Finding cyber security talent keeps getting harder.[1] Experienced professionals are expensive, hard to find and quickly poached by larger organisations. For businesses that can’t outbid larger competitors for scarce full-time hires, rethinking traditional approaches to security leadership is proving successful.
The tech talent squeeze keeps tightening
Australia is projected to need 3.5 million technology, finance and business professionals by 2030 – almost 450,000 more than today – with critical shortfalls in areas such as cyber security, artificial intelligence and cloud computing.[1] The traditional approach – hiring a full-time CISO to handle everything from board reporting to incident response – is no longer feasible for many organisations.
Even when you succeed in hiring someone, you’re asking one person to cover an impossibly broad remit. They need to speak fluently to the board about risk, design security architecture, respond to incidents, ensure regulatory compliance and stay current with emerging threats. It’s rare for an individual to excel at all of this, and those who can command salaries that put them beyond the reach of many organisations.
Keeping them is a challenge, too. 50% of organisations report a struggle to retain cyber security talent as demand rises.[2] With larger organisations actively recruiting security talent, it can be difficult to retain skilled professionals long enough to achieve meaningful change. You can invest in hiring and onboarding, only to start the cycle again.
What do organisations actually need?
While many organisations require cyber security leadership, justifying the investment in a full-time senior role remains challenging. What they do need is strategic oversight – someone who can assess their current security posture, identify priorities, ensure compliance requirements are met and translate technical risks into language the board understands.
They also need access to specialist capabilities when required – penetration testers who can probe for vulnerabilities, incident responders who know how to contain breaches and compliance experts who understand specific regulatory frameworks such as the SOCI or Essential Eight requirements.
A different model for security leadership
The full-time CISO model assumes you can find all this expertise in one person. Fractional security leadership works differently. In practice, this means working with a senior security professional who understands your business and coordinates access to specialist expertise when needed. Rather than one person attempting to cover everything, the model separates strategic oversight from specialist execution.
For smaller organisations, this might be a few hours monthly for roadmap guidance and board reporting. Larger or more complex environments may need more intensive engagement, particularly around compliance.
The practical difference is the breadth of expertise. Deep technical knowledge of penetration testing comes from a specialist who does it regularly. Regulatory compliance advice comes from someone focused on those frameworks. The fractional leader coordinates these different capabilities around your organisation’s priorities.
This is the thinking behind Nexon’s Virtual CISO (vCISO) service – strategic security leadership that understands your specific risk profile and business context, providing guidance across your security posture, operational resilience and day-to-day security operations.
Because your vCISO works within Nexon’s broader security team, when you need specialist capabilities – penetration testing, incident response, compliance expertise or security operations support – you’re engaging people who already understand your environment, not external consultants starting from scratch.
The vCISO advantage
Broader perspective from cross-industry work
Fractional security leaders typically work across multiple organisations and industries. They see what works, what doesn’t and how others solve similar challenges. That breadth of experience is harder to find in a single hire focused solely on one organisation.
Continuity when people move on
When people leave, security projects can lose momentum. Fractional arrangements backed by a team mean you’re not entirely dependent on one person staying in their role. The knowledge and relationships are embedded in a team, not tied to a single individual.
Scaling to match demand
Some periods require intensive work – preparing for audits, responding to incidents or rolling out new controls. Other periods need lighter oversight. Fractional engagement can adjust to actual requirements rather than paying for full-time capacity that’s not always needed.
When it makes sense (and when it doesn't)
Fractional security leadership isn’t the right answer for every organisation. Large enterprises with complex 24/7 operations typically need a dedicated CISO and internal security teams. Highly regulated industries may face requirements that demand full-time leadership presence and deep organisational knowledge.
It doesn’t solve Australia’s cyber security talent shortage,[2] which persists at every level.
However, for organisations with limited internal security expertise and growing compliance pressures, vCISO addresses a practical gap: strategic leadership and specialist capabilities without the risk exposure that comes from lacking in-house security resources, or the overhead of building an entire security function.
For organisations considering this approach, the starting point is an assessment of your current security posture to identify the gaps, opportunities and priorities that matter most.
For more information about vCISO services and assessing your security posture, contact us at nexon.com.au/nexon-cyber.
Garth Sperring is General Manager – Network & Cyber at Nexon Asia Pacific.
References:
1. Future Skills Organisation: Workforce Plan 2025: Pathways to Impact, 2025
2. ISACA: State of Cybersecurity 2025