Five years ago a growing company's security work fit on one desk because it was mostly one kind of work: keep the lights on, patch the servers, manage access. Today that same desk holds AI governance, NIS2 evidence, customer security questionnaires, vendor risk reviews, and an insurance renewal that reads like an audit. Same desk. Same person. Five jobs. The instinct is to hire a CISO. The instinct is wrong.

A Head of IT I spoke with recently described his worst week of the year. In five days he fielded a NIS2 supplier questionnaire from his biggest customer, an insurer asking whether the company used AI in any customer-facing decision, a renewal asking for endpoint detection across the company's devices, and a board member who wanted one slide on whether the company was secure. He is good at his job. None of those four things is his job, exactly, and all four are now his job. The overload is real, but it is not a missing-CISO problem. It is five distinct jobs bundled under one title. Two need senior judgment you can rent, two should stay with the person already doing them, and one should become a system rather than a job. Here is how I would split it.

The five jobs hiding inside “someone owns security”

Start by naming the work honestly, because “security” is hiding five different things on that one desk.

First, AI governance. Someone has to decide whether the company is a provider or a deployer under the EU AI Act, write a usable policy for the AI tools staff already use, and keep an inventory of which tools touch what data. Article 4 of the AI Act, the AI-literacy duty on providers and deployers, has applied since 2 February 2025, so this is not a future problem.

Second, NIS2 evidence and supervisor readiness. Denmark's NIS2 law has been in force since 1 July 2025, and Digitaliseringsstyrelsen, the supervisor for the Danish digital sector, has begun sending questionnaires to in-scope entities, including data centres. The work is producing the evidence, mapping the company against the measures, and being able to show who is accountable.

Third, customer security questionnaires. Most enterprise buyers send one, they are getting longer, and many now have a dedicated AI section. Someone answers them, usually under deal pressure, usually from scratch.

Fourth, vendor and third-party risk. NIS2 includes supply-chain security, so in-scope companies have to address the security of their relationships with direct suppliers. In a 2026 ISC2 member consultation, around three quarters of respondents said they were only somewhat prepared, or not prepared, to act if a key supplier were flagged as high-risk.

Fifth, the operational baseline. MFA on everything, endpoint detection, tested backups, an incident runbook, and the evidence pack the cyber-insurer now asks for at renewal. Many cyber-insurance applications now expect enforced MFA and endpoint detection, and gaps can affect eligibility, pricing, or terms.

Several of these became recurring work for growing companies only recently. Now they all land on the same person, and that person is usually a capable Head of IT who never signed up to be a compliance function, an AI lawyer, and a sales-engineering resource at the same time.

Should you hire a CISO, fractional or not, to do all five?

The reflex is to find one person to take the whole pile away. A full-time Head of Security. Or, when the budget will not stretch to a seven-figure loaded cost, a fractional one.

That reflex treats “security” as a single role when it is really a portfolio of five jobs with nothing in common except the label. Hand all five to one new hire and you usually get the worst of both ends. The operational baseline does not fill a senior person's week, so you are overpaying for a checklist. The strategic calls, AI Act classification and the board-facing NIS2 posture, are episodic and high-stakes, so a single overloaded person tends to rush them between questionnaires. You have not removed the overload. You have rebadged it and attached a bigger invoice.

Fractional leadership is a genuinely good answer for part of this, and I have written separately about when the fractional model fits and when it does not. But the decision is not “a person, yes or no.” The decision is per job. So look at the five jobs one at a time and ask a sharper question for each: does this need senior judgment, can it stay where it is, or should it stop being a job at all?

Which security jobs actually need senior judgment?

Two of the five are episodic, expensive to get wrong, and reward someone who has done them before. These are the ones worth renting senior judgment for, whether through a fractional arrangement, a scoped advisory engagement, or a few well-used days.

The first is AI Act classification. Many growing companies panic about the AI Act because they assume the heavy obligations apply to them. Often they do not. If you only use AI inside third-party tools like Copilot or a SaaS feature, as intended, you are usually a deployer, not a provider, unless you rebrand or substantially modify the system, and a large part of the provider burden falls away. Getting that classification right, documenting it, and standing up the Article 4 literacy evidence is a short, scoped exercise for someone who has done it, and an open-ended source of anxiety for someone who has not. This is judgment work, not volume work.

