“Everyone plays a part in cybersecurity because people are the human firewall.”—Steve Cairns, Fractional IT leader at Freeman Clarke.
As cyber threats grow in scale and sophistication, businesses of all sizes are under pressure to strengthen their defences. Yet for many small and medium businesses (SMBs), hiring a full-time Chief Information Security Officer (CISO) isn’t realistic.
Enter the fractional CISO: a flexible approach that gives companies access to expert cybersecurity leadership without the full-time cost. But with attackers becoming more strategic, leveraging tools like AI, and targeting smaller suppliers to reach larger organizations, how can security leaders keep pace?
We spoke with Steve Cairns, a fractional CIO, CTO, CISO, and board advisor at Freeman Clarke. Beginning his career in software development, he moved into project and service management, leading teams in large organizations across Asia Pacific, Europe, and the US. He is an expert in cloud systems and AI, deploying them for multiple companies. Now, in a fractional role, he draws on his experience to work part-time with several organizations to improve their security posture.
In this discussion, we explore the fractional approach to cybersecurity and IT leadership, why it’s important for everyone in an organization to follow best security principles regardless of seniority, and how to respond effectively to a cyber-attack.
Many small and mid-sized businesses are not able to justify the cost of a full-time CISO. How can they still access the right level of cybersecurity leadership and expertise to protect their organization effectively?
That’s partly why the concept of a fractional leader emerged. Many small or medium-sized enterprises (SMEs) have an IT manager who’s risen through the ranks and hit their ceiling—someone capable but not a true leader, not sitting at the board table, yet still expected to handle IT and cybersecurity.
A fractional leader offers a cost-effective alternative: you pay a high day rate, but only for a day or half-day a week, and in return you gain access to someone with deep experience, often with a corporate background.
There’s also the option of a virtual CISO. This is a third-party service, rather than an individual who embeds themselves in the organization. There are plenty of models now that give you access to expertise you may not have in-house, without the cost of a full-time senior hire.
Ultimately, the crucial step is putting a CISO at board level. Only then can they understand business objectives, financial pressures, and competing investment priorities, and make a compelling case for cybersecurity funding. With that strategic alignment, organizations stand a far better chance of being prepared for future attacks.
We often think of cyberattacks as targeting the biggest organizations, but attackers are increasingly turning their attention to smaller suppliers and service providers within the supply chain. Why are these smaller businesses becoming such appealing targets, and what can companies do to strengthen their defenses across the entire supply chain?
Smaller companies are often less experienced and assume they “fly under the radar,” thinking attackers only go after the big payouts. But over time, cybercriminals have increasingly targeted small and mid-sized businesses because they still offer rewards and usually have weaker defenses. These organizations often lack dedicated cybersecurity teams, don’t fully understand what protections they need, and pay less attention to basic security practices.
Many are family-run or have grown informally, carrying a culture that doesn’t prioritize strong credentials or two-factor authentication. They may delay upgrading equipment or patching systems because of cost, time, or limited resources. As a result, they simply don’t have the maturity, money, or capacity to keep their environments up-to-date and secure. It’s also common for them to operate without cyber insurance, assuming they won’t be targeted. So, when an attack does happen, the impact can be devastating: they struggle to recover operationally and financially.
Hackers increasingly look for the weakest link. Large corporations are harder to breach, and therefore aren’t as interesting. So, attackers focus on the supply chain and smaller, more vulnerable businesses that provide easier access and far fewer barriers.
Social engineering remains one of the most common causes of breaches. What practical steps can companies take to ensure that their people become a line of defense rather than the weakest link?
I think you have to really embed a security culture in the organization, and that starts with training. It used to be once or twice a year—mainly to tick the cyber-insurance box—but now it’s becoming a monthly routine with videos and updates to keep risks front of mind, especially around phishing and stolen credentials. People also need to feel safe making mistakes. They might fail a test or click the wrong link, but it’s all part of the learning curve and part of protecting the business.
