A named CISO, AI-augmented — strategy your board can read.
TL;DR. Always human-led: a named CISO owns the relationship. AI covers roughly 80% of the production — evidence, reports, control tracking — so the human time goes to strategy, board communication and the audit interface. On-prem AI, no cloud data exposure.
What this is about
A full-time CISO is out of reach for most Mittelstand companies, and a part-time consultant who shows up quarterly can't carry the operational load. We split the work the right way: a named human CISO owns strategy, governance, board reporting and the audit room; the platform produces the evidence, reports and control tracking underneath. NIS2 couples security to governance — so the output is board-ready by design.
How we run it
The CISO works from platform reports generated on-prem (no cloud data exposure), so the underlying evidence is current rather than reconstructed before a meeting. We deliver the governance cadence: risk register, statement of applicability, control tracking, board updates, and the NIS2 execution pack. When an audit or incident needs presence, on-site days are available. The human decides; the platform does the production.
When it fits
Companies under NIS2 or pursuing ISO 27001 that need senior security leadership without a full-time hire. Boards that want security reported in their language, with evidence behind it. Organisations whose audits keep escalating into projects because the evidence is never ready.
What we don't do
We don't send a generic consultant with a checklist. We don't expose your governance data to a public cloud model. We don't let audits become annual fire drills — the evidence is continuous.
What you can hand off
- Named CISO: a human owner for strategy, governance and the board relationship (AI-augmented, not AI-replaced).
- Board-ready reporting: security reported in board language, with current evidence behind every claim.
- NIS2 execution pack: the structured set of obligations, controls and evidence NIS2 expects, kept current.
- Continuous control tracking: risk register, statement of applicability and controls maintained on-prem, not reconstructed pre-audit.
- On-site audit days: presence for audits, incidents and regulatory meetings when interviews or sign-off need a person in the room.
Engagement facts
| Engagement fact | Detail |
|---|---|
| Model | Human-led (named CISO required) · AI covers ~80% of production |
| Data exposure | On-prem AI · governance data does not leave the perimeter |
| Onboarding | NIS2 execution pack, mandatory |
| On-site | Audit/incident days available |
| Capacity | 4–5 customers per CISO; experienced operators up to 8 |
| Frameworks | NIS2, ISO 27001, DORA, BSI IT-Grundschutz |
Asked before the briefing
- Is this a real person or an AI?
  A real, named CISO owns the engagement. AI handles roughly 80% of the production (evidence, reports, control tracking), so the human time goes where judgement matters.
- Where does our governance data sit?
  On-premises AI. Your governance and evidence data does not leave the perimeter to a public cloud model.
- How many customers does one CISO carry?
  Four to five typically; experienced operators up to eight. That cap is deliberate: board work doesn't scale infinitely.
- Does this prepare us for ISO 27001 and NIS2?
  Yes. Control tracking, statement of applicability, risk register and the NIS2 execution pack are maintained continuously, so audits don't become projects.
Senior security leadership, without the full-time hire.
We show how a named CISO plus on-prem evidence production keeps your board informed and your audits boring.