Yannick H.
Too Long; Didn't Read
Medium-sized companies face a dilemma: They need professional security leadership but cannot justify a full-time CISO with an annual salary of CHF 250'000+. CISO-as-a-Service solves exactly this problem – you get senior expertise at 30-50% of the cost, without recruitment stress and with immediate availability. In this article, we show you how the model works in practice and when it makes sense for your company.

The CISO Dilemma in Mid-Sized Businesses
Do you know this situation? Your CFO asks about the security budget, the board wants to know how protected you are against ransomware, and your IT manager is juggling day-to-day operations and "somehow security too".
Welcome to the club.
We see this at almost every mid-sized company we advise. The challenge is real: you need someone who thinks about cybersecurity strategically, can communicate with the board, and prioritizes your security investments. But a full-time CISO?
The salary alone is CHF 200'000 to 300'000. Plus benefits. Plus recruitment, which takes 4-6 months. Plus the risk that the person leaves again after two years.
For a company with 150 employees, that is... hard to justify.
(And honestly: many full-time CISOs get bored in mid-sized companies. The exciting projects are missing, the budgets are limited, and after a year the foundational work is done.)

Figure: The CISO dilemma – high demand for security expertise with limited resources
What CISO-as-a-Service really means
Let’s clear up a misconception: CISO-as-a-Service is not "someone who drops by occasionally and gives advice".
It is strategic security leadership on demand.
That means concretely:
Strategic level:
Development of a security strategy that fits your business
Annual security roadmap with clear priorities
Budget planning and ROI justification for security investments
Risk-based decisions instead of feature checklists
Governance level:
Security policies that people actually read (and follow)
Clear responsibilities for security within the company
Incident response processes before the emergency happens
Vendor management for security providers
Communication level:
Board presentations in business language (not tech jargon)
Quarterly updates with understandable risk metrics
Translation between the IT team and executive management
Crisis communication during incidents
Operational support:
Review of security projects and architecture decisions
Support during audits (ISO 27001, FINMA, NIS2)
Incident response leadership in an emergency
Vendor evaluations and contract negotiations
What does this look like in practice?
Forget the image of the consultant who shows up once a month and delivers PowerPoints.
A typical CISO-as-a-Service engagement with us looks like this:
Weekly rhythm
One to two days per week – that is the sweet spot for most mid-sized businesses.
That sounds like little, but think about it: a full-time CISO may spend only 20% of their time on strategic tasks. The rest goes to meetings, admin, and day-to-day operations.
With focused expertise each week, you get more strategic output than with a full-time CISO who gets lost in the daily grind.
Typical activities could include:
Call with IT leadership – current topics, open questions, weekly prioritization
Deep dive into a focus topic – for example, review of the backup concept, preparation of the executive presentation, or assessment of a new security solution
As needed: immediate availability for critical questions or incidents
Monthly rhythm
One strategy meeting (90 minutes) to review the roadmap
Security dashboard update for executive management
Review of ongoing security projects
Quarterly rhythm
Executive management presentation on the security status
Risk assessment update
Budget review and planning for the next quarter
When does CISO-as-a-Service make sense?
Not every company needs an external CISO. Here are the scenarios where this model delivers the most value:
Scenario 1: "We are growing fast and security is not keeping up"
In three years, you have scaled from 50 to 200 employees. IT has grown, but security has always been "we’ll do that later".
Now the first enterprise customers are sending security questionnaires. Your IT manager cannot handle that on the side. But a full-time CISO is still overkill.
CISO-as-a-Service helps here because: You quickly build a basic structure that grows with the company. We establish the fundamentals, develop a roadmap, and scale the engagement as you become larger.
Scenario 2: "Regulation is forcing us to act"
NIS2. ISO 27001. FINMA circulars. Data protection revision.
Suddenly you need someone who understands what all of this means for you – and what it does not. Someone who can speak with auditors on equal footing.
CISO-as-a-Service helps here because: You cannot wait 6 months for a new CISO when the compliance deadline is in 9 months. We know the requirements and know what is actually being checked.
Scenario 3: "We had an incident and do not want to go through that again"
After a ransomware attack or data leak, security suddenly becomes a top management issue. The executive team wants security – but what exactly?
CISO-as-a-Service helps here because: We bring incident experience and know which measures truly provide protection. No knee-jerk reaction, but structured improvement.
Scenario 4: "We are a PE portfolio company and need to deliver"
Private equity expects security governance, clear risk reporting, and exit readiness. This is not a nice-to-have, but part of value creation.
CISO-as-a-Service helps here because: We speak the PE language and know what due diligence teams want to see. Security maturity increases the exit multiple.
What you can realistically expect
Within 3 months:
Clear security strategy documented
Risk register with business impact assessment
First quick wins implemented (usually Identity & Access Management)
Board understands security risks in business language
Within 6 months:
Security governance established (policies, responsibilities)
Incident response plan tested
Vendor landscape optimized (often 20-30% cost savings)
Employees made aware (not just through boring e-learning modules)
Within 12 months:
Security incidents reduced by 40-60%
Audit findings reduced by 50%+
Security budget used more efficiently (25-35% more impact per franc)
Company ready for certifications or M&A reviews
The cost reality
Let’s talk about money. Transparently.
Full-time CISO (internal employee):
Salary: CHF 220'000-280'000
Additional costs (benefits, infrastructure): ~30%
Recruitment: CHF 40'000-60'000 (headhunter)
Onboarding: 3-6 months to full productivity
Total Year 1: CHF 350'000-400'000
CISO-as-a-Service (1-2 days/week):
Monthly flat fee: CHF 8'000-10'000
No recruitment costs
Productive from day 1
Scalable as needed
Total Year 1: CHF 96'000-120'000
That is more than 50% less than an internal CISO. And you can get started immediately.
(Of course, this calculation only works if 4 hours per week are enough. For companies with 500+ employees or in heavily regulated industries, an internal CISO may be the better choice.)
When CISO-as-a-Service is NOT a fit
We are honest: this model is not suitable for every company.
Not suitable if:
You need security leadership for more than 2-3 days per week (then full-time is better)
Your security requirements are highly specialized (e.g. OT security in critical infrastructure)
You need someone who is on-site every day
Your company culture fundamentally rejects external consultants
Well suited if:
You have 50-500 employees
Security is important, but not your core business
You want to start quickly without recruitment effort
You need flexibility (sometimes more, sometimes less engagement)
You value objective, vendor-neutral advice
How we work
A few words about how we approach CISO-as-a-Service at ODCUS – because not all providers work the same way.
Business-first
We do not start with a 200-point checklist, but with a question: what are your business risks?
Then we look at which of those are relevant to IT security. The result: you invest where it truly matters for your business.
Pragmatic solutions
Perfect security does not exist. And if it did, you could not afford it.
We look for 80/20 solutions: measures that provide maximum protection with manageable effort. No security theater projects that look good but deliver little.
Knowledge transfer
Our goal is not to make you dependent on us. We build internal capability and empower your team. Ideally, you will need us less over time – not more.
The first 90 days: what happens concretely?
If you are considering whether CISO-as-a-Service fits your company, here is a look at the typical first three months:

