What Is a CISO? The Role Your Organization Probably Needs (Without Knowing It)
By Mario Bouchard, M. Adm., CISSP — President, InfoSec Sécurité de l'information Inc.
Imagine for a moment that your company had no CFO. No one to sign the financial statements or explain the numbers to the board. No one to say, "We can't afford to do this project that way, but here's how we could do it differently."
Sounds absurd? Of course it does. No serious organization would operate without someone who has the full financial picture.
Yet in cybersecurity, that's exactly where most small and mid-sized businesses find themselves. Technicians manage the firewalls. Vendors send reports. But there's no one with the full picture, no one translating technical risk into business decisions. That role is the CISO.
What a CISO Actually Does
CISO stands for Chief Information Security Officer. But the title matters less than what the person actually does day to day.
A CISO is not a technician who configures firewalls. Nor is it an auditor checking boxes on a compliance spreadsheet.
A CISO is the bridge between your technical team and your executive committee. It's the person who can sit in a board meeting and explain, in business terms, what your cybersecurity risks mean for your operations, your reputation, and your regulatory compliance.
In practice, a CISO does three things that no other role in the organization does:
They translate. They take a technical risk (for example, "our privileged access isn't segmented") and turn it into language the board understands: "If an attacker gets in, they have access to everything, including customer data and payroll systems."
They prioritize. With limited budgets, they determine where to invest to reduce the most risk. Not everything. The right things first.
They align. They make sure security moves at the same pace as the organization's projects, rather than blocking them. Cybersecurity becomes a delivery accelerator instead of a roadblock.
The Numbers Behind the Urgency
The vast majority of SMBs operate without any form of dedicated cybersecurity leadership. No CISO, no security director, no one whose primary responsibility is security. Cybersecurity is "everyone's job," which, in practice, means it's no one's priority.
Meanwhile, attacks aren't slowing down. The Verizon Data Breach Investigations Report 2025 shows that SMBs are targeted roughly four times more frequently than large organizations. And according to IBM, the average cost of a data breach reached $4.88 million USD in 2024, a 10% increase in a single year.
But the most revealing number for understanding the value of a CISO is this: IBM reports that organizations facing a critical shortage of security staff pay an average of $1.76 million more per breach than those with adequate teams.
This is a leadership problem, not a technology problem.
A Wednesday Morning Without a CISO
Wednesday, 7:45 AM. Your IT director calls. The tone is unusual.
"We have a problem. Email has been down since last night. I think it's ransomware."
You ask: "What do we do?" Silence. Your IT director is competent. They manage the network, the workstations, the patches. But coordinating a cybersecurity incident response? Deciding whether to notify regulators? Calling the insurance carrier? Communicating to employees? That's not their role. They have neither the training nor the authority to make those decisions.
So you start making calls. Your managed IT provider. Your lawyer. Your cyber insurance carrier. Each one asks questions you can't answer: "Do you have an incident response plan?" "Which systems are affected?" "Is personal data involved?"
No one in the organization has the full picture. The IT director knows the servers. The operations director knows the business processes. HR knows the employee data. But no one can connect all of it and make informed decisions under pressure.
Result: the first 48 hours (the most critical) are lost to phone calls, confusion, and reactive decisions. The insurer asks for evidence of preventive measures. Your lawyer wants to know if you have an incident register. Your IT provider is working on restoration, but no one is coordinating the whole response.
That's the cost of not having a CISO. It's not a cost that shows up in a budget. It's a cost that reveals itself on a Wednesday morning.
What It Costs, In Dollars and In People
IBM puts the average cost of a breach at $4.88M USD. But for a 200-person SMB, the math looks different. Direct costs (system restoration, forensic investigation, legal counsel, notifications) can easily reach several hundred thousand dollars. As an order of magnitude, IBM's average of $164 USD per compromised record adds up fast, even when the number of records is modest.
But the costs we always forget are the human costs. The IT director who hasn't slept in 72 hours. The communications manager fielding calls from worried customers. The CEO who has to answer to the board without fully understanding what happened.
And after the crisis? Burnout. Guilt. The "I should have seen this coming." Studies show that IT professionals who go through a major cybersecurity incident experience elevated rates of post-traumatic stress and professional burnout.
A CISO doesn't prevent every incident. But they make sure the organization knows what to do when one happens. That the first 48 hours aren't wasted. That someone has the full picture and the authority to act.
Why Your SMB Probably Doesn't Have a CISO
The reason is simple: the salary. In North America, a full-time CISO commands a base salary typically ranging from $150,000 to $250,000 USD, and that's before benefits, continuing education, and certifications. For an SMB of 150 to 400 employees, that's a significant investment for a role that didn't even exist in the company's vocabulary five years ago.
