The CISO shortage: Finding leadership without a leader

Cybersecurity has a leadership problem. While large enterprises may employ full-time chief information security officers (CISOs), most small and medium-sized businesses cannot afford one.

Yet SMBs face many of the same threats as larger organizations: ransomware, supply-chain compromise, regulatory scrutiny, cyber-insurance requirements, and increasingly sophisticated AI-driven attacks.

This discrepancy is part of what many security experts call the "security poverty line," a growing divide between organizations that can afford strategic cybersecurity leadership, pricey security tools, and highly paid security operations center (SOC) staffers, and those forced to operate without them.

Sophos' white paper "From Security Operations to Security Leadership" notes that only one in 10,000 companies and other organizations globally employs a CISO.

Many smaller businesses try to address this shortfall by hiring part-time "fractional" CISOs who must divide their attention among several organizations, or "virtual" CISOs who are occasionally consulted on important matters.

But the better solution might be to have AI-assisted security leadership services delivered through managed service providers (MSPs) and managed security service providers (MSSPs).

This approach, exemplified by Sophos' CISO Advantage program, combines automation, analytics, and human expertise to provide practical, continuous CISO-level guidance at a scale and cost that many SMBs can afford.

Why a shortage of CISOs exists, and its repercussions

The shortage of experienced security leadership is not getting better. According to the 2026 CISO Report from Cybersecurity Ventures, sponsored by Sophos, there are now about 35,000 full-time CISOs worldwide.

That's an increase of 9% from the 32,000 counted in 2023, but it barely makes a difference when compared to the estimated 300 million to 600 million businesses worldwide, the vast majority of which are SMBs.

That's a shame, because a capable CISO does far more than manage technology. A good CISO translates cyber risk into business terms, prioritizes security investments, aligns controls with compliance frameworks, communicates with executives and insurers, and creates long-term security strategy.

Most SMBs can't justify the salary, staffing, and operational support required for a full-time executive-level security leader. So many organizations operate reactively, buying cybersecurity tools or trying to implement strategies and frameworks without fully understanding how those efforts might contribute to measurable risk reduction.

The consequences are serious. The most recent Sophos State of Ransomware report found that 38% of organizations hit by ransomware already knew they had unaddressed security gaps, while 32% of attacks began with unpatched vulnerabilities.

The pros and cons of virtual CISOs and fractional CISOs

To fill this void, many organizations turn to virtual CISOs (vCISOs) or fractional CISOs. A virtual CISO typically operates remotely to serve multiple customers, offering broad expertise and scalability. This model gives clients access to seasoned professionals who understand compliance frameworks, governance, and incident response.

However, vCISOs may lack deep familiarity with an organization's culture, workflows, and business priorities. And because they support multiple clients simultaneously, incident-response times during emergencies may vary.

Fractional CISOs also serve multiple customers but attempt to solve some of these limitations by embedding more deeply into each client organization on a part-time basis. A fractional CISO may attend leadership meetings, develop closer operational relationships, and align security decisions more directly with business strategy.

But fractional models also have tradeoffs. Availability can still be limited, especially when a widespread incident hits multiple clients at once. In practice, many SMBs that employ virtual or fractional CISOs find themselves balancing cost, continuity, and strategic depth.

Why an AI-assisted CISO-substitute service delivered by an MSP or MSSP might be best

AI-assisted security leadership services represent an emerging middle ground. Sophos CISO Advantage, announced following Sophos' acquisition of Arco Cyber, aims to combine AI-driven analytics, continuous control validation, threat intelligence, and human oversight delivered through MSPs and MSSPs.

Rather than replacing human leadership entirely, these platforms scale security expertise through automation. Agentic AI continuously evaluates controls against frameworks such as NIST CSF and NIS2, highlights gaps, validates whether controls actually reduce risk, and generates executive-ready reporting. MSPs and MSSPs then provide the human guidance needed to interpret findings, prioritize action, and align decisions with business objectives.

This model may significantly narrow the security poverty gap because it distributes high-level strategy and planning across organizations that could never afford a traditional CISO. Sophos explicitly positions MSPs and MSSPs as the "force multiplier" that can scale governance and risk management services without creating unsustainable operational burden.

With Sophos CISO Advantage and similar services, AI becomes the analytical engine while service providers contribute human judgment, contextual understanding, and accountability. Organizations gain access to continuous risk assessment, compliance alignment, and strategic guidance at a cost structure far below a full executive hire.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
