
CISO-as-a-Service: How medium-sized companies benefit from external security expertise

Yannick H.

Jan 28, 2026

Too Long; Didn't Read

Medium-sized companies face a dilemma: They need professional security leadership but cannot justify a full-time CISO with an annual salary of CHF 250,000+. CISO-as-a-Service solves exactly this problem – you get senior expertise at 30-50% of the cost, without recruitment stress and with immediate availability. In this article, we show you how the model works in practice and when it makes sense for your company.

The CISO Dilemma in Medium-Sized Businesses

Sound familiar? Your CFO asks about the security budget, the board wants to know how well you're protected against ransomware, and your IT manager is juggling day-to-day operations along with "somehow also security".

Welcome to the club.

We see this in almost every medium-sized company we advise. The challenge is real: You need someone who thinks strategically about cybersecurity, can communicate with the board, and prioritizes your security investments. But a full-time CISO?

The salary alone is CHF 200,000 to 300,000. Plus benefits. Plus recruitment, which takes 4-6 months. Plus the risk that the person might leave after two years.

For a company with 150 employees, that's... hard to justify.

(And honestly: Many full-time CISOs get bored in medium-sized companies. The exciting projects are missing, budgets are limited, and after a year the groundwork is done.)

Figure: The CISO dilemma – high demand for security expertise with limited resources

What CISO-as-a-Service Really Means

Let's clear up a misunderstanding briefly: CISO-as-a-Service is not "someone who drops by occasionally and gives advice".

It is strategic security leadership on demand.

Specifically, this means:

Strategic Level:

  • Developing a security strategy that fits your business

  • Annual security roadmap with clear priorities

  • Budget planning and ROI justification for security investments

  • Risk-based decisions instead of feature checklists

Governance Level:

  • Security policies that people actually read (and follow)

  • Clear responsibilities for security within the company

  • Incident response processes before the worst-case scenario happens

  • Vendor management for security providers

Communication Level:

  • Board presentations in business language (not tech jargon)

  • Quarterly updates with understandable risk metrics

  • Translation between IT team and management

  • Crisis communication during incidents

Operational Support:

  • Review of security projects and architectural decisions

  • Support during audits (ISO 27001, FINMA, NIS2)

  • Incident response leadership in case of emergencies

  • Vendor evaluations and contract negotiations

What Does This Look Like in Practice?

Forget the image of a consultant who shows up once a month to give PowerPoint presentations.

A typical CISO-as-a-Service engagement with us looks like this:

Weekly Rhythm

One to two days per week – this is the sweet spot for most medium-sized businesses.

That may not sound like much, but consider this: a full-time CISO might spend 20% of their time on strategic tasks. The rest is taken up by meetings, admin, and daily business.

With focused expertise each week, you get more strategic output than with a full-time CISO who is bogged down in daily stress.

Typical activities could include:

  • Call with IT management – current issues, open questions, weekly prioritization

  • Deep dive into a focus topic – for example, reviewing the backup concept, preparing the management presentation, or evaluating a new security solution

  • If needed: Immediate availability for critical questions or incidents

Monthly Rhythm

  • One strategy meeting (90 minutes) to review the roadmap

  • Security dashboard update for management

  • Review ongoing security projects

Quarterly Rhythm

  • Management presentation on the security status

  • Risk assessment update

  • Budget review and planning for the next quarter

When Does CISO-as-a-Service Make Sense?

Not every company needs an external CISO. Here are the scenarios where the model brings the most value:

Scenario 1: "We're growing fast and security can't keep up"

You've scaled from 50 to 200 employees in three years. IT has grown, but security was always "we'll do that later".

Now the first enterprise customers are coming with security questionnaires. Your IT manager can't handle that on the side. A full-time CISO, however, is still overkill.

CISO-as-a-Service helps here because: You quickly build a basic structure that grows with the company. We establish the basics, develop a roadmap, and scale the engagement as you grow.

Scenario 2: "Regulations are forcing us to act"

NIS2. ISO 27001. FINMA circular. Data protection revision.

Suddenly you need someone who understands what all this means for you – and what it doesn't. Someone who can talk to auditors as a peer.

CISO-as-a-Service helps here because: You can't wait 6 months for a new CISO when the compliance deadline is in 9 months. We know the requirements and what is really being audited.

Scenario 3: "We experienced an incident and don't want it to happen again"

After a ransomware attack or data leak, security suddenly becomes a top management issue. The management wants security – but what exactly?

CISO-as-a-Service helps here because: We bring incident experience and know which measures really offer protection. No knee-jerk reactions, but structured improvement.

Scenario 4: "We are a PE portfolio company and need to deliver"

Private equity expects security governance, clear risk reports, and exit readiness. This is not a nice-to-have but part of value creation.

CISO-as-a-Service helps here because: We speak the PE language and know what due diligence teams want to see. Security maturity increases the exit multiple.

