- A CISO is indispensable for any ISMS and is required by ISO 27001, NIS2, and many industry-specific regulatory frameworks.
- An internal CISO brings proximity to the organization, deep process understanding, and constant availability, but must be qualified and must not have conflicts of interest.
- An external CISO brings broad experience, independence, and immediate expertise, but is less available and doesn't know the organization from the inside.
- The hybrid model — an internal contact person plus an external CISO — combines the advantages of both approaches and is the most pragmatic path for many mid-market companies.
- Costs for an external CISO typically range from EUR 1,500 to 4,000 per month; an internal CISO costs proportional personnel expenses plus qualification.
Why You Need a CISO
The Information Security Officer — often called CISO (Chief Information Security Officer) or IT Security Officer — is the person who keeps your ISMS running. ISO 27001 doesn't require a specific job title but demands that responsibilities for information security are clearly assigned and that someone takes operational control of the ISMS.
In practice, this comes down to a central person responsible for the following tasks:
- Building, operating, and continuously improving the ISMS
- Conducting and updating the risk assessment
- Coordinating measure implementation
- Preparing and supporting audits (internal and external)
- Training and awareness for employees
- Reporting to management
- Advising on security-relevant decisions
- Serving as the point of contact for security incidents
This is a role that requires expertise, organizational skills, and assertiveness. The critical question for many mid-market companies is: Should this role be filled by an internal employee or by an external service provider?
When Does a CISO Become Mandatory?
In many cases, the question of whether you need a CISO is already answered before you ask it:
ISO 27001: The standard requires the assignment of roles and responsibilities for information security. A certifiable ISMS without a designated CISO is practically unthinkable.
NIS2: The NIS2 implementation law requires affected organizations to implement systematic risk management. Although the directive doesn't literally mandate a "CISO," a responsible person for implementation is de facto required.
TISAX: In the automotive sector, a designated Information Security Officer is an explicit requirement.
Critical infrastructure and regulated industries: Operators of critical infrastructure must designate a contact person for IT security to the BSI.
Even if you're not subject to an explicit obligation, an ISMS without a CISO is like project management without a project manager: theoretically conceivable, practically doomed to fail.
Internal CISO: Advantages and Challenges
An internal CISO is an employee of your organization who takes on the role of Information Security Officer full-time or part-time. In many mid-market companies, it's the IT manager, an experienced system administrator, or a quality management professional who takes on the topic in addition to their existing responsibilities.
Advantages of an Internal CISO
Deep understanding of the organization. An internal employee knows the business processes, the IT landscape, the corporate culture, and the informal structures. They know which departments are cooperative and which need convincing. They know the systems not just from documentation but from daily use. This implicit knowledge is difficult for external consultants to build — and only over a long time.
Constant availability. The internal CISO is on-site, approachable, and embedded in daily operations. When an employee has a question about document classification, when IT wants to introduce a new system, or when a suspicious incident is reported, the internal CISO is reachable without scheduling an appointment or creating a ticket.
Continuity. An internal employee accompanies the ISMS for years and builds cumulative understanding of the security posture. They know the history: why certain decisions were made, which risks were accepted in the past, and which measures proved effective. This continuity is valuable for the ISMS's evolution.
Organizational integration. As an employee, the CISO participates in meetings, learns about organizational changes early, and can proactively incorporate information security into decision-making processes — rather than being informed after the fact.
Stronger identification. An internal CISO has a personal interest in the ISMS's success because it's their area of responsibility. The motivation to truly bring the system to life is generally higher than for someone managing multiple clients simultaneously.
Challenges of an Internal CISO
Qualification. Information security management requires specialized knowledge that most IT staff don't inherently possess. ISO 27001, risk management, auditing, regulatory requirements, and technical security measures are distinct disciplines that must be learned. Qualifying an internal CISO typically involves basic training (3 to 5 days), practical experience through ISMS setup, ongoing professional development, and potentially a certification (ISO 27001 Lead Implementer or Lead Auditor).
The investment in qualification pays off long-term but means significant expenditure in the first year — EUR 5,000 to 10,000 for training plus the time the employee dedicates to it.
Conflicts of interest. This is one of the most critical points. When the IT manager is simultaneously the CISO, they're evaluating their own work. They're supposed to identify risks that may trace back to shortcomings in their department. They're supposed to demand measures that burden their own team. And they're supposed to uncover deficiencies in the internal audit that arose under their responsibility.
This conflict of interest is not a theoretical problem — it's a point auditors regularly raise. ISO 27001 requires that the independence of the internal audit be ensured. If the CISO is also responsible for IT, at minimum the internal audit must be conducted by a different person who is not auditing their own work.
