t be measured in acronyms or dashboards. It should be reflected in concrete outcomes:
- Internet-facing services reduced from seven to zero.
- Multi-factor authentication enforced across 95% of accounts.
- Backup restore tests passed three quarters in a row.
- Phishing failure rates dropped from 18% to 6%.
When security is framed in those terms, it becomes a business conversation—about resilience, continuity, and trust—not just a technical one.
Looking Ahead
The economics of ransomware ensure attackers will continue to target the “underserved middle.” For many of these businesses, the choice isn’t between hiring a CISO or not. It’s between adopting a pragmatic model like vCISO—or being left exposed.
The virtual CISO isn’t a luxury. It’s becoming a necessity. And as MSPs and AI expand its reach, Levy and Jones are confident that strategy can finally scale to the millions of organizations that have long been left behind.
The real question isn’t whether companies can afford a vCISO. It’s whether they can afford not to have one.