
Yannick H.
Too Long; Didn't Read
Many Swiss SMEs have competent IT teams, but no security leadership. This becomes apparent when a major customer requests proof of security, the insurer requires an ISMS, or an incident occurs. A fractional CISO closes this gap without the cost of a full-time position. If you're not sure whether you have this problem, this article includes a simple screening question.

Imagine this.
A Swiss company, 100 employees. IT team of three people. Infrastructure runs stably, backups exist, the MSP monitors the network. Everyone is good at their job.
Then comes a potential major client from the financial sector. Due diligence questionnaire. Question 14: "Please name your security officer and the current version of your Information Security Policy."
Silence.
Not because the company is negligent. But because no one has that role.
What distinguishes IT operations and security leadership
Both are necessary. But they are different functions.
IT operations keeps systems running: patches, backups, helpdesk, cloud infrastructure, monitoring. IT teams handle this daily, and most do it well.
Security leadership asks different questions: What are our biggest risks? How do we explain our security posture to the board of directors? What happens in an incident? What compliance requirements do we have, and are we prepared for them?
These are not technical questions. They are strategic. And they come up in meetings IT teams rarely have on their calendar: board of directors, procurement committee, conversations with the cyber insurer, external audits.
In our experience, this is what happens: IT answers these questions to the best of its knowledge, but without the mandate to set priorities. The company has a security posture, but no security strategy.
This is the security leadership gap.
Three situations where the gap becomes visible
Compliance requests from customers or partners
Enterprise customers, especially in finance and healthcare, increasingly demand evidence. A documented ISMS. An up-to-date risk assessment. Sometimes a pentest report. Sometimes a questionnaire with 120 questions.
Who answers that for you?
If the answer is "someone in IT who has time right now," it costs you either the deal or several weeks of unplanned work. We've seen both.
The insurance renewal
Cyber insurers ask different questions now than three years ago. Documented ISMS, responsibilities for security matters, tested backup processes, an incident response plan.
If you can't answer these questions, you either get no contract or a significantly higher premium. Sometimes both.
The incident
Everyone hopes to avoid it. But if it happens: Who decides which systems should be shut down? Who communicates with management? Who coordinates with the MSP, the insurer, external forensic specialists?
Without clear security leadership, an incident becomes improvised crisis management. The result is more expensive and more chaotic than necessary.
What a Fractional CISO changes concretely
A Fractional CISO is not a full-time role. Typically, it is one to two days per week. That is enough to:
conduct a documented risk assessment
build a pragmatic ISMS that is actually lived in the company
make security topics understandable to management
answer compliance questionnaires in a structured and reliable way
serve as the coordination point in an incident
support investment decisions in security tools
The IT team continues doing what it does well. The Fractional CISO complements the function that was missing.
What we regularly observe: the IT team is relieved. They can focus on their actual job instead of answering questions they were not tasked with.
For whom it makes sense, and for whom it doesn't
Not every company needs this.
Under 30 employees, hardly any regulatory requirements, no enterprise customers with their own security requirements: often an MSP with a security focus is enough.
If, on the other hand, you work in a regulated environment, process customer data, are reviewed by large clients, or are entering a growth phase that requires more governance: then security leadership is no longer an optional add-on.
The litmus test is simple: Is there someone in your company who can answer the question "What is our current security strategy?" without hesitating?
If the answer is hesitant, you know where you stand.
To the point
IT operations keeps systems running. Security leadership ensures that security has a strategy, responsibilities are clear, and the company remains able to act in an emergency.
For most Swiss SMEs between 50 and 300 employees, this is the missing building block. And it is cheaper than most people think.
If you'd like to assess whether a Fractional CISO is the right fit for you, we'd be happy to talk.