The cleanest solution is to position the CISO organizationally outside the IT department — as a staff position reporting directly to management. In mid-market companies, however, this isn't always feasible simply because there aren't enough people available.
Capacity conflicts. In most mid-market companies, the CISO takes on the role alongside their regular responsibilities. This works as long as ISMS work has manageable scope. But once a certification audit needs preparation, a security incident occurs, or regulatory requirements increase, the CISO finds themselves in a conflict between operational duties and the ISMS.
Management must realistically assess how much time the CISO needs for their role — and actually free up that time. If the CISO officially has 20 percent of their working time for the ISMS but operational tasks consistently take priority, the ISMS will suffer.
Dependency on one person. If the sole internal CISO leaves the company, they take all their ISMS knowledge with them. Proper documentation mitigates the problem, but the implicit knowledge of connections, backgrounds, and contexts is still lost. A deputy arrangement — a second person who at least knows the basics of the ISMS — is therefore strongly recommended.
External CISO: Advantages and Challenges
An external CISO is a service provider who fills the role of Information Security Officer for your organization. They typically work on the basis of a service contract, visit the company regularly (monthly or quarterly), and are available between visits by email or phone.
Advantages of an External CISO
Immediately available expertise. An external CISO brings experience that's rarely found internally in mid-market companies. They've already built several ISMSs, supported certifications, conducted risk assessments, and know the typical pitfalls. Instead of investing months in qualifying an internal employee, you get an experienced professional from day one.
Broad experience from various organizations. An external CISO typically works with multiple clients across different industries. This means they know best practices that go beyond your company's horizon. They know which approaches have worked at comparable organizations and which haven't. An internal employee who knows only one ISMS can hardly match this cross-cutting experience.
Independence. An external CISO has no internal loyalties and no fear of speaking uncomfortable truths. They're more likely to tell management that certain risks are unacceptable or the IT department that their backup strategy is insufficient. This independence is particularly valuable during risk assessment and internal audits.
No long-term personnel commitment. You don't need to create and fill a position, train an employee, or risk the CISO leaving the company. The service contract governs the scope and can be adjusted or terminated as needed.
Access to a broader network. External CISO providers typically have a network of colleagues, auditors, and specialists they can draw upon when needed. If you have a specific technical question — about NIS2 in a particular industry or about technical security measures — an external CISO can often provide a qualified answer faster.
Challenges of an External CISO
Limited availability. An external CISO isn't in the office daily. Typically, the engagement covers 2 to 5 days per month, depending on the contract and company size. Between on-site visits, they're reachable by email or phone but not in real time. When a security incident requiring immediate action occurs, the response time of an external CISO can be a problem.
That's why every organization working with an external CISO needs an internal contact person who can answer everyday questions and initiate first response measures in an emergency. The external CISO doesn't replace internal responsibility — they complement it.
Less organizational knowledge. An external CISO will get to know your organization, but they'll never develop the same intuitive understanding as a long-term employee. Informal structures, unspoken rules, and the nuances of corporate culture are only partially accessible to an outsider. This can lead to proposed measures that are technically correct but difficult to implement in the organization's specific reality.
Dependency on the service provider. If the external CISO terminates the contract or the service provider goes out of business, you need to find a replacement quickly. Transitioning to a new external CISO or building an internal one takes time and can temporarily impact the ISMS.
Therefore, ensure that ISMS documentation doesn't exist only in the external CISO's head but is completely and traceably stored in the ISMS tool or your organization's documentation. A good external CISO documents their work so that a successor can seamlessly take over.
Costs with increasing demand. If the scope of CISO activities grows — for example because new regulatory requirements emerge or the organizational structure becomes more complex — costs for the external CISO increase proportionally. Beyond a certain point, an internal CISO may be more economical.
Acceptance within the organization. Some employees struggle to accept instructions or recommendations from someone who's "just" an external consultant. The external CISO has no authority to issue directives and must earn their authority through competence and persuasion. Management can support this by clearly communicating the external CISO's role and equipping them with the necessary authority.
The Hybrid Model
In practice, a hybrid model has proven effective for many mid-market companies, combining the strengths of both approaches: an internal employee serves as the operational contact and coordinator, while an external service provider takes on the professional responsibility and strategic management of the ISMS.
How the Hybrid Model Works
Internal coordinator. An employee — often from IT or quality management — takes on the role of internal contact for information security. They gather information, coordinate measure implementation, handle day-to-day inquiries, and serve as the first point of contact for security incidents. They don't need to be a certified expert but should have a solid basic understanding of information security.
