2026-10-12 · Ibida Black Level S.L.

vCISO vs internal CISO: when each model actually fits

An honest comparison of the virtual CISO and the in-house CISO for mid-market European companies. Decision criteria, not a sales pitch.


The virtual CISO model is going to be over-sold for the next eighteen months. The reason is straightforward: it is the easiest service for a boutique cybersecurity firm to package and the most defensible answer to a mid-market company that knows it needs cybersecurity leadership but cannot justify a full-time senior hire. We offer the service ourselves. We also turn it down when the company in front of us would be better served by hiring an internal CISO. This article is about the criteria we use to decide.

We will not address the largest enterprises (more than 1,500 employees, multiple jurisdictions, dedicated security functions across many domains). At that scale the question is not vCISO vs internal CISO; it is CISO plus deputy CISO plus head of security operations plus head of GRC, and a vCISO does not fit the conversation. We will address the realistic mid-market European company: 80 to 800 employees, one to three jurisdictions, and a security team that today is between zero and four people.

What both roles actually do (and what neither does)

Before comparing, it helps to be precise about what a CISO function is for. In a mid-market context, the function covers, at minimum:

What a CISO is not, in a mid-market context, is the engineer who configures the SIEM, the analyst who triages the alerts, the consultant who runs the pentest, or the lawyer who reviews the data processing agreement. The role is leadership; the work is delegated.

Whether the leadership is virtual or internal, the function is the same. The question is which delivery model fits which company.

When a vCISO is the right answer

A vCISO works when three conditions hold simultaneously.

Condition 1 · The cybersecurity programme is in build mode, not run mode

A vCISO is an excellent fit when the company is setting up its cybersecurity programme for the first time, or when an existing programme has drifted and needs structural rework. The work is heavy on design, on framework selection, on policy writing, on governance setup, on the first round of risk assessment. These activities benefit from external perspective and from someone who has seen the same patterns in 30 other companies.

A vCISO is a poor fit when the programme is in steady-state run mode and the dominant work is operational continuity, incident handling, and small incremental improvements. An external leader who has to rebuild company context on every visit, every two weeks or so, loses effectiveness to that friction.

Condition 2 · The company can absorb a fractional presence

A vCISO is typically engaged for 1 to 5 days per month, sometimes with peaks during incident response or audits. This requires that:

Companies where the executive team requires daily face time, or where every cybersecurity decision needs the leader in the room, are not vCISO companies. They are internal CISO companies that should be told so.

Condition 3 · The economics genuinely favour fractional engagement

A fully loaded internal mid-market CISO (salary, social contributions, equipment, training budget) is a meaningful fixed cost on the company's P&L. A vCISO engagement at 3 days per month is, at typical mid-market boutique rates, a fraction of that fixed cost; how large a fraction depends on the engagement scope. We do not publish numbers in this article because the realistic ratio genuinely depends on location, seniority bracket, and engagement intensity. The honest test is whether the scope the vCISO is asked to cover is the same scope an internal CISO would cover; if it is, and that scope genuinely fits in the contracted days, the fractional engagement comes out clearly ahead on cost.

If the work genuinely fits in 3 to 5 days per month, the economics favour vCISO. If the work has been compressed into 3 days per month because the budget did not stretch further, the company is paying for a leader and getting a part-time consultant. That is the worst of both worlds.

When an internal CISO is the right answer

The mirror image of the above. An internal CISO is the right answer when one or more of the following hold:

Reason 1 · The regulatory load justifies daily presence

NIS2 essential entities in sectors with continuous regulatory engagement (energy, healthcare, financial infrastructure) tend to need a leader who is in the room every day. The notification clock (under NIS2 Article 23, an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month), the supervisory dialogues, and the sector-specific obligations do not fit a 3-days-per-month cadence comfortably.

Reason 2 · The company is on an M&A path

A company that is being prepared for acquisition or that is acquiring others needs a CISO who can sit through due diligence, integration planning, and post-acquisition consolidation. Those activities are calendar-intensive and demand continuity. A vCISO can support the work, but the named leader of the function during a transaction should be internal.

Reason 3 · The cybersecurity programme is already mature

If the company has a well-documented programme, a stable team of 3 to 8 people, and the work is dominated by continuous improvement and operational excellence, an internal CISO leading and growing the team is a better investment than an external leader rotating in fractionally.

Reason 4 · The culture rewards visible accountability

In some company cultures, the cybersecurity leader needs to be present in every product launch meeting, every client onboarding, every architecture review. That is not bad culture; it is a specific operating model. A vCISO will not match it.

When neither is the answer

We have, on a small number of occasions, advised companies that they did not need a CISO yet. The criteria for "not yet" are narrow: the company is small enough (under 50 employees), the regulatory exposure is genuinely low, the data sensitivity is genuinely low, and there is a senior IT leader who can carry the cybersecurity function as part of their role with external advisory on specific topics.

This is the honest conversation that some boutique firms will not have, because every engagement they decline is revenue they lose. We decline the engagement when that is the right answer. It does happen.

The hybrid model and why it usually fails

A pattern we see often is the hybrid: an internal cybersecurity leader of mid-seniority, plus a senior vCISO on retainer for strategy and board interface. On paper this combines the best of both. In practice, it works only when two conditions hold, and fails in most of the cases where they do not.

It works when the roles are crisply separated (the internal lead owns operations and incident response, the vCISO owns strategy and board interface) and when there is mutual respect and clear escalation rules.

It fails when the boundary is fuzzy, when the internal lead resents the vCISO's authority over board access, or when the board cannot tell who is responsible for a given decision. We have seen this fail expensively in three engagements we walked into as the replacement.

A decision framework in one page

| Question | If yes, lean vCISO | If yes, lean internal CISO |
|---|---|---|
| Programme is in build or restructuring mode | Yes | |
| Programme is in steady-state run mode | | Yes |
| 3-5 days per month genuinely fits the work | Yes | |
| Work requires daily presence | | Yes |
| Sector has continuous regulatory dialogue | | Yes |
| Sector is moderate-regulation B2B | Yes | |
| Company is on an M&A path | | Yes |
| Company has a stable security team of 3+ | | Yes |
| Company has a 0-1 person security team | Yes | |
| Budget genuinely supports fractional engagement | Yes | |
| Budget was compressed to fit fractional pricing | | Yes |
| Board culture accepts non-resident leader | Yes | |
| Board culture demands resident leader | | Yes |

If your tally pulls strongly to one side, the decision is made. If it splits, the conversation is more nuanced and probably requires an external perspective from someone with no commercial interest in the answer.

> "We have lost vCISO engagements to companies that hired an internal CISO after our diagnostic conversation. We do not consider those losses. We consider them well-placed engagements." — IBL internal review, 2026

What we do at IBL

We offer vCISO engagements at three intensities: 1 day per month (light governance only), 3 days per month (typical mid-market scope), and 5 days per month (with peak weeks during audits and incidents). We turn down engagements where we believe an internal CISO is the right answer; in those cases, we can help with the search and the role definition for a one-off fee.

If you want a conversation about whether a vCISO fits your company, write to us. We answer within one business day.

---

Ibida Black Level S.L. is a boutique cybersecurity advisory firm headquartered in Málaga, Spain, with an operational team in Romania. We focus on mid-market European companies that prefer technical honesty to vendor packaging. We were founded in 2026; we do not invent a longer history.


Tags: vciso, leadership, mid-market, decision-framework, cybersecurity-management, governance