DRAFT — This article is in progress. Content is placeholder only.
At some point in a scale-up's growth, the CTO realises they need someone senior thinking about security. The product handles customer data. Investors are asking questions. A compliance requirement has appeared. The options on the table look the same everywhere: hire a CISO, hire security engineers, bring in a managed security service. None of them quite fit. This article is about a fourth option — one that several of our clients have used to build a serious security program without hiring a security headcount.
Why the standard options often do not work for scale-ups
Most security advisory options are designed for enterprise budgets. A CISO is a C-suite executive role with C-suite compensation. A managed security service provider monitors your infrastructure but does not understand your business or your custom applications. A vCISO sounds like a middle ground but often delivers advice without implementation. That is useful if you have a team to implement it, and less useful if you do not.
What a scale-up security program actually needs
A scale-up at the point of needing serious security typically needs four things simultaneously: a clear understanding of its actual risks, the engineering capability to address them, ongoing governance as things change, and a way to communicate security status to leadership and stakeholders. A single hire rarely covers all four. The question is how to assemble the capability without building a security department.
The advisory-plus-delivery model
The model that works for most scale-ups combines strategic advisory with hands-on delivery. Not advice and a list of recommendations — but advice, and then implementation of what the advice recommends. The person helping you understand your risks should also be able to help you address them. Over time, this looks like a part-time security function. Regular engagement, ongoing threat modeling, engineering support, and direct access to leadership when security decisions need to be made.
What to build internally, what to outsource
The goal is not permanent dependence on external security support — it is building genuine internal security capability while using external expertise for the work that benefits most from independence and specialisation. The internal team owns security culture and process. External experts provide threat modeling depth, independent assessment, and specialist skills that are genuinely difficult to hire for.
Signs it is time to change your approach
A few signals tend to indicate that informal security is no longer adequate: compliance requirements that are not clearly met, due-diligence questions you cannot answer confidently, security findings that your team cannot prioritise, or a growing feeling that you do not really know what your risk profile looks like. Any of these is worth taking seriously.
A CISO is not the only way to get serious security capability. For most scale-ups at the point of needing it, a better fit is an advisory-plus-delivery model that combines strategic guidance with practical implementation, running on an ongoing part-time basis. If you are at the point where you know you need to take security more seriously but are not sure what the right structure looks like, this is a conversation we have often.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.