THREAT BRIEFING · 15.07.2026 DEENFRES

Strategy & Governance

Part-Time CISO: What Can Be Outsourced and What Must Stay In-House

By Benedikt Langer · June 24, 2026 · 12 min read

The mechanical engineering company with 120 employees does not need a full-time CISO position. What it needs since the new BSIG is someone who prepares the risk measures, documents them, and supplies the executive management with decision templates. An external part-time CISO for two days a month sounds like the pragmatic solution. Many offerings gloss over the crucial point: The service provider may perform the security work. The organizational responsibility of the executive management nevertheless remains in-house.

Key Takeaways

  • The specialist work is delegable: A vCISO can handle strategy, ISMS setup, risk analysis, audit preparation, and reporting. As a market term, the role is not defined in law.
  • The organizational duty is not delegable: Section 38 BSIG obligates the executive management of particularly important and important entities to implement the risk measures and monitor their implementation. The leadership’s own training also remains with the management.
  • Wording matters: The German law speaks of implement and monitor. The term “approve” used in many commentaries originates from Article 20 of the NIS2 Directive. Anyone who conflates the two cites the wrong provision in an audit.
  • The model fails at the interface: Without an internal anchor, clear escalation, and an offboarding plan, external expertise creates a governance gap that becomes visible in an audit.

Related:Which Decision Rights of the CISO Must Be Regulated in Writing  /  Why the ISO Certificate Alone Is Not Enough for the BSI

What a vCISO Delivers and What the Market Term Does Not Regulate

What is a vCISO? A vCISO or CISO-as-a-Service is the external staffing of the CISO function by a service provider, usually on a monthly retainer or daily rate rather than as a permanent employee. It assumes the strategic management of information security at the executive level without becoming part of the executive management.

In practice, the mandate covers a clear set of tasks. The vCISO establishes or further develops the information security management system, writes policies, conducts risk analyses, and prepares for internal and external audits. This also includes awareness concepts, incident playbooks, and regular reporting to the executive management. As a rough guide without a fixed standard, the scope ranges from half to a few person-days per month, billed as a flat fee or on an as-needed basis. There are no fixed market prices; provider figures vary widely.

The conceptual distinction is important. The external information security officer operates the ISMS operationally; the vCISO steers strategically at the executive level. In smaller organizations the lines blur because one person wears both hats. For governance, the title does not matter-what counts is the task profile and the question of who ultimately answers to the supervisory authority.

Section 38 BSIG: What the Executive Management Cannot Buy

The new BSIG has been in force since December 6, 2025, and replaced the previous version from 2009. For the role question, Section 38 is the key lever. It obligates the executive managements of particularly important and important entities to implement the risk management measures to be taken pursuant to Section 30 and to monitor their implementation. Section 30 lists the ten minimum measures for this purpose, ranging from risk analysis to cryptography and supply chain security.

At this point, a close look at the wording is worthwhile. The German law speaks of implement and monitor. The term “approve,” used in many commentaries, originates from Article 20 of the NIS2 Directive and corresponds to the English “approve.” The legislator has therefore deliberately formulated more strongly than the EU standard. Implement means more than consent: The management must ensure that the measures are effectively introduced and operated with resources and anchoring. It keeps their effectiveness under continuous review. An external service provider can prepare this. The responsibility for it lies with the executive management.

Two further paragraphs make the limits of delegation clear. Section 38 (2) links a culpable breach of duty to the liability of the members of the executive management toward their own entity, in accordance with the rules of the applicable corporate law. And paragraph (3) requires that the members of the management regularly participate personally in training courses to be able to identify and assess cyber risks. An external party may conduct the training, but participation by the governing bodies remains mandatory. A vCISO may provide training; however, he cannot substitute for the participation of the organs. Anyone who believes that compliance has been outsourced with the retainer has missed the core of the provision.

Role Allocation: Externally Operational, Internally Responsible

The clean split follows a simple line. Everything that is specialist work can move outward. Everything that concerns decision-making, resource allocation, and proof of monitoring stays inside. The following overview assigns the typical tasks.

Task Delegable externally? Remains internal Rationale
Risk Analysis and Catalog of Measures Yes, creation and maintenance Exec. mgmt: Evaluation, implementation decision, monitoring evidence Implementation and monitoring pursuant to Section 38 rest with the management
ISMS, Policies, Documentation Yes, conception and templates Exec. mgmt: Anchoring, enforcement Paper without internal enforcement does not pass an audit
Management Reporting Partially, report creation Exec. mgmt: Review, corrective action Monitoring is a management duty and must be demonstrable
Initial Incident Response (operational) Yes, contractually deliverable as an IR service Internal: Decision, escalation Operational response is delegable; decision-making authority remains in-house
Notification in Case of a Significant Incident Partially, submission supportable Entity and exec. mgmt: Obligation and approval The reporting obligation under Section 32 applies to the entity, not the consultant
Budget and Investments No Exec. mgmt Resources and risk acceptance are executive management responsibilities
Training of the Executive Management No, only conduct Exec. mgmt personally Section 38 assigns the training of the management personally

A point from organizational theory belongs here. The security function should not be housed in the IT department, because otherwise the same unit builds and controls. The BSI specifically identifies this delegation into the IT department as an anti-pattern and holds the executive management responsible. An independent security function is therefore best practice, not a legally prescribed reporting line. A vCISO who reports directly to the executive management fits this logic. A vCISO who is dumped on the IT manager merely reproduces the role conflict with external personnel.