And there's another obstacle, more subtle. In many organizations, cybersecurity responsibility has fallen on the shoulders of whoever manages IT, by default, not by choice. The IT director or IT manager does their best, but they're already carrying network management, user support, and infrastructure projects. Adding strategic cybersecurity (governance, compliance, board and insurer relations) means asking one person to do two full-time jobs.
The issue is capacity, not competence.
The Regulatory Reality Has Changed the Equation
Across North America, privacy and data protection regulations are tightening. In Canada, PIPEDA governs federal privacy obligations, while provinces like Quebec have enacted even stricter requirements. Quebec's Law 25 (Bill 64), fully in effect since September 2024, requires every organization holding personal information to designate a privacy officer, maintain an incident register, conduct privacy impact assessments for certain projects, and notify the regulator and affected individuals when an incident presents a risk of serious harm.
In the United States, the patchwork of state privacy laws continues to expand. California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, and a growing list of state-level requirements create a complex compliance environment, particularly for organizations operating across borders.
In theory, the designated privacy officer can be anyone in the organization. In practice, when an incident occurs, that person needs to understand both the technical dimensions (which systems are affected, which data is at risk) and the legal dimensions (do we need to notify the regulator? the affected individuals?).
That's exactly the profile of a CISO.
These laws don't say "you need a CISO." But they create a set of obligations that, taken together, draw the exact outline of the role: someone who understands security, governance, and compliance, and who can report to leadership.
The penalties make cybersecurity leadership far less optional than it was before. Quebec's Law 25 alone carries administrative sanctions up to $10 million or 2% of worldwide revenue, and criminal penalties up to $25 million or 4% of worldwide revenue. In the U.S., FTC enforcement actions and state-level penalties add further incentive.
The Option Most SMBs Don't Know About Yet
There's a third path between "not having a CISO" and "hiring an executive at $200,000+." It's the virtual CISO model, or vCISO (also called fractional CISO).
A vCISO is a seasoned cybersecurity professional who takes on the security leadership role for your organization, part-time. They sit on your committees, support your IT team, prepare your roadmap, engage with your board and insurers, all on a mandate scaled to your needs and budget.
This isn't a consultant who shows up, drops a 200-page report, and disappears. It's a partner who invests in your organization, understands your reality, and moves security forward at the pace of your projects.
The vCISO model is gaining traction rapidly among SMBs that realize they need security leadership but can't justify a full-time hire. It's a structural trend, driven by growing demands from insurers, clients, and regulators alike.
Monday Morning: The Questions to Ask
You don't need to wait for an incident to take action. Here are five questions to ask your team this week. If no one can answer clearly, that's a signal:
"If ransomware hits tomorrow morning, who coordinates our response, step by step?" Not who calls the IT provider. Who leads the whole effort: communications, business decisions, regulatory notification?
"When our board or insurers ask about our security posture, who answers?" If the answer is "we improvise," you've identified a gap.
"Is our IT director also carrying responsibility for strategic cybersecurity? Is that realistic?" The question isn't whether they're competent. It's whether they have the capacity to add this role on top of everything they already do.
"Do we have a cybersecurity roadmap, or are we reacting incident by incident?" A plan, even a simple one, changes everything. But someone has to own it.
"If we had a data breach involving personal information, do we know our notification obligations?" Whether it's PIPEDA, a provincial law like Quebec's Law 25, or a U.S. state privacy law, someone in the organization needs to know the answer before the incident happens.
If these questions make you uncomfortable, that's normal. They make most executives uncomfortable. The important thing is to answer them before a Wednesday morning answers them for you.
Need Cybersecurity Leadership?
If your organization needs cybersecurity leadership for compliance, governance, or simply to sleep a little better at night, explore our vCISO services.
You can also explore our privacy compliance consulting and strategic cybersecurity advisory services.
Mario Bouchard is President of InfoSec Sécurité de l'information Inc., a strategic cybersecurity consulting firm based in Quebec City. With over 30 years of experience, he helps CISOs and IT leaders turn cybersecurity into a delivery accelerator rather than a roadblock. infosecurite.com
Sources
- IBM — Cost of a Data Breach Report 2024 (Ponemon Institute, published July 2024). Average breach cost: $4.88M USD. Impact of security staffing shortage: +$1.76M per breach. Average cost per record: $164 USD. Based on 604 organizations across 16 countries. ibm.com/reports/data-breach (PDF)
- Verizon — 2025 Data Breach Investigations Report. Frequency of attacks against SMBs compared to large organizations. verizon.com/dbir
- Privacy Legislation — Quebec's Law 25 (phased in, final phase effective September 2024). Administrative sanctions: up to $10M or 2% of worldwide revenue. Criminal penalties: up to $25M or 4% of worldwide revenue. Canada's PIPEDA and evolving U.S. state privacy laws (CCPA/CPRA, CDPA, CPA). legisquebec.gouv.qc.ca