Figure: The first 90 days – from analysis to established security governance
Week 1-2: Understanding
Discussions with executive management, IT leadership, relevant stakeholders
Document analysis (existing policies, network diagrams, contracts)
Understand the company’s risk profile
Quick assessment of the biggest gaps
Week 3-4: Prioritizing
Business-oriented risk assessment
Identification of the "crown jewels" (what must absolutely not happen?)
First security roadmap with 30-60-90-day goals
Presentation to executive management
Month 2: Laying the foundation
Implement quick wins (often: MFA everywhere, review the backup concept, define emergency contacts)
Set up a security governance framework
Create an incident response plan
First awareness measures
Month 3: Stabilizing
Regular rhythm established
First board reporting
Vendor review started
Roadmap for the next 12 months
The questions we often hear
"How quickly can you start?"
Usually within 2 weeks. No notice periods, no recruitment.
"What if there is an incident – will you be reachable?"
Yes. For critical incidents, we are immediately available, even outside regular hours. That is part of the service.
"Can we adjust the engagement?"
Absolutely. More hours before an audit, fewer during quieter phases. We scale with your needs.
"How does this work with our IT team?"
We do not replace your IT team – we complement it. Your IT manager remains operationally responsible; we bring the strategic security expertise.
"Do we still need internal security resources?"
It depends. Up to around 200 employees, an IT manager plus CISO-as-a-Service is often enough. Beyond that, an internal security analyst whom we guide makes sense.
The next step
If you have read this far, the topic is clearly relevant to you.
Here is what we suggest: a no-obligation conversation. 30-45 minutes.
We listen, ask a few questions, and give you an honest assessment of whether CISO-as-a-Service makes sense for your company – or not. No sales pitch, no pressure.
Sometimes we also recommend: "It is better to hire someone internally." Or: "Start with a security assessment first." Whatever helps most.
Summary
The key takeaways at a glance:
Mid-sized companies need security leadership, but often cannot justify a full-time CISO
CISO-as-a-Service provides strategic security expertise at 50% of the cost
1-2 days of focused expertise per week can have more impact than a full-time CISO lost in the daily grind
The model is especially well suited to fast-growing companies, companies facing compliance challenges, and SMEs
Not every company needs an external CISO – when the demand for security leadership is high, an internal hire is better
The first step: A conversation that clarifies what is right for your company. No commitment, no sales talks – just an honest assessment.