Where the Model Breaks in Audits and in Real Incidents

The weaknesses of a vCISO model rarely lie in technical expertise. They lie at the interfaces. Five typical breaking points recur.

No internal standing. If no internal contact person with authority is designated, no one on site can make decisions in the event of an incident. The external expert is stuck on the phone while an incident is already running in the system.

Availability at the limit. A retainer covering eight hours on five days does not cover an incident at 10 p.m. The reporting obligation under Section 32 requires an initial notification without undue delay, at the latest within 24 hours after becoming aware of a significant incident, once the joint reporting channel is operational. This clock runs for the entity, not for the service provider.

Conflict of interest. The same provider acts as vCISO and at the same time sells penetration tests, audits, or implementation projects. Advice and evaluation then lie in one hand. An independent review or a clean separation of roles resolves this.

Monitoring gap despite expertise. The vCISO escalates a risk, the executive management does not respond, no one documents the decision. In the audit, the gap appears at the management level even though everything was provided from a technical standpoint.

Loss of knowledge at contract end. When the mandate ends, ISMS documentation, risk register, and decision logs are often missing. The successor or the next auditor sees a void where steering had just been in place.

For Which Companies the Part-Time CISO Fits

The model is not a universal tool. It fits very well in certain constellations and poorly in others. The following comparison aids an honest self-assessment.

Fits rather when Fits less well when
50 to 500 employees, low to medium security maturity 24/7 incident responsibility without an internal team
ISMS setup or audit pressure, but no full-time need High confidentiality or OT production without an internal anchor
Transition phase until an internal role is filled Complex group structure with management reporting and subsidiaries
Executive management with time budget for reviews and their own training Expectation of outsourcing compliance entirely without internal effort

In regulated industries with their own supervisory expectations, the combination of vCISO and an internal security officer is usually more sustainable than an external mandate alone. One provides the steering, the other keeps the knowledge and responsiveness in-house.

Getting Started: How to Integrate a vCISO Cleanly

A viable model is created in a few clear steps. First: define the mandate in writing, including tasks, person-days per month, response times, and the explicit note that no representation of the executive management is transferred. Second: place the reporting line directly to the executive management rather than to IT management. Third: designate an internal anchor for day-to-day operations and initial incident response. Fourth: establish an escalation and reporting matrix with the deadlines from Section 32, in which the executive management is listed as the decision-maker. Fifth: conduct a quarterly review with minutes that records the status of measures, open risks, and budget requirements.

Two things need to be planned separately. The training of the executive management pursuant to Section 38 runs independently of the retainer so that the organizational duty is visibly fulfilled. And the offboarding plan with handover of documentation, risk register, and access credentials is best included in the contract already before it is needed. A good vCISO makes the executive management capable of acting. He does not make them free of liability. Anyone who clarifies this at contract conclusion saves themselves the expensive realization in the audit that external expertise does not replace internal responsibility.

Frequently Asked Questions

Each question is closed. A tap unlocks the answer.

Can I as a managing director completely delegate my NIS2 obligations to an external vCISO?

No. Section 38 BSIG obligates the executive management to implement the risk measures, monitor their implementation, and regularly participate personally in training. A vCISO can prepare and steer this work. The organizational ultimate responsibility remains with the management. This does not replace legal advice in individual cases; the interpretation depends on the legal form and organization.

Do I need a vCISO or is an external security officer sufficient?

An information security officer fits when what is primarily missing is the operational operation of the ISMS. A vCISO fits when strategic connection to the executive management and governance are missing. Many Mittelstand companies start with an officer and add a vCISO once audit and management pressure increases.

Is the external vCISO personally liable under Section 38 BSIG?

Section 38 addresses the members of the executive management. The vCISO is liable contractually under his service contract, not as a substitute governing body. Only in the case of an explicit and effective assumption of management functions does this shift, which is uncommon in practice.

What does a vCISO cost for the Mittelstand?

There are no binding standard values. Providers bill as a monthly flat fee or on a daily rate; the ranges differ significantly depending on scope and maturity level. It makes sense to compare several offers on the basis of the agreed task catalog rather than a flat market price.

Editor’s Recommended Reading

Editor’s Picks

Editor’s PickWhich CISO Decision Rights Must Be Set Out in WritingEditor’s PickNIS2 after the deadline: Now the BSI supervision beginsEditor’s PickNIS2 for Mid-Sized Firms: Achievable Steps, Avoidable Mistakes

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Further reading

News · July 2, 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

A magazine by Evernine Media GmbH