Statistics can be unforgiving, and in the case of cyber security, they shed new light on the state of modern business. It is estimated that just 0.009 per cent of the world’s one million companies have a chief information security officer, or CISO, on staff. For years, this organisational luxury was reserved exclusively for corporate giants with huge budgets. However, in the face of new regulations such as NIS2 and DORA, and the increasing aggressiveness of cyber gangs, the ‘IT guy for everything’ model in the SME sector is definitely becoming history. Regulatory requirements and market realities are forcing entrepreneurs to radically change their paradigm and move from owning tools to buying competence.
The IT sector is facing a structural problem that will only get worse in the coming years, with the Bitkom association forecasting a shortage of more than 650,000 experts by 2040. This is not a temporary staffing gap but a new economic reality in which medium-sized companies are at a disadvantage in the fight for talent. SMEs rarely have salary budgets or benefit packages that can compete with the offers of global corporations, and even if they do manage to hire a specialist, keeping them within the company borders on the miraculous. Market researchers predict that almost half of current CISOs will change employer by 2025, so recruitment processes drag on for months and consume resources that smaller players simply do not have.
The consequences are already clearly measurable: companies with fewer than 500 employees cite a lack of specialists as the second biggest threat to their security. This leads to a paradoxical situation in which company boards consciously accept cyber risks. This is not due to ignorance or an underestimation of the risks, but to simple helplessness and a lack of access to people capable of implementing effective protection. In Germany, a sizable percentage of organisations link successful ransomware attacks directly to a lack of internal knowledge and of the ability to detect threats in time.
In response to these staff shortages, the market has turned to automation, and managed security services are gaining popularity as a pragmatic alternative to building in-house. Central to this are MDR, or Managed Detection and Response, services, which combine EDR and XDR technologies with external teams of analysts available around the clock. Using advanced machine learning and artificial intelligence, these teams can detect anomalies and stop attacks in real time, often acting faster and more effectively than any in-house administrator.
However, there is a dangerous trap in thinking that technology alone will solve all of an organisation’s problems. MDR services excel at the operational layer: putting out fires, detecting intruders and isolating infected workstations. They are not designed for strategic thinking. No algorithm will create a RODO-compliant (i.e. GDPR-compliant) security policy, prepare a company for a complex NIS2 audit, or explain to the board why, at a given moment, investing in backup systems matters more than implementing a new ERP system. A clear distinction needs to be made between operational security, which operates in the here and now, and strategic security, which is about managing risks, planning for growth and building a long-term security culture.
This is where the concept of a virtual CISO (vCISO) enters the scene, as an answer for companies that must meet stringent regulatory requirements but do not need a full-time director. Both the EU’s NIS2 directive and the DORA regulation for the financial sector require organisations to have a clear allocation of responsibilities and to prove that security strategies are not only in place but also monitored by a qualified body; paper-based security is no longer sufficient. Incorporating the vCISO role within managed services gives SME companies access to enterprise-class expertise: they gain an expert who works with multiple organisations on a daily basis and is familiar with the latest threat vectors.
The model also brings tangible financial and organisational benefits. Subscription billing is only a fraction of the cost of hiring a full-time expert, while eliminating high recruitment and training costs. What’s more, the solution provides strategic continuity because, while MDR services protect the infrastructure at night, a virtual director by day plans the development of digital resilience, creates procedures and oversees audits. With this approach, the CISO role ceases to be an optional extra and becomes an available service that bridges the gap between complex technology and business objectives.
The skills shortage is a structural challenge that will not go away in the foreseeable future, so instead of tilting at windmills in a tough recruitment market, mid-sized companies should redefine their approach to data protection. The future belongs to a hybrid model that coherently combines modern technology based on artificial intelligence, managed operational services running continuously and external strategic oversight. Such an arrangement achieves a level of cyber resilience that was previously beyond the reach of smaller market players. Cyber resilience must not be the prerogative of the largest corporations but must become a standard available to every business entity, and managed services with a virtual CISO are currently the most pragmatic and economically viable way to achieve this.
It is crucial for IT decision-makers and integrators to analyse the current strategy in view of upcoming regulations. It is worth asking whether there is a clearly defined role within the organisation responsible for security strategy, or whether it relies solely on tools and software. An honest answer to this question can define a company’s resilience for years to come and protect it from serious legal and financial consequences.
