{"id":20908,"date":"2026-06-24T11:00:00","date_gmt":"2026-06-24T11:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=20908"},"modified":"2026-07-09T16:14:54","modified_gmt":"2026-07-09T16:14:54","slug":"part-time-ciso-what-can-be-outsourced-and-what-must-remain-in-house","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/06\/24\/part-time-ciso-what-can-be-outsourced-and-what-must-remain-in-house\/","title":{"rendered":"Part-Time CISO: What Can Be Outsourced and What Must Stay In-House"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">6 Min. Read<\/p>\n<p><strong>The mechanical engineering company with 120 employees does not need a full-time CISO position. What it needs since the new BSIG is someone who prepares the risk measures, documents them, and supplies the executive management with decision templates. An external part-time CISO for two days a month sounds like the pragmatic solution. Many offerings gloss over the crucial point: The service provider may perform the security work. The organizational responsibility of the executive management nevertheless remains in-house.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li><strong style=\"color:#69d8ed;\">The specialist work is delegable:<\/strong> A vCISO can handle strategy, ISMS setup, risk analysis, audit preparation, and reporting. As a market term, the role is not defined in law.<\/li>\n<li><strong style=\"color:#69d8ed;\">The organizational duty is not delegable:<\/strong> Section 38 BSIG obligates the executive management of particularly important and important entities to implement the risk measures and monitor their implementation. The leadership\u2019s own training also remains with the management.<\/li>\n<li><strong style=\"color:#69d8ed;\">Wording matters:<\/strong> The German law speaks of implement and monitor. The term \u201capprove\u201d used in many commentaries originates from Article 20 of the NIS2 Directive. Anyone who conflates the two cites the wrong provision in an audit.<\/li>\n<li><strong style=\"color:#69d8ed;\">The model fails at the interface:<\/strong> Without an internal anchor, clear escalation, and an offboarding plan, external expertise creates a governance gap that becomes visible in an audit.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#b8c5ce;margin:20px 0 32px 0;border-top:1px solid rgba(230,227,218,0.12);border-bottom:1px solid rgba(230,227,218,0.12);padding:10px 0;\"><span style=\"color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\" style=\"color:#333;text-decoration:underline;\">Which Decision Rights of the CISO Must Be Regulated in Writing<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/19\/why-the-iso-certificate-alone-is-not-enough-for-the-bsi\/\" style=\"color:#333;text-decoration:underline;\">Why the ISO Certificate Alone Is Not Enough for the BSI<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What a vCISO Delivers and What the Market Term Does Not Regulate<\/h2>\n<p><strong>What is a vCISO?<\/strong> A vCISO or CISO-as-a-Service is the external staffing of the CISO function by a service provider, usually on a monthly retainer or daily rate rather than as a permanent employee. It assumes the strategic management of information security at the executive level without becoming part of the executive management.<\/p>\n<p>In practice, the mandate covers a clear set of tasks. The vCISO establishes or further develops the information security management system, writes policies, conducts risk analyses, and prepares for internal and external audits. This also includes awareness concepts, incident playbooks, and regular reporting to the executive management. As a rough guide without a fixed standard, the scope ranges from half to a few person-days per month, billed as a flat fee or on an as-needed basis. There are no fixed market prices; provider figures vary widely.<\/p>\n<p>The conceptual distinction is important. The external information security officer operates the ISMS operationally; the vCISO steers strategically at the executive level. In smaller organizations the lines blur because one person wears both hats. For governance, the title does not matter-what counts is the task profile and the question of who ultimately answers to the supervisory authority.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Section 38 BSIG: What the Executive Management Cannot Buy<\/h2>\n<p>The new BSIG has been in force since December 6, 2025, and replaced the previous version from 2009. For the role question, Section 38 is the key lever. It obligates the executive managements of particularly important and important entities to implement the risk management measures to be taken pursuant to Section 30 and to monitor their implementation. Section 30 lists the ten minimum measures for this purpose, ranging from risk analysis to cryptography and supply chain security.<\/p>\n<p>At this point, a close look at the wording is worthwhile. The German law speaks of implement and monitor. The term \u201capprove,\u201d used in many commentaries, originates from Article 20 of the NIS2 Directive and corresponds to the English \u201capprove.\u201d The legislator has therefore deliberately formulated more strongly than the EU standard. Implement means more than consent: The management must ensure that the measures are effectively introduced and operated with resources and anchoring. It keeps their effectiveness under continuous review. An external service provider can prepare this. The responsibility for it lies with the executive management.