INFO News SC Media

The CISO shortage: Finding leadership without a leader

  • What: Discussion on the CISO shortage and its impact on small businesses
  • Impact: Small and medium-sized businesses face cybersecurity challenges without dedicated leadership

The CISO shortage: Finding leadership without a leader
May 13, 2026
By Paul Wagenseil

Cybersecurity has a leadership problem. While large enterprises may employ full-time chief information security officers (CISOs), most small and medium-sized businesses cannot afford one. Yet SMBs face many of the same threats as larger organizations: ransomware, supply-chain compromise, regulatory scrutiny, cyber-insurance requirements, and increasingly sophisticated AI-driven attacks.

This discrepancy is part of what many security experts call the "security poverty line," a growing divide between organizations that can afford strategic cybersecurity leadership, pricey security tools, and highly paid security operations center (SOC) staffers, and those forced to operate without them. Sophos' white paper "From Security Operations to Security Leadership" notes that only one in 10,000 companies and other organizations globally employs a CISO.

Many smaller businesses try to address this shortfall by hiring part-time "fractional" CISOs who must divide their attention among several organizations, or "virtual" CISOs who are consulted occasionally on important matters. But a better solution might be AI-assisted security leadership services delivered through managed service providers (MSPs) and managed security service providers (MSSPs). This approach, exemplified by Sophos' CISO Advantage program, combines automation, analytics, and human expertise to provide practical, continuous CISO-level guidance at a scale and cost that many SMBs can afford.

Why a shortage of CISOs exists, and its repercussions

The shortage of experienced security leadership is not getting better. According to the 2026 CISO Report from Cybersecurity Ventures, sponsored by Sophos, there are now about 35,000 full-time CISOs worldwide. That is an increase of 9% from the 32,000 counted in 2023, but it barely makes a difference when set against the estimated 300 million to 600 million businesses worldwide, the vast majority of which are SMBs.

That is a shame, because a capable CISO does far more than manage technology. A good CISO translates cyber risk into business terms, prioritizes security investments, aligns controls with compliance frameworks, communicates with executives and insurers, and creates long-term security strategy. Most SMBs cannot justify the salary, staffing, and operational support required for a full-time executive-level security leader. So many organizations operate reactively, buying cybersecurity tools or trying to implement strategies and frameworks without fully understanding how those efforts might contribute to measurable risk reduction.

The consequences are serious. The most recent Sophos State of Ransomware report found that 38% of organizations hit by ransomware already knew they had unaddressed security gaps, while 32% of attacks began with unpatched vulnerabilities.

The pros and cons of virtual CISOs and fractional CISOs

To fill this void, many organizations turn to virtual CISOs (vCISOs) or fractional CISOs. A virtual CISO typically operates remotely to serve multiple customers, offering broad expertise and scalability. This model gives clients access to seasoned professionals who understand compliance frameworks, governance, and incident response. However, vCISOs may lack deep familiarity with an organization's culture, workflows, and business priorities. And because they support multiple clients simultaneously, incident-response times during emergencies may vary.

Fractional CISOs also serve multiple customers but attempt to address some of these limitations by embedding more deeply into each client organization on a part-time basis. A fractional CISO may attend leadership meetings, develop closer operational relationships, and align security decisions more directly with business strategy. But fractional models also have tradeoffs. Availability can still be limited, especially when a widespread incident hits multiple clients at once. In practice, many SMBs that employ virtual or fractional CISOs find themselves balancing cost, continuity, and strategic depth.

Why an AI-assisted CISO-substitute service delivered by an MSP or MSSP might be best

AI-assisted security leadership services represent an emerging middle ground. Sophos CISO Advantage, announced following Sophos' acquisition of Arco Cyber, aims to combine AI-driven analytics, continuous control validation, threat intelligence, and human oversight delivered through MSPs and MSSPs. Rather than replacing human leadership entirely, these platforms scale security expertise through automation. Agentic AI continuously evaluates controls against frameworks such as NIST CSF and NIS2, highlights gaps, validates whether controls actually reduce risk, and generates executive-ready reporting. MSPs and MSSPs then provide the human guidance needed to interpret findings, prioritize action, and align decisions with business objectives.

This model may significantly narrow the security poverty gap because it distributes high-level strategy and planning across organizations that could never afford a traditional CISO. Sophos explicitly positions MSPs and MSSPs as the "force multiplier" that can scale governance and risk management services without creating unsustainable operational burden. With Sophos CISO Advantage and similar services, AI becomes the analytical engine while service providers contribute human judgment, contextual understanding, and accountability. Organizations gain access to continuous risk assessment, compliance alignment, and strategic guidance at a cost structure far below a full executive hire.
Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom's Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.