External CISO. The external service provider handles strategic management: risk assessment, policy creation, audit preparation, management reporting, and professional consultation on complex questions. They visit the company regularly, work closely with the internal coordinator, and ensure the ISMS meets requirements.
Advantages of the Hybrid Model
Lower internal qualification requirements. The internal coordinator doesn't need a complete CISO education — just good process understanding and communication skills. The external CISO provides the professional depth.
Better availability than purely external. The internal coordinator is available daily and can respond immediately in emergencies, even when the external CISO isn't available.
Knowledge transfer. Over the course of the collaboration, the internal coordinator progressively builds their own competence. The hybrid model thus also serves as a qualification pathway: once the internal coordinator has gained sufficient experience, they can fully assume the CISO role and reduce external support to targeted consulting.
Cost control. You only pay for the professional expertise you actually need, rather than for the constant availability of a highly qualified specialist.
When the Hybrid Model Fits
The hybrid model is particularly suited to organizations that don't have the budget for a dedicated full-time CISO position but still want to operate a professional ISMS. It's well-suited to companies with 50 to 300 employees where information security is an important but not dominant function. And it offers a natural transition: you start with external support and build internal competence until you no longer need the external component — or need it only on a targeted basis.
Realistic Costs of Both Options
The cost question is often the deciding factor. Here's a realistic assessment for a mid-market company with 80 to 150 employees.
Internal CISO: Cost Calculation
Proportional personnel costs. If an existing employee spends 30 to 50 percent of their working time as CISO, at a gross total cost of EUR 70,000 to 90,000 per year (including employer contributions), that corresponds to a cost share of EUR 21,000 to 45,000 per year.
Qualification (first year). ISO 27001 training (3 to 5 days): EUR 2,000 to 5,000. Lead Implementer or Lead Auditor certification: EUR 3,000 to 5,000. Total qualification costs: EUR 5,000 to 10,000 in the first year.
Ongoing professional development. Annual conferences, seminars, online courses: EUR 1,000 to 3,000 per year.
Internal CISO summary:
- First year: EUR 26,000 to 55,000 (proportional personnel costs + qualification)
- From year 2: EUR 22,000 to 48,000 per year (proportional personnel costs + professional development)
External CISO: Cost Calculation
Monthly retainer. Most external CISO service providers work with monthly retainers based on the organization's size and the agreed scope of services.
- Basic package (2 days per month, remote consulting): EUR 1,500 to 2,500 per month
- Standard package (3 to 4 days per month, including on-site visits): EUR 2,500 to 4,000 per month
- Comprehensive package (5+ days per month, close support): EUR 4,000 to 6,000 per month
Additional costs. Initial assessment and gap analysis (one-time): EUR 3,000 to 8,000. Certification preparation (one-time): EUR 2,000 to 5,000. Travel costs for on-site visits: variable.
External CISO summary:
- First year: EUR 23,000 to 61,000 (monthly retainer + initial effort)
- From year 2: EUR 18,000 to 48,000 per year (monthly retainer)
Hybrid Model: Cost Calculation
Internal coordinator (10 to 20 percent time allocation). At a gross total cost of EUR 60,000 to 80,000: EUR 6,000 to 16,000 per year.
External CISO (basic package). EUR 1,500 to 2,500 per month: EUR 18,000 to 30,000 per year.
Hybrid model summary:
- Annual costs: EUR 24,000 to 46,000
- Including initial effort in the first year: EUR 29,000 to 59,000
Cost Comparison at a Glance
| Model | First Year | From Year 2 |
|---|---|---|
| Internal CISO | EUR 26,000 - 55,000 | EUR 22,000 - 48,000 |
| External CISO | EUR 23,000 - 61,000 | EUR 18,000 - 48,000 |
| Hybrid model | EUR 29,000 - 59,000 | EUR 24,000 - 46,000 |
The costs are in a similar range, which shows that the decision is not primarily a cost question but a question of fit. Total ISMS costs are dominated by other factors anyway, as the article on ISMS costs details. For those who want to keep tool costs in check: ISMS Lite offers full functionality starting at EUR 500 per year or as a one-time purchase for EUR 2,500 and supports both internal and external CISOs with a shared, traceable documentation base.
Qualification Requirements
Regardless of whether the CISO is internal or external, they must bring certain qualifications. There's no one-size-fits-all solution, but some minimum requirements have become established in practice.