<\/p>\n<p>Two further paragraphs make the limits of delegation clear. Section 38 (2) links a culpable breach of duty to the liability of the members of the executive management toward their own entity, in accordance with the rules of the applicable corporate law. And paragraph (3) requires that the members of the management regularly participate personally in training courses to be able to identify and assess cyber risks. An external party may conduct the training, but participation by the governing bodies remains mandatory. A vCISO may provide training; however, he cannot substitute for the participation of the organs. Anyone who believes that compliance has been outsourced with the retainer has missed the core of the provision.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Role Allocation: Externally Operational, Internally Responsible<\/h2>\n<p>The clean split follows a simple line. Everything that is specialist work can move outward. Everything that concerns decision-making, resource allocation, and proof of monitoring stays inside. The following overview assigns the typical tasks.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:600px;border-collapse:collapse;margin:0;font-size:0.95em;\">\n<thead>\n<tr style=\"border-bottom:2px solid #69d8ed;\">\n<th style=\"text-align:left;padding:10px 12px;\">Task<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Delegable externally?<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Remains internal<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Rationale<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Risk Analysis and Catalog of Measures<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Yes, creation and maintenance<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Exec. mgmt: Evaluation, implementation decision, monitoring evidence<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Implementation and monitoring pursuant to Section 38 rest with the management<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>ISMS, Policies, Documentation<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Yes, conception and templates<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Exec. mgmt: Anchoring, enforcement<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Paper without internal enforcement does not pass an audit<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Management Reporting<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Partially, report creation<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Exec. mgmt: Review, corrective action<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Monitoring is a management duty and must be demonstrable<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Initial Incident Response (operational)<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Yes, contractually deliverable as an IR service<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Internal: Decision, escalation<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Operational response is delegable; decision-making authority remains in-house<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Notification in Case of a Significant Incident<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Partially, submission supportable<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Entity and exec. mgmt: Obligation and approval<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">The reporting obligation under Section 32 applies to the entity, not the consultant<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Budget and Investments<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">No<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Exec. mgmt<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Resources and risk acceptance are executive management responsibilities<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;padding:10px 12px;\"><strong>Training of the Executive Management<\/strong><\/td>\n<td style=\"text-align:left;padding:10px 12px;\">No, only conduct<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Exec. mgmt personally<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Section 38 assigns the training of the management personally<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>A point from organizational theory belongs here. The security function should not be housed in the IT department, because otherwise the same unit builds and controls. The BSI specifically identifies this delegation into the IT department as an anti-pattern and holds the executive management responsible. An independent security function is therefore best practice, not a legally prescribed reporting line. A vCISO who reports directly to the executive management fits this logic. A vCISO who is dumped on the IT manager merely reproduces the role conflict with external personnel.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Where the Model Breaks in Audits and in Real Incidents<\/h2>\n<p>The weaknesses of a vCISO model rarely lie in technical expertise. They lie at the interfaces. Five typical breaking points recur.<\/p>\n<p><strong>No internal standing.<\/strong> If no internal contact person with authority is designated, no one on site can make decisions in the event of an incident. The external expert is stuck on the phone while an incident is already running in the system.