What You Can Realistically Expect

Within 3 Months:

  • Clear security strategy documented

  • Risk register with business impact assessment

  • First quick wins implemented (usually identity & access management)

  • Board understands security risks in business language

Within 6 Months:

  • Security governance established (policies, responsibilities)

  • Incident response plan tested

  • Vendor landscape optimized (often 20-30% cost savings)

  • Employee awareness raised (not just through boring e-learnings)

Within 12 Months:

  • Security incidents reduced by 40-60%

  • Audit findings reduced by over 50%

  • Security budget used more efficiently (25-35% more impact per franc)

  • Company ready for certifications or M&A evaluations

The Cost Reality

Let's talk about money. Transparently.

Full-Time CISO (internal employee):

  • Salary: CHF 220,000-280,000

  • Additional costs (benefits, infrastructure): ~30%

  • Recruitment: CHF 40,000-60,000 (headhunter)

  • Ramp-up: 3-6 months to full productivity

  • Total Year 1: CHF 350,000-400,000

CISO-as-a-Service (1-2 days/week):

  • Monthly fee: CHF 8,000-10,000

  • No recruitment costs

  • Productive from day 1

  • Scalable as needed

  • Total Year 1: CHF 96,000-120,000

That's more than 50% less than an internal CISO. And you can start immediately.

(Of course, this calculation only works if 4 hours per week are enough. For companies with over 500 employees or in highly regulated industries, an internal CISO might be the better option.)

When CISO-as-a-Service Is NOT Suitable

Let's be honest: the model isn't suitable for every company.

Not suitable if:

  • You need more than 2-3 days of security leadership per week (then go for full-time)

  • Your security requirements are very specialized (e.g., OT security in critical infrastructure)

  • You need someone on-site daily

  • Your company culture fundamentally rejects external consultants

Well suited if:

  • You have 50-500 employees

  • Security is important, but not your core business

  • You want to start quickly without recruitment effort

  • You need flexibility (sometimes more, sometimes less engagement)

  • You value objective, vendor-neutral advice

How We Work

A few words about how we approach CISO-as-a-Service at ODCUS – because not all providers work the same way.

Business-First

We don't start with a 200-point checklist but with one question: What are your business risks?

Then we look at which of these are relevant to IT security. The result: You invest where it truly counts for your business.

Pragmatic Solutions

Perfect security doesn't exist. And if it did, you couldn't afford it.

We look for the 80/20 solutions: Measures that offer maximum protection with manageable effort. No security theater projects that look good but achieve little.

Knowledge Transfer

Our goal is not to make you dependent. We build internal competence and empower your team. Ideally, you'll need us less over time – not more.

The First 90 Days: What Happens Specifically?

If you are considering whether CISO-as-a-Service is right for your company, here's a look at the typical first three months:

Figure: The first 90 days – from analysis to established security governance

Week 1-2: Understanding

  • Conversations with management, IT management, relevant stakeholders

  • Document analysis (existing policies, network diagrams, contracts)

  • Understand the company's risk profile

  • Quick assessment of the largest gaps

Week 3-4: Prioritizing

  • Business-oriented risk assessment

  • Identification of the "crown jewels" (what absolutely must not happen?)

  • First security roadmap with 30-60-90 day goals

  • Presentation to management

Month 2: Laying the Foundation

  • Implement quick wins (often: MFA everywhere, check backup concept, define emergency contacts)

  • Set up security governance framework

  • Create incident response plan

  • Initial awareness measures

Month 3: Stabilizing

  • Regular rhythm established

  • First board reporting

  • Start vendor review

  • Roadmap for the next 12 months

The Questions We Often Hear

"How quickly can you start?"

Usually within 2 weeks. No notice periods, no recruitment.

"What if there is an incident – are you reachable?"

Yes. We are immediately available for critical incidents, even outside of regular hours. It's part of the service.

"Can we adjust the engagement?"

Absolutely. More hours before an audit, fewer during quieter periods. We scale to your needs.

"How does it work with our IT team?"

We don't replace your IT team – we complement it. Your IT manager remains operationally responsible; we bring the strategic security expertise.

"Do we still need internal security resources?"

It depends. For up to about 200 employees, an IT manager plus CISO-as-a-Service is often sufficient. Beyond that, a full-time security analyst makes sense, whom we then guide.

The Next Step

If you've read this far, you're obviously engaged with the topic.

Here's our suggestion: An informal discussion. 30-45 minutes.

We listen, ask a few questions, and give you an honest assessment of whether CISO-as-a-Service makes sense for your company – or not. No sales pitch, no pressure.

Sometimes we also recommend: "Better hire someone internally." Or: "Start with a security assessment first." Whatever helps the most.

Summary

Key Points at a Glance:

  • Medium-sized businesses need security leadership, but often can't justify a full-time CISO

  • CISO-as-a-Service offers strategic security expertise at 50% of the cost

  • 1-2 days of focused expertise per week can have more impact than a full-time CISO buried in daily stress

  • The model is particularly suitable for growing companies, compliance challenges, and SMEs

  • Not every company needs an external CISO – where the need is high, an internal hire may be the better choice

The First Step: A conversation to clarify what's right for your company. No commitment, no sales talks – just an honest assessment.

Copyright © 2025 ODCUS | All rights reserved.
