
Interview: External CISO on the real cybersecurity challenges of medium-sized businesses

Cyberattacks, new regulations, rising expectations from customers, insurers, and management: information security is no longer a niche IT topic. Many medium-sized companies realize this at the latest when an insurer demands detailed evidence or a customer requires specific security standards. Those who neglect information security risk not only data, but also trust and business success.


We spoke with our Chief Information Security Officer (CISO), who regularly supports medium-sized companies as an external CISO-as-a-Service. A conversation about everyday reality and why pragmatism is often more important than perfection.

Mr. N., you work as an external CISO for several medium-sized companies. What do you encounter most frequently at the moment?



In short: overwhelm. Not due to a lack of interest, but because of complexity. The threat situation is increasing, while at the same time new requirements are emerging from laws and guidelines such as NIS2, from insurers, or from corporate guidelines. Many companies feel they have to act on several fronts at once – without a clear order of priority. They know they have to do something – but they don't know where to start or how to prioritize.


NIS2 is currently a big issue. How do you specifically support companies with the requirements of the directive?


NIS2 is initially a major challenge for many small and medium-sized enterprises. At first glance, the requirements seem very abstract and it is difficult to know where to start. My approach is pragmatic: I first look at which obligations are really relevant, then review the existing processes and measures, and identify possible gaps and weaknesses. Together with the company, we prioritize what needs to be addressed immediately and where there is still some leeway. The aim is not to implement every regulation 1:1, but to realistically assess risks and define measures that also work in everyday life. 

It is important that management is deeply involved from the outset, not only because the directive requires it, but also so that the measures are actually implemented. In this way, NIS2 can be meaningfully integrated into existing security management without becoming a purely paper project.


Where are the biggest weaknesses in medium-sized businesses?


Rarely in technology alone. Classic measures such as firewalls and backups are usually in place. More critical are missing structures and resources. Understanding of guidelines is incomplete, and analyses and improvements are only carried out irregularly. There is a lack of clear roles and personnel with cybersecurity expertise. Information security often hangs “somewhere” between IT, management, and compliance without a real owner. As an ISO, I fill this gap as an independent role that bundles responsibility and continuously drives the issue forward.


How do you typically start with new customers?


With a solid gap analysis. I want to understand: Where does the company stand today? What specific requirements apply – regulatory, contractual, insurance-related? And what is realistically feasible? It is crucial to assess risks from a business perspective, not just from an IT perspective. First, we create transparency about the need for action and priorities, then we develop a robust roadmap and move on to targeted implementation. This makes security plannable and no longer a matter of guesswork.


Many managing directors fear bureaucracy. Are they right to?


This concern is understandable but unfounded if approached correctly. Guidelines must work in everyday life, and risk analyses should support decisions, not block them. My approach is always: as much structure as necessary, as little overhead as possible. Regular reports to management may seem tedious at first glance, but they create trust – both internally and externally, for example with insurers or supervisory bodies. Good reporting focuses on the essentials: clarity. No technical details, just answers to three key questions: Where do we stand? Where are the biggest risks? What do we need to do next? Decision-makers in medium-sized companies in particular appreciate this because they receive concrete recommendations for action instead of abstract standards and theoretical guidelines.


What role does top management play in your projects?


A central one. Security is a management task. I see myself as a sparring partner for the management: neutral, independent, but clear on the issues and always with an eye on what is feasible. Medium-sized corporate groups in particular demonstrate how important it is to have a uniform framework that creates structure without ignoring the individual characteristics of the individual companies. 

From our own experience as part of the Possehl Group, we know how differently positioned companies within a holding company function and what challenges this entails. Many of the concepts we use with customers today have previously proven themselves in projects within the group. This practical approach helps us to meet management where they are in reality, with implementable solutions.


How do employees react to an external information security officer (ISO)?


Surprisingly positive. I bring experience from many organizations, am not part of internal politics, and am often perceived as a moderator. It is important to communicate on an equal footing and remain practical. Awareness-raising only works if it is realistic, not judgmental.


What distinguishes a good CISO-as-a-Service from traditional consulting?


Continuity. I don't just show up with a PowerPoint presentation and then leave. I provide ongoing support to companies, review progress, adapt priorities to new requirements, and keep the topic present in day-to-day business. And I don't work alone: I have a team of specialists behind me, from technical security to strategic management. This is a major advantage for medium-sized companies: broad expertise without having to maintain it themselves on a permanent basis or constantly coordinate new service providers.


Finally, what is your most important advice for IT and business decision-makers?


Don't wait for the perfect moment. Many hesitate because they believe they first have to set everything up completely and perfectly. That is one of the most common mistakes. In practice, it is enough to start neatly: clarify responsibilities, assess risks honestly, and then improve step by step. Cybersecurity is not a project with an end date, but a process that grows with the company. Those who accept this and stick with it regularly make better decisions – and reduce stress and uncertainty in the long term.

What really matters in practice


The discussion clearly shows that the biggest challenges in cybersecurity for medium-sized businesses today lie less in a lack of technology than in a lack of structure, transparency, clear prioritization, and unambiguous responsibility. This is where the involvement of an external information security officer proves its worth. Not as a controller or theorist, but as someone who brings order to the topic, makes risks understandable, and acts as a translator between IT, management, insurers, and regulators.


A good ISO does not think in terms of standard chapters, but in terms of decisions: What is really critical? What needs to happen now? What can be deliberately put on hold? They ensure that information security does not remain a reactive crisis issue, but becomes an ongoing, controllable process, with clear responsibilities and measures that also work in everyday life.


This is particularly crucial for medium-sized companies. They don't need a maximalist security strategy, but pragmatism and reliability. An external CISO who provides regular support and has access to broad expert knowledge can fill this gap and thus become a reliable sparring partner for both IT and management.


More information on a CISO-as-a-Service


If you don't know where to start.


In our webinar “Check Your Security Status,” you will receive a practical overview of different cybersecurity assessments. We share proven approaches from SMEs, for SMEs – and show you how you can develop your security strategy efficiently and purposefully.



Webinar | Check Your Security Status


A practical overview of the most important cybersecurity assessments


January 27, 2026 | 10:00 a.m.


In just 45 minutes, Alexandra Steinmayr and Carsten Keil will show you which assessment formats – from maturity analyses to penetration tests – are truly relevant for your company.


You will learn how to use the analyses in a targeted manner to derive concrete measures and reliably meet regulatory requirements such as CRA and NIS2 – in a concise, compact, and practical way.


Rapid Risk · NIS2 Readiness · CRA Readiness · Pentest · Compromise Assessment



Register for the webinar now!