<\/p>\n<p><strong>Availability at the limit.<\/strong> A retainer covering eight hours on five days does not cover an incident at 10 p.m. The reporting obligation under Section 32 requires an initial notification without undue delay, at the latest within 24 hours after becoming aware of a significant incident, once the joint reporting channel is operational. This clock runs for the entity, not for the service provider.<\/p>\n<p><strong>Conflict of interest.<\/strong> The same provider acts as vCISO and at the same time sells penetration tests, audits, or implementation projects. Advice and evaluation then lie in one hand. An independent review or a clean separation of roles resolves this.<\/p>\n<p><strong>Monitoring gap despite expertise.<\/strong> The vCISO escalates a risk, the executive management does not respond, no one documents the decision. In the audit, the gap appears at the management level even though everything was provided from a technical standpoint.<\/p>\n<p><strong>Loss of knowledge at contract end.<\/strong> When the mandate ends, ISMS documentation, risk register, and decision logs are often missing. The successor or the next auditor sees a void where steering had just been in place.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">For Which Companies the Part-Time CISO Fits<\/h2>\n<p>The model is not a universal tool. It fits very well in certain constellations and poorly in others. The following comparison aids an honest self-assessment.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;margin:16px 0 32px 0;\">\n<table style=\"width:100%;min-width:520px;border-collapse:collapse;margin:0;font-size:0.95em;\">\n<thead>\n<tr style=\"border-bottom:2px solid #69d8ed;\">\n<th style=\"text-align:left;padding:10px 12px;\">Fits rather when<\/th>\n<th style=\"text-align:left;padding:10px 12px;\">Fits less well when<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\">50 to 500 employees, low to medium security maturity<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">24\/7 incident responsibility without an internal team<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\">ISMS setup or audit pressure, but no full-time need<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">High confidentiality or OT production without an internal anchor<\/td>\n<\/tr>\n<tr style=\"border-bottom:1px solid rgba(230,227,218,0.12);\">\n<td style=\"text-align:left;padding:10px 12px;\">Transition phase until an internal role is filled<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Complex group structure with management reporting and subsidiaries<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;padding:10px 12px;\">Executive management with time budget for reviews and their own training<\/td>\n<td style=\"text-align:left;padding:10px 12px;\">Expectation of outsourcing compliance entirely without internal effort<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>In regulated industries with their own supervisory expectations, the combination of vCISO and an internal security officer is usually more sustainable than an external mandate alone. One provides the steering, the other keeps the knowledge and responsiveness in-house.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Getting Started: How to Integrate a vCISO Cleanly<\/h2>\n<p>A viable model is created in a few clear steps. First: define the mandate in writing, including tasks, person-days per month, response times, and the explicit note that no representation of the executive management is transferred. Second: place the reporting line directly to the executive management rather than to IT management. Third: designate an internal anchor for day-to-day operations and initial incident response. Fourth: establish an escalation and reporting matrix with the deadlines from Section 32, in which the executive management is listed as the decision-maker. Fifth: conduct a quarterly review with minutes that records the status of measures, open risks, and budget requirements.<\/p>\n<p>Two things need to be planned separately. The training of the executive management pursuant to Section 38 runs independently of the retainer so that the organizational duty is visibly fulfilled. And the offboarding plan with handover of documentation, risk register, and access credentials is best included in the contract already before it is needed. A good vCISO makes the executive management capable of acting. He does not make them free of liability. Anyone who clarifies this at contract conclusion saves themselves the expensive realization in the audit that external expertise does not replace internal responsibility.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is closed. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Can I as a managing director completely delegate my NIS2 obligations to an external vCISO?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">No. Section 38 BSIG obligates the executive management to implement the risk measures, monitor their implementation, and regularly participate personally in training. A vCISO can prepare and steer this work. The organizational ultimate responsibility remains with the management. This does not replace legal advice in individual cases; the interpretation depends on the legal form and organization.<\/p>\n<\/details>\n<details>\n<summary><strong>Do I need a vCISO or is an external security officer sufficient?