vCISO or Security Manager?
- Susan Sons

- Dec 5, 2025
- 4 min read

"I'd like one medium cybersecurity, please." isn't an order that will actually produce anything you want to buy. It will also never come with a side of fries. Yet it's how many small or medium enterprise clients approach a cybersecurity provider. Having some idea what you need going in can make the selection process go smoother, and ensure that you're putting your limited cybersecurity dollars to their most effective use.
This post walks you through one important decision point: do you need a virtual CISO (also called a fractional CISO), or a cybersecurity manager?
Definitions:
A cybersecurity manager is someone who manages IT and/or cybersecurity staff to ensure that controls are implemented across a network or tech infrastructure. In a large enterprise security team, several full-time cybersecurity managers report to the CISO, or Chief Information Security Officer, each taking responsibility for a different area of controls or operations. In a small or medium enterprise, there's often a single, more generalist cybersecurity manager -- full-time or fractional -- who handles it all.
A virtual CISO (vCISO) is the fractional version of a CISO role, often leveraged by smaller organizations that don't have a large enough cybersecurity operation to justify a full-time CISO.
vCISO or Cybersecurity Manager:
The activities of these two roles vary greatly, so before you hire, think hard about what you really need:
| Area | vCISO Role | Cybersecurity Manager Role |
|---|---|---|
| Strategy | A vCISO can set a cybersecurity strategy for the organization that is appropriate to the organizational mission, business strategy, structure, regulatory environment, and resources. They are a true executive who can understand your unique position and risks, building the right approach from a combination of lessons learned and first principles. | A cybersecurity manager can design a strategy to apply controls to a particular environment or infrastructure, but they are not an executive. The cybersecurity manager focuses on your technology, not your business. |
| Policy | A vCISO can craft policy that is effective for the organization and appropriate to support the decisions the organization may need to make under pressure in a future crisis. They look at the whole organization's information security needs, not just the digital stuff, including physical security when it isn't covered by its own executive. | A good cybersecurity manager is good at the technical segment of policy work: security operations procedures, password policies, etc., but they are again focused on the technology, not the business. |
| Controls | A vCISO will be active in selecting a baseline control standard and strategizing around what combination of controls will meet both regulatory and security needs, but they won't be implementing technical controls themselves. | A cybersecurity manager can oversee the implementation of controls, and even assist with their implementation. |
| Operations | A vCISO will build a staff that carries out day-to-day cybersecurity operations, and develop that staff to improve over time. | A cybersecurity manager will keep a hand in day-to-day cybersecurity operations to ensure quality, but they may not be experienced in managing and developing a staff without the support of a CISO. |
| Relationships | A vCISO is a true executive who will build relationships with your executive team and that team's stakeholders, whether that's a board of directors, a parent organization, or a PE firm. They typically come with their own network, making collaboration-building and recruiting easier. | Cybersecurity managers should be adept at working with their peers in other departments -- for example, collaborating with legal to get security requirements in place for a vendor -- but they aren't executives and may not be skilled in the consensus-building and silo-crossing work of an executive. |
| Leadership | A vCISO should be a leader inside the organization and out, representing your organization to others and setting the tone for organizational cybersecurity within the org, with the help of your business leadership. | A cybersecurity manager should be a leader of technical staff within the org, and of their technology communities outside the org. |
| Advice | A vCISO advises on the operation of the cybersecurity program, as well as the overall strategy and position the organization takes toward cybersecurity risk, fitting that in with every other risk the organization must care about. They're comfortable reporting and briefing at the executive and board levels. | A cybersecurity manager advises on technical controls, technology choices, and procedures. Most aren't prepared to communicate at a board level, but the good ones can report on their area of responsibility to the organization's executives. |
| Mergers and Acquisitions | A good vCISO is equipped to do cybersecurity due diligence if you are planning to make acquisitions, or to get your organization's cybersecurity in shape so that you may be acquired. | A cybersecurity manager can run you through cybersecurity questionnaires and describe controls to help if you are being acquired, but their involvement should be limited to questions about specific controls they have implemented. |
Conclusion:
A vCISO or a cybersecurity manager can be a valuable asset in getting a small or medium enterprise cybersecurity built, or on track and moving in a new direction. However, if you are in a position to afford only one or the other, choose carefully.
Choose a vCISO if your organization needs the right cybersecurity direction and strategy defined, if there are open questions about policy or how to marshal limited resources, or if board-level communications or M&A are among your potential futures. Also note that several compliance regimes require a CISO be part of your cybersecurity program.
Choose a cybersecurity manager if the organization-level and strategy questions have been answered, and if you know what your risk decisions are and want to focus on the implementation of controls and the conduct of day-to-day operations.