Professional Qualification
Solid knowledge of relevant standards. ISO 27001, ISO 27002, and where applicable industry-specific standards (TISAX, BSI IT-Grundschutz, NIS2) should be familiar. This doesn't mean knowing every sentence by heart, but understanding the structure, requirements, and relationships.
Risk management. The ability to systematically identify, assess, and treat risks is the core competency of a CISO. This requires both methodological knowledge (risk frameworks, assessment methods) and practical experience.
Technical foundational understanding. The CISO doesn't need to be a system administrator, but they should understand IT infrastructures, network topologies, cloud services, and common security technologies. Without this foundational understanding, they cannot adequately assess risks or meaningfully prioritize measures.
Knowledge of data protection and relevant regulations. The interfaces between information security and data protection are numerous. A CISO should understand the basics of DSGVO (GDPR) and know which regulatory requirements apply to their organization.
Personal Suitability
Communication skills. The CISO must be able to communicate with management as effectively as with the IT department and business units. They must be able to explain technical matters clearly and enforce security requirements without being perceived as a blocker.
Assertiveness. Information security isn't always comfortable. The CISO must be able to voice uncomfortable recommendations and stand by them in the face of resistance. This requires a certain standing in the organization — created either by the person themselves or through explicit backing from management.
Organizational skill. An ISMS consists of many parallel activities: risk assessments, measure implementation, documentation, training, audits. The CISO must maintain oversight and set priorities.
Formal Certifications
Formal certifications are not mandatory but are a useful quality indicator. The most common are:
- ISO 27001 Lead Implementer: Demonstrates the ability to build and operate an ISMS
- ISO 27001 Lead Auditor: Demonstrates the ability to conduct ISMS audits
- CISM (Certified Information Security Manager): Internationally recognized certification for information security managers
- CISSP (Certified Information Systems Security Professional): Broad certification with a focus on technical security
- BSI IT-Grundschutz Practitioner / Consultant: Relevant when applying BSI IT-Grundschutz
For an internal CISO in a mid-market company, an ISO 27001 Lead Implementer certification is a good starting point. An external CISO should hold at least one of these certifications, ideally supplemented by demonstrable project experience.
Decision Guide: Which Model Fits You?
The choice of the right model depends on several factors. Here's a structured decision guide.
An Internal CISO Is Recommended If...
- Your organization has more than 200 employees and the ISMS effort justifies a significant part-time or even full-time position.
- You already have an employee who has the professional aptitude or can be qualified with manageable effort.
- Information security is a strategically important topic for your organization and you want the competence permanently in-house.
- You work in a regulated industry where customers or supervisory authorities expect an internal CISO.
An External CISO Is Recommended If...
- Your organization has fewer than 100 employees and a dedicated CISO position isn't economical.
- You need to start quickly and don't have time to qualify an internal employee.
- No internal person has the professional aptitude and interest in the role.
- You value independence and want to avoid conflicts of interest.
The Hybrid Model Is Recommended If...
- Your organization has 50 to 300 employees and the CISO role is designed as a part-time task.
- You have an internal employee who can serve as coordinator but needs professional support.
- You want to build internal competence long-term but need external expertise short-term.
- You're looking for a pragmatic model that can adapt to changing requirements.
Common Mistakes When Appointing a CISO
Finally, some mistakes that regularly occur in practice and that you should avoid.
Appointing the CISO without authority. A CISO who is formally designated but has no authority to request information, initiate measures, or report to management cannot effectively fulfill their role. The appointment must come with concrete authority and a clear mandate from management.
Leaving the CISO alone. Information security is not a one-person project. The CISO needs active support from management, cooperation from the IT department, and participation from business units. If the CISO has to operate as a lone fighter, the ISMS won't achieve the desired effect.
Forcing information security on the IT manager. The IT manager is an obvious choice for the CISO role but carries the conflict of interest described above. If no other option exists, the conflict of interest must at least be documented and addressed through compensating measures (such as an independent internal audit).
Forgetting the internal part with an external CISO. An external CISO can only work as well as the internal support allows. Without an internal contact person who gathers information, coordinates appointments, and serves as a bridge to the organization, the collaboration becomes inefficient and frustrating for both sides.
Planning too little budget. Whether internal or external: the CISO role requires time and resources. A CISO who officially has 10 percent of their working time for information security will not be able to operate an effective ISMS. Plan realistically and adjust the budget as requirements grow.
Further Reading
- Roles and Responsibilities in the ISMS: Who Does What?
- What Does an ISMS Cost? Realistically Estimating Budget, Effort, and ROI
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- Choosing ISMS Software: What Matters in the Evaluation
- Building a Security Awareness Program: From Mandatory Training to Security Culture