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">An information security officer fits when what is primarily missing is the operational operation of the ISMS. A vCISO fits when strategic connection to the executive management and governance are missing. Many Mittelstand companies start with an officer and add a vCISO once audit and management pressure increases.<\/p>\n<\/details>\n<details>\n<summary><strong>Is the external vCISO personally liable under Section 38 BSIG?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Section 38 addresses the members of the executive management. The vCISO is liable contractually under his service contract, not as a substitute governing body. Only in the case of an explicit and effective assumption of management functions does this shift, which is uncommon in practice.<\/p>\n<\/details>\n<details>\n<summary><strong>What does a vCISO cost for the Mittelstand?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">There are no binding standard values. Providers bill as a monthly flat fee or on a daily rate; the ranges differ significantly depending on scope and maturity level. It makes sense to compare several offers on the basis of the agreed task catalog rather than a flat market price.<\/p>\n<\/details>\n<h3>Editor&#8217;s Recommended Reading<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\">Which Decision Rights of the CISO Must Be Regulated in Writing<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/16\/nis2-after-the-deadline-now-the-bsi-supervision-begins\/\">NIS2 After the Deadline: BSI Oversight Begins Now<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/18\/nis2-compliance-in-medium-sized-businesses-achievable-steps-avoidable-mistakes\/\">NIS2 Compliance in the Mittelstand: Feasible Steps, Avoidable Mistakes<\/a><\/li>\n<\/ul>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/23\/which-decision-rights-of-the-ciso-must-be-documented-in-writing\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/ciso-mandat-entscheidungsrechte-eskalation-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Which CISO Decision Rights Must Be Set Out in Writing<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/06\/16\/nis2-after-the-deadline-now-the-bsi-supervision-begins\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/nis2-after-the-deadline-now-the-bsi-supervision-begins-cover-en-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">NIS2 after the deadline: Now the BSI supervision begins<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/18\/nis2-compliance-in-medium-sized-businesses-achievable-steps-avoidable-mistakes\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/05\/nis2-compliance-mittelstand-umsetzung-praxis-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">NIS2 for Mid-Sized Firms: Achievable Steps, Avoidable Mistakes<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/en\/geopolitics-meets-the-data-center-roadmap-what-cios-must-secure-now\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-geopolitik-datacenter-roadmap-lieferkett-8054517-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Geopolitics Meets the Data Center Roadmap: What CIOs Must Secure Now<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/eu-requires-labeling-obligations-for-sme-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-eu-ai-act-2026-kennzeichnungspflichten-m-35346140-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">EU AI Act from August 2026: What labelling obligations really affect SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/06\/16\/xfs4iot-meets-the-cloud-the-atm-becomes-a-platform\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-xfs4iot-cloud-geldautomat-plattform-syna-61345494.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">XFS4IoT Meets the Cloud: The ATM Becomes a Platform<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"A virtual CISO takes over the security expertise in medium-sized businesses. However, certain responsibilities under Paragraph 38 of the BSIG (Federal\u2026","protected":false},"author":50,"featured_media":18193,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"Virtual CISO","_yoast_wpseo_title":"Part-time CISO: What Can Be Outsourced and What Must Remain In-house","_yoast_wpseo_metadesc":"Discover how a vCISO handles cybersecurity for SMEs & critical responsibilities under \u00a738 BSIG that remain with management.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/teilzeit-ciso-vciso-delegierbar-bsig-cover-hero-1.jpg","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/teilzeit-ciso-vciso-delegierbar-bsig-cover-hero-1.jpg","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[258,259],"tags":[],"class_list":["post-20908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-strategie-governance","category-strategie-governance-en"],"evm_reading_time_minutes":12,"wpml_language":"en","wpml_translation_of":18191,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=20908"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20908\/revisions"}],"predecessor-version":[{"id":21037,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/20908\/revisions\/21037"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/18193"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=20908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=20908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=20908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}