Not All vCISOs Are Solving the Same Problem

A response to "What Should Boards Demand from a vCISO?" by RM2 Security

Why this post?

A post crossed my feed this week that I want to respond to — not because it's wrong, but because it's right about something that doesn't apply to most of the companies I work with. And that distinction matters. The post by Robert Yaus at RM2 Security makes a sharp argument: boards should demand more than security activity from their vCISO. They should demand risk governance — a Board Pack, a Five-Question Scorecard, quarterly risk trends, tabletop exercise results, metrics dashboards with leading indicators. If your vCISO can't deliver this, you don't have governance. You have optimism.

He's right. For the companies he's writing for. But I work with a different kind of company. And I think there's a conversation worth having about what a vCISO actually means at different stages of a company's growth.

Two Very Different Jobs

Last week I was sitting with a CTO at a 60-person B2B SaaS company. They're ISO 27001 and SOC 2 certified. Smart team. Real product. Growing enterprise pipeline.

We were going through their internal audit findings. Six nonconformities, none of them catastrophic, but all of them real: roles and responsibilities not clearly assigned, infosec objectives defined but not measurable, insufficient resources formally allocated to the ISMS, a risk register with control references from the superseded 2013 version of the standard rather than the 2022 version they're certified against.

An external auditor is arriving in 8 weeks. None of these findings have a documented root cause, corrective action, or corrective action plan yet.

This is what the work actually looks like for most European scaleups post-certification. Not board packs and tabletop exercises. Getting the program to run the way the certificate says it does.

The RM2 article describes a governance-oriented vCISO — someone who operates like a real CISO inside a mature organisation, influencing executives, presenting to boards, driving risk decisions under pressure. That's a real and valuable role.

What I do — what most of my clients need — is a compliance-oriented vCISO. Someone who helps a 30- to 200-person SaaS company achieve certification, make that certification operationally real, and keep it defensible as the business grows. Different job. Different buyer. Different definition of success.

Why This Distinction Matters for Scaleups

When a Series B founder or CTO reads an article saying their vCISO should be delivering quarterly risk trend reports and board-level metrics dashboards, one of two things happens. Either they think they're doing it wrong and feel anxious about a problem they don't actually have yet. Or they dismiss the whole category as not relevant to their stage.

Both reactions are a mistake.

The governance-oriented vCISO work described by RM2 is genuinely important — but it's important when you have a board with formal oversight responsibilities, a mature security program that needs strategic direction, and the organisational complexity to justify it. That's not where most of my clients are. They're trying to close their first €500K enterprise deal without getting knocked out in security review. They're trying to pass their first renewal audit without their CTO spending three months on it.

There's also a supply reality. The governance-oriented vCISO — someone who has genuinely sat in the CISO seat, navigated regulatory inquiries, presented under pressure to a public company board — commands serious fees. Full-time, that profile costs €150K or more annually in Europe. Even fractionally, you're looking at rates that most scaleups can't justify at their stage.

The compliance-oriented vCISO exists precisely because that profile is inaccessible to the companies that need security leadership most. It's not a compromise. It's the right tool for the job.

Where the Two Types Meet

Here's the nuance I want to be honest about: these aren't permanently separate categories.

A company that starts with a compliance-oriented vCISO — getting certified, building the program, making controls operational — will eventually grow into needing governance-oriented leadership. When the board starts asking about cyber risk. When a major incident forces fast decisions. When the enterprise pipeline is large enough that security becomes a board-level topic, not just a sales obstacle.

The transition point is different for every company. But it exists.

Good vCISO work includes being honest with your client when you've reached that transition. When the job has evolved beyond your remit and what they need is someone with a different profile and a different mandate. That's not a failure — it's what a trusted advisor does.

I had that conversation with a client last year. They'd grown past the point where compliance management was the primary need. They needed someone who could represent security at board level and make risk decisions that affected the whole business. I helped them find the right profile. That's the job.

So Which One Do You Need?

If you're a founder or CTO reading this, here's a simple way to think about it.

You probably need a compliance-oriented vCISO if: you're pursuing ISO 27001 or SOC 2 to unblock enterprise sales, you've recently certified and need to make the program operationally real, your security team is thin or nonexistent, and the primary driver is customer requirements rather than board mandate.

You probably need a governance-oriented vCISO if: you have a board with formal security oversight responsibilities, you're in a regulated sector with direct regulatory exposure, you've had a significant security incident, or your security program is already mature and needs strategic direction rather than implementation support.

Most European B2B SaaS scaleups at Series A or B are in the first category. Most companies at Series C and beyond, or in heavily regulated sectors, are moving toward the second.

The RM2 post is worth reading. The Five-Question Scorecard is a genuinely useful framework — I've started using a version of it myself with clients who are ready for it. But "not all vCISOs are equal" cuts both ways. The right question isn't just whether your vCISO can deliver board-level governance. It's whether that's actually the job you need done right now.

For most of the companies I work with, it isn't. And that's fine.


Paolo Carner is the founder of BARE Consulting, a cybersecurity compliance consultancy helping European B2B SaaS scaleups achieve ISO 27001 and SOC 2 certification. He holds CISSP, CCSP, and ISSMP credentials and has 15+ years of enterprise security experience.
