Hard2bit

Governance · Board · NIS2 / DORA / ISO 27001

Internal CISO vs vCISO: when each one fits and how to combine them without overpaying

The CISO function is no longer optional for regulated organisations: NIS2 holds the management body accountable, DORA requires an independent ICT risk function, ISO 27001 expects documented governance. The question is not whether you need the role; it is how to implement it with the resources you have. Here we break down cost, profile, regulatory fit and the hybrid models that work.

Key dimensions: board access, executive authority, incident availability, regulatory evidence, continuity.

The committee that takes the decision

Simple mental rule: an internal CISO brings day-to-day presence, absorbed context and team relationship. A vCISO brings senior expertise, external perspective and predictable cost. Below 1,500 employees, vCISO is usually reasonable; above that, an internal CISO tends to make sense. In between, hybrid models are the most common answer.

Internal CISO

What it brings

  • Daily presence, absorbed context
  • Team building and security culture
  • Multi-year continuity
  • Deep relationship with all functions
  • Immediate 24×7 availability

vCISO

What it brings

  • Senior expertise without full-time cost
  • Cross-sector perspective
  • Predictable and flexible cost
  • Start in 4-6 weeks, not 4-6 months
  • Coverage from day one

Comparison table

Indicative figures for a mid-sized organisation in a regulated sector in Spain. Detail varies with sector, scope and maturity of the security team.

  • Stabilised annual cost. Internal CISO: €130-200k (all in). vCISO: €40-90k (4-8 days/month).
  • Time to onboard. Internal CISO: 4-6 months (selection + ramp-up). vCISO: 4-6 weeks.
  • Dedication. Internal CISO: full-time. vCISO: part-time, committed and predictable.
  • Equivalent experience. Internal CISO: variable depending on budget. vCISO: typically 10-20 years of CISO track record.
  • Board access. Internal CISO: yes, weekly or continuous. vCISO: yes, monthly/bi-monthly + ad hoc.
  • Incident availability. Internal CISO: immediate. vCISO: agreed SLA (hours).
  • Continuity and turnover. Internal CISO: risk of departure with no immediate replacement. vCISO: contractual continuity; provider covers absences.
  • Sector perspective. Internal CISO: deep in one sector. vCISO: transversal across several sectors.
  • NIS2/DORA fit. Internal CISO: yes, with proper documentation. vCISO: yes, if dedication and traceability are appropriate.
  • Strongest at. Internal CISO: depth and team building. vCISO: senior expertise and rapid start.

The hybrid models that work

Most regulated mid-market organisations end up with a mixed model. These three patterns cover the vast majority of real engagements.

Hybrid A

vCISO + internal lead

vCISO at the helm with part-time dedication; internal security lead (mid-level) as daily operational arm. Reasonable coverage for 50 to 800 employees with moderate budget and serious regulatory obligations.

Hybrid B

vCISO as bridge to internal

vCISO for 12-24 months while the business case is built, the ideal profile is shaped and selection runs. The vCISO takes part in interviews, defines the role and runs an orderly handover when the internal CISO joins.

Hybrid C

Internal CISO + vCISO advisor

Full-time internal CISO with an external vCISO as monthly sounding board, or for high-impact decisions (M&A, large-scope certifications, serious incidents). The internal CISO gains a second senior opinion without full-time cost.

Common mistakes in the decision

  • Confusing vCISO with an external consultant. A consultant arrives for a project and leaves; a vCISO is a permanent figure with partial presence. The difference shows up in continuity and the board relationship.
  • Assuming NIS2 or DORA require an internal CISO. They do not. They require a function with authority, knowledge and traceability. A properly scoped vCISO covers both, provided dedication and documentation are adequate.
  • Engaging a vCISO with insufficient dedication. Two days a month is not enough for a regulated organisation of 500+ employees. Dedication must match real scope, not the available budget.
  • Outsourcing and disappearing from the risk. The management body remains accountable under NIS2. The vCISO executes; the board decides and answers. If the board does not engage, the model does not work.
  • Hopping from consultant to consultant. Three different consultants in 18 months generate more cost and less outcome than a vCISO with a stable relationship. Continuity drives value, not hours.
  • Expecting an internal junior to cover the function. The CISO function demands seniority. An internal junior can be a great security lead but cannot bring what a CISO with 15 years of track record brings to the board.

Frequently asked questions

What exactly is a vCISO?

A vCISO (virtual CISO) is a senior professional who takes on CISO duties in an organisation that does not need or cannot afford a full-time internal CISO. They work part-time (typically 2-8 days per month), bring experience equivalent to a CISO with 10-20 years of track record, and maintain continuity with the board, security operations and regulators. They are not a consultant who comes and goes: they are a permanent figure with partial presence.

How much does an internal CISO cost, and a vCISO?

An internal CISO with relevant experience for a regulated sector starts at €90-140k gross salary in Spain, before variable pay, benefits and social charges. Total employed cost typically sits at €130-200k per year. A vCISO at 4-8 days per month sits around €40-90k per year, with no social charges or benefits. The economic gap is real, but the models are not directly comparable: they cover different levels of dedication.

For what size of organisation does a vCISO make sense?

The sweet spot sits between 50 and 1,500 employees, especially in regulated sectors (financial, healthcare, public sector, critical industry, B2B SaaS). Smaller organisations usually rely on point consulting; larger ones typically justify an internal CISO by operational volume. vCISO also fits as a bridge: growing organisations that do not yet have the mass for an internal CISO but already carry regulatory obligations.

Do NIS2 or DORA require an internal CISO?

Neither framework demands a specific named role. NIS2 (article 20) holds the management body accountable and requires people with the capacity and knowledge to meet the obligations. DORA (articles 5-6) requires an ICT risk management function with independence and competence. A vCISO with appropriate dedication and documented traceability covers both requirements. What they do demand is that the role has board access, decision authority and real availability during incidents.

What is the main risk of a vCISO instead of an internal CISO?

The main risk is the lack of day-to-day presence. An internal CISO absorbs context, corridor conversations and internal dynamics that a vCISO does not see. The most resilient way to mitigate that is a hybrid model: vCISO at the helm, with an internal manager or lead (junior or mid-level) as the operational arm. The vCISO brings seniority, governance and board relationship; the internal lead guarantees daily presence and execution.

What gets delivered and how is a vCISO measured?

A sensible service agreement includes: a 12-18 month roadmap with quarterly milestones, attendance at board meetings monthly or bi-monthly, documented governance (policies, risk maps, audit plan), incident availability with an SLA, and quantitative progress reporting. The measure is not 'vCISO hours' but outcome delivery: certifications closed, risks remediated, regulatory evidence produced.

When should an organisation migrate from vCISO to internal CISO?

Three signals: when the organisation crosses 1,500-2,000 employees, when the security area exceeds 10-12 headcount, or when an operation appears that demands sustained daily presence (active M&A, deep cloud transformation, regulated international expansion). A well-negotiated vCISO engagement helps the transition: the vCISO prepares the profile, takes part in the selection and runs an orderly handover.

How does a vCISO engagement start at Hard2bit?

We begin with a diagnostic session (1-2 days) covering current maturity, regulatory obligations, board priorities and technical dependencies. From that comes an initial roadmap and a realistic dedication agreement. After the first 90 days we hold a checkpoint with the board to validate focus and adjust what is needed. The service renews on annual commitments with clear exit clauses.

Do you need the CISO function without the full cost?

In 30 minutes we review your organisation's size, the regulatory obligations that apply and the state of your security team, then propose a sensible dedication: pure vCISO, hybrid model or preparation for an internal CISO. We do not sell what does not fit.