Martin Hořický
Partner • Digital Services
CISOaaS - CISO as a Service
Strategic cybersecurity leadership
Increasing regulatory demands (e.g. DORA, NIS2) and the growing complexity of IT environments are forcing financial institutions to rethink their cybersecurity management models. CISO as a Service provides access to an experienced security leader without the need for a full-time internal hire.
An external CISO (Chief Information Security Officer) becomes a key part of risk management – ensuring regulatory compliance, leading security strategy, training staff, and representing the institution to supervisory author
What is CISO as a Service - and why is traditional IT leadership no longer enough?
Unlike a typical IT manager or security technician, an external CISO:
- Provides strategic leadership in security – from policy and risk management to incident response.
- Ensures compliance with DORA, NIS2, GDPR and communicates with regulators (e.g. CNB, ECB).
- Has experience with building and maintaining ISMS based on ISO/IEC 27001, managing third-party risk, training, testing, and crisis planning.
Operates independently and objectively, often with a broader sectoral perspective.
What do DORA and NIS2 require from security governance?
01
Clear assignment of roles and responsibilities in ICT security.
02
Continuous risk analysis and resilience testing, including recovery planning.
03
Security awareness training, oversight, and incident reporting.
04
Functional governance, involving senior management and regulators.
Benefits of CISO as a Service:
Regulatory Compliance
- fulfilment of DORA, NIS2, GDPR, ISO/IEC 27001 requirements
- preparation for audits and inspections (CNB, ECB, national authorities)
- reduction of sanction risks and reputational impact
Strategic Risk Management
- security governance and strategic roadmap
- supplier risk and third-party assessments
- development and review of policies and control frameworks
Efficiency and Cost Optimization
- access to expert leadership without full-time hire
- scalable engagement tailored to organizational needs
- reduced costs for recruitment and staff training
Objectivity and Expertise
- independent perspective without vendor lock-in
- certified experts (CISSP, CCISO, CISM, etc.)
- cross-sector experience and regulatory insight
Incident Management
- crisis scenario planning and tabletop exercises
- rapid response to security incidents
- enhancing operational resilience and recovery
Awareness and Training
- staff and leadership training programs
- building a strong security culture
- raising threat awareness and user accountability
How does the cooperation work?
Initial Assessment
Analysis of current cybersecurity posture, regulatory gaps and needs.
Strategy & Planning
Development of security roadmap and governance model.
Implementation
Rollout of policies, controls, metrics, training and testing.
Reporting & Communication
Reporting to management, audits, and regulators.
Incident Response & Crisis management
Defining scenarios, plans, and simulations.
Continuous Oversight
Ongoing security leadership, risk reviews and audit preparedness.
Why work with BDO?
- Regulatory Expertise
- We understand DORA, NIS2, ISO/IEC 27001, GDPR, and the expectations of both European and national supervisory authorities.
- Independence & Trust
- We do not sell proprietary technology – we offer truly objective and trustworthy security management.
- Scalable Service
- Our offering ranges from advisory and mentoring to full CISO role coverage, whether on a monthly or multi-year basis.
- Certified expertise
- Our professionals hold certifications including CCISO, CISSP, OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA and more. They have hands-on experience from banks, insurance companies, and ICT service providers.
