
Why hire a part-time CISO?


Cyber threats no longer affect only large companies. In an ever-changing digital landscape, SMEs are just as exposed to attacks and malicious cyber activity, whether internal or external.

But hiring a cybersecurity expert is an investment that not all companies can afford: as pointed out in a study by CESIN (Club des Experts de la Sécurité de l’Information et du Numérique), the average salary for a CISO in France is €96,543. In Luxembourg, this figure is estimated to be around €120,000 for the same profile, according to recruitment firm Hays.

There is an additional difficulty: experienced profiles are rare, and turnover in the profession, fueled by active talent hunting and the stress associated with recurring incident management, means that a CISO stays in the same position at a company for an average of only 3.7 years.

To address these issues, Rcarré, through its subsidiary Rsecure, offers a shared CISO service that companies can use according to their needs.

What is the role of a shared CISO? What are their day-to-day tasks? How do you select the right profile, one that will adapt to the challenges and operations of your company?

Rcarré shares some answers and feedback in this article.

What is a part-time CISO, or shared CISO?

A CISO (Chief Information Security Officer) is an expert in governance and cybersecurity. When performing their duties on demand, on a timeshare basis, they work with several public and private organizations, depending on their clients’ projects and needs.

This flexible approach allows companies, particularly SMEs, to benefit from solid expertise in the field of IT security without the constraints of hiring a full-time employee.

The on-demand CISO can intervene on an ad hoc basis, for example for an audit or compliance assignment (GDPR, NIS 2, ISO 27001), or on a long-term basis to steer the compliance strategy and strengthen a company’s cybersecurity posture in the long term.

In concrete terms, the shared-time CISO is a versatile expert. They wear several hats: IT governance strategist, employee trainer, and operational liaison for technical teams.

Their experience, acquired in a variety of sectors, enables them to provide the necessary perspective and a neutral view of the situation, which they share with management. This position allows them to be relevant and pragmatic on a daily basis during their assignments.


What are the responsibilities of an outsourced CISO?

The role of the part-time CISO is to analyze, decide, act, and move the company forward on all matters related to IT security.

Identify cybersecurity risks

The main mission of the shared CISO is to identify IT security risks that threaten your business. To do this, they carry out technical and organizational audits, propose action plans, and oversee the implementation of recommended tools and solutions.

In the event of an incident, the CISO acts as crisis coordinator: they liaise with service providers and technical experts, organize post-mortem investigations, and reduce the impact of the attack on your business.

The consequences of a cyberattack on a business are usually felt for weeks, sometimes months. The proactive approach of an experienced CISO prevents minor vulnerabilities from turning into major crises.

Raise awareness among employees

One of the CISO’s tasks is also to establish a culture of security within the company. Fraudulent emails, exploitation of emotional biases: humans remain the weak link in the corporate cybersecurity chain. By training employees to recognize fraud attempts, adopt best practices, and increase their vigilance, the outsourced CISO’s information campaign reduces the risks associated with human error.

Ensure regulatory compliance

The CISO is an expert in cybersecurity governance. They are able to support companies in achieving compliance with general and recognized cybersecurity standards and frameworks: GDPR, ISO 27001, DORA, and soon NIS 2. The same applies to sector-specific standards such as TISAX in the automotive sector and IEC 62443 in the industrial sector.

A part-time CISO can draft security policies, prepare audits, and ensure that the appropriate security measures are in place to reduce the gap between the current situation and the compliance requirements to which your business is subject.

Managing cybersecurity on a daily basis

The shared CISO is not just an external service provider: they guide, advise, and structure your cybersecurity approach to strengthen it over time.

In coordination with management, they establish a roadmap that will be translated into concrete actions by your IT teams: prioritizing risks, planning audits, deploying cybersecurity solutions, and allocating resources effectively.

To do this, they set up key performance indicators (KPIs) and dashboards: monitoring regulatory compliance, vulnerability remediation, and awareness progress.

Presented to management during steering committee meetings (COMEX/CODIR), these dashboards provide SMEs with a clear and up-to-date overview of their cybersecurity posture.

Ensuring business continuity

According to the Risk Barometer published by insurer Allianz in 2025, 49% of companies consider cybersecurity incidents to be the primary risk to their business continuity.

As the person responsible for information system security, the CISO ensures the continuity and sustainability of your operations. They actively participate in drafting business continuity and disaster recovery plans (BCP/DRP, known in French as PCA/PRA) to ensure a quick restart after an incident or cyberattack.

Backup strategy, infrastructure resilience, deployment of detection solutions on workstations and servers (antivirus, EDR, firewalls, etc.): the CISO ensures that every decision made is aligned with your compliance and security objectives and supports your business continuity.

By documenting their actions, the CISO meets the traceability requirements of most standards and regulations. During an audit or investigation, for example following a cyberattack, you will be able to demonstrate the cybersecurity measures implemented by your company.

How to choose a part-time CISO?

Choosing a part-time CISO is not a trivial decision. It directly influences the security and business continuity of your company.

Therefore, rather than simply selecting a service provider, you need to choose a local partner capable of supporting management in transforming cybersecurity challenges into concrete actions.

Select an experienced profile

Although they have a technical background, shared CISOs are primarily IT security project managers. Their methodology, processes, and interpersonal skills must be proven.

Is the service provider senior or junior? Have they already deployed cybersecurity measures in companies similar to yours, or in the same industry? What were the results?

As an IT security expert for SMEs, our subsidiary Rsecure offers a CISO-as-a-service and supports companies in a variety of sectors, including regulated professions such as finance.

Prioritize responsiveness and proximity

While flexibility is one advantage of shared CISO support, responsiveness remains an important criterion.

In the event of an incident, the CISO must be able to quickly coordinate the response in order to limit the impact of the crisis. Take the time to discuss the terms of intervention, response times, and the service provider’s availability.

The Rcarré group has several sites in Luxembourg, France, and Belgium. Our response capabilities and experience in IT incident management enable us to respond quickly in the event of a crisis.


The shared CISO: the solution for strengthening and managing IT security in SMEs

Do you need to hire a part-time CISO? Contact our teams to find out how our experts can support you.