The second is NIS2 and board posture. Denmark's supervisor is now active for the digital sector, and for in-scope companies NIS2 puts accountability on the management body, which has to approve the security measures and oversee them, not on an IT job title. Someone senior has to decide what the company's risk posture actually is, what evidence backs it, and how to say it to a board in one slide that survives a follow-up question. That is not a task you delegate to whoever has capacity. It is the kind of call where having seen a dozen of them is the entire value.

Both of these are intermittent. Neither fills a week. Both are exactly what senior, part-time judgment is for. Rent them.

Which security jobs should stay in-house?

Two more of the five are recurring, checklist-driven, and already sit with the right person. Outsourcing them is paying senior prices for work a capable in-house owner can run with a clear playbook.

The operational baseline is the obvious one. MFA on every account, endpoint detection on every device, backups you have actually tested by restoring, a written incident runbook, and the documentation your insurer wants to see. None of this needs a CISO title. It needs ownership, a checklist, and a calendar. Your Head of IT is usually the best-placed person in the company to run it, because they already know the estate. What they need is not a boss above them. It is permission to treat this as a defined, finite job rather than an open-ended worry.

Routine vendor triage is the second. You do not need to assess every vendor to the same depth. You need a simple tiering: which vendors touch customer data or production, which are peripheral, and what level of review each tier gets. Once the tiers and the questions are set, the recurring work is administrative, not strategic. Keep it in-house, and pull in senior help only for the handful of vendor decisions that carry real risk.

The one job to systematize, not staff: the questionnaire

That leaves the customer security questionnaire, and it deserves its own category because the usual response, throwing a senior person at it under deal pressure, is the worst possible use of the time.

The cost is never the first questionnaire. It is the fifth, answered from scratch, by your most expensive technical person, while the roadmap waits. The fix is to build the evidence once. Collect your real controls, policies, and evidence in one place. Map them to the frameworks buyers ask about, ISO 27001, SOC 2, NIS2, and add the AI-governance answers that increasingly show up in enterprise templates. After that, each new questionnaire is a bounded review against a source of truth, not a fresh rebuild.

One caution, because it changes how you build the library. Buyers increasingly check the evidence behind the answers, not just the answers. When the same control gets three different descriptions across a thread, procurement reads that as operating risk and the deal slows. So the library has to be honest and consistent. A trust-center tool can help you publish and reuse it, but the tool is not the asset. The library is. Build the library, and the tool becomes a convenience rather than a crutch.

What to do this quarter

A quarter is a practical window to split the ownership and make real progress on all five jobs, without hiring anyone. The sequence matters less than the act of splitting.

Start with a one-page split: list the five jobs and, next to each, write who owns it and at what cadence. The exercise itself does most of the work, because it turns a vague sense of being underwater into five finite assignments. Then do the AI Act classification properly, as a short, evidenced exercise, so it stops being a background fear. Stand up the questionnaire evidence library next, because it pays back on the very next deal. Keep the operational baseline and vendor triage where they are, with a checklist and a calendar so they are bounded rather than infinite. And make exactly one external judgment call: get senior eyes on the strategic slice, the AI Act posture and the NIS2 board story, rather than trying to grow that judgment internally overnight.

Notice what is not on that list. A job description. A six-month search. A seven-figure commitment for a role the company may not be able to keep busy. The split is cheaper than the hire it replaces, and it is reversible: when the work genuinely grows into a full-time role, you will know, because the in-house owners will be at capacity and the rented judgment will be running hot. That is the signal to hire. Until then, the hire is a guess.

You don't have a CISO gap

The Head of IT who had the bad week did not need a CISO. He needed permission to stop treating five jobs as one: hand two to someone who has done them before, turn a third into a system, and keep only what was his to begin with. That is not a hiring decision. It is an operating decision, and it costs less than the hire he was about to make.

A CISO hire should be the result of a full-time security job, not the workaround for five unnamed part-time ones. You do not hire your way out of a blurred operating model. You name the work first. Then you decide what deserves a person.

If you want to walk through which of the five jobs sit where for your specific company, you can book a 30-minute scoping call. I would rather tell you that you do not need a hire than sell you one you do not.

Related reading

Who owns AI governance at your company goes deeper on the first of the five jobs: the provider-versus-deployer classification, the AI inventory, and who should actually own the AI risk conversation at a growing company.

The NIS2 supplier audit you will fail if you wait covers the vendor and supply-chain job from the other side, what your enterprise customers are now required to ask you, and what to have ready before they do.

The fractional security leader: when it works and when it doesn't is the honest version of the rent-or-hire decision for the strategic slice, including when fractional is the wrong call.