According to the 2026 CISO Report from Cybersecurity Ventures, sponsored by Sophos, there are now about 35,000 full-time CISOs worldwide. Most of them are employed by larger enterprises.
Small to mid-sized businesses (SMBs) typically can’t justify the salary, staffing, and operational support required for a full-time executive-level security leader. But there are alternatives that enable SMBs to rent a CISO.
A virtual CISO typically operates remotely to serve multiple customers, offering broad expertise and scalability. This model gives clients access to seasoned professionals who understand compliance frameworks, governance, and incident.
However, vCISOs may lack deep familiarity with an organization’s culture, workflows, and business priorities. And because they support multiple clients simultaneously, incident-response times during emergencies may vary.
Fractional CISOs also serve multiple customers but attempt to solve some of these limitations by embedding more deeply into each client organization on a part-time basis. A fractional CISO may attend leadership meetings, develop closer operational relationships, and align security decisions more directly with business strategy.
But fractional models also have tradeoffs. Availability can still be limited, especially when a widespread incident hits multiple clients at once. In practice, many SMBs that employ virtual or fractional CISOs find themselves balancing cost, continuity, and strategic depth.
A recent SC Media article dives into a promising new category for SMBs: AI-assisted security leadership services which aims to combine AI-driven analytics, continuous control validation, threat intelligence, and human oversight delivered through managed security providers (MSPs) and managed security service providers (MSSPs).
Read the Full Story