It has to come from the top, too. I’ve seen leaders assume they’re exempt from basic protections like two-factor authentication because it feels inconvenient, while insisting everyone else uses it. They don’t realize that leaders are often the prime targets. One of my clients learned this the hard way: the CEO reused a simple password across shopping sites and social media. When one of those platforms was breached, attackers used the same password on their business email—which had no two-factor authentication—and got in. I now use that as a real-world example: nobody gets a pass. Everyone plays a part in cybersecurity because people are the human firewall.
You can have every tool, patch, and monitoring system in place, but it only takes a convincing phone call from someone pretending to be IT support or even a utility provider to catch someone off guard. You should be checking them, not the other way around. It’s a mindset; what you practice at home should be what you practice at work, at every level.
And when people fail training tests or phishing simulations, the point isn’t to embarrass them. It’s to understand why they slipped, retrain them, and help them recognize suspicious emails and verify anything that feels off. It’s ultimately a culture shift: helping people build the habit of spotting red flags and checking before they trust.
Even with the best tools in place, preparation must be the key. If a company found all its systems encrypted by hackers tomorrow morning, what should its immediate priorities be—and how can it prepare for that scenario in advance?
First, I would contain the issue. Take the affected systems offline so an intruder can’t keep wreaking havoc if they are still on the system. But remember, attackers are often inside the environment long before you notice, quietly observing who matters and where to strike to get the best payback.
Next, communicate across the organization. Everyone needs to know there’s been a breach and that you’re activating your response plan. You also need clear ownership: someone to coordinate the overall response, someone else to communicate (this needs to be someone who isn’t working at containing it), and the IT team focused solely on containing the technical side. That coordination may include briefing the board, contacting your cyber-insurance provider, or bringing in external partners to help.
All of this assumes you already have a plan; that’s where many companies are failing right now. They don’t have a playbook and they’ve never rehearsed an attack scenario. Beyond the usual protections like firewalls, patching, and user training, you need to practice your response. Run tabletop exercises, involve the right people, and be clear on who is taking responsibility and who does what.
If the attackers are a known group—especially state-backed—external experts on cyber breaches can guide you. You don’t want your CEO or CFO negotiating with hackers; they may feel pressured to pay when that might not be the right move. Even if you recover your data, it can still be sold on, and the attack can continue if vulnerabilities aren’t fixed.
Finally, ensure you can recover. That means strong, immutable backups, kept completely separate from your operational systems with an air gap. Also, make sure you test your ability to restore. Running servers at 80–90% capacity leaves no room to recover anything when you need it. You need a clean, isolated environment ready to bring the business back online.
AI is playing a growing role in almost every area of life. How are cybercriminals using AI to enhance their attacks, and how can organizations use the same technology to strengthen their defenses?
AI is a powerful tool for automating tasks that were traditionally done by hand. It’s creating huge efficiencies in business processes. Unfortunately, that same capability also applies to automating phishing attacks; AI can now craft and send highly convincing emails. These messages can look almost identical to the company they’re impersonating. Give it a real email, and it can recreate the branding, colors, logos, and fonts, and you may not be able to notice a difference, even with a keen eye.
Voice cloning is another growing threat. You might get a call where you’re asked to repeat a phrase or have a seemingly useless conversation. What they’re really trying to do is capture your voice so it can be reproduced later saying something you never said. We are seeing this happen with families, i.e., a son or daughter calling a parent frantically asking for money. In those situations, it’s always best to hang up and call the person back using a number you trust.
Deepfakes are another area evolving fast. There have already been cases where someone has joined a video call like this, and the person on-screen wasn’t real; it was a deepfake sitting in on a board meeting, quietly listening to highly sensitive information.
AI has dramatically lowered the barrier to entry for cybercrime. Hacking groups on the dark web can now buy ready-made tools or AI-generated prompts that help them carry out attacks. It costs them very little, and the payoff often far outweighs the investment.
But AI is also becoming a key defense. Many cybersecurity tools now use AI to monitor network traffic and spot suspicious behavior. Instead of relying solely on humans, you can train AI to understand what “good” looks like so it can flag anomalies for the IT team. It can even hunt for threats, identify common email addresses or IPs tied to attacks, pinpoint their origin, and block incoming data from those regions.
AI can also help companies create policies for staff, computers, internet use, and AI