"The average cyberattack cost for a small- or medium-size business is more than $250,000."
The cost gap: breaches versus CISO salaries
The arithmetic is stark. According to the annual 2026 CISO Report from Sophos and Cybersecurity Ventures, the average cyberattack on a small- or medium-size business (SMB) costs more than $250,000 — roughly the same as the market salary for a chief information security officer (CISO), which the report places between $250,000 and $400,000. Small firms, the analysis notes, often conclude they cannot afford that salary and "roll the dice," exposing themselves to growing and increasingly automated threats.
Why leadership, not just tools, matters
As SMBs migrate to cloud services, remote access, payment systems and third-party vendors, their technical stack now mirrors that of large enterprises. Yet without senior cybersecurity leadership, defenses often degrade into "a patchwork of tools, checklists, insurance paperwork, and whatever guidance a vendor offers." That approach may win a supplier questionnaire but will not build true resilience: the piece argues the real gap is leadership capable of translating technical vulnerabilities into business priorities, holding vendors accountable, preparing for audits, and briefing executives or boards.
vCISO and fractional CISO: practical definitions and deliverables
The column distinguishes two affordable leadership models. A virtual CISO (vCISO) provides remote, on-demand cybersecurity leadership and typically supports several organizations simultaneously. A fractional CISO (fCISO) is a dedicated, part-time executive more deeply integrated into one organization’s governance, security planning, and day-to-day operations. Both are framed as ways for SMBs to access senior-level expertise at lower cost than a full-time hire.
Suggested minimum deliverables for any credible engagement include an initial risk assessment, a prioritized remediation roadmap, and simple metrics that demonstrate whether security is improving over time. Vetted provider criteria should emphasize proven experience running security programs, independence from vendor incentives and product quotas, and the ability to tie security investment to business risk rather than a checklist of certifications.
Federal levers: CISA, SBA, NIST, Congress, Treasury, and acquisition officials
The authors urge Washington to lower the barrier for SMBs to hire fractional cybersecurity leaders. Specific recommendations include:
- The Cybersecurity and Infrastructure Security Agency (CISA) and the Small Business Administration (SBA) should publish buyer guidance: vetted criteria for evaluating providers, model scopes of work and deliverables, and real-world case studies.
- The National Institute of Standards and Technology (NIST) should recognize vCISO and fCISO models in its SMB-focused Cybersecurity Framework guidance so firms can map the framework’s Govern, Identify, Protect, Detect, Respond, and Recover functions to accountable leadership roles.
- Congress and the Treasury Department should consider targeted tax incentives or credits for qualified cybersecurity leadership services, tied to measurable risk-reduction outcomes — with eligible activities including completing a risk assessment, building an incident response plan, conducting vendor security reviews, running employee training, and producing a remediation roadmap.
- Federal acquisition officials should require contractors handling sensitive government data to demonstrate executive-level cybersecurity oversight — full-time, virtual, or fractional — and extend that expectation down to relevant subcontractors and suppliers, because SMBs are entry points into defense, healthcare, financial, and critical infrastructure supply chains.
What this means for technologists, policymakers, and SMB owners
- Technologists and security teams: Expect greater emphasis on measurable deliverables — initial risk assessments, remediation roadmaps, and simple metrics — as the standard for outside leadership engagements.
- Policymakers and standards bodies: Agencies such as CISA, SBA and NIST can shape procurement behavior by publishing vetted buyer guidance and recognizing leadership models in framework guidance, while Congress and the Treasury could use tax policy to incentivize qualified services tied to outcomes.
- SMB owners and procurement leaders: The recommended buyer criteria and model scopes are intended to make it easier to distinguish executive-level security leadership from vendor resellers, compliance-only consultants, or generic managed services contracts.
The argument is straightforward: the point of hiring a vCISO or fCISO is not merely to get advice, but to secure executive-level ownership of risk priorities, vendor oversight, incident readiness, and communication with owners or boards. With adversaries deploying AI to scale phishing and malware and collecting encrypted data for future decryption, the authors conclude smaller firms—integral parts of defense, healthcare and financial supply chains—need accessible leadership now, not after the next incident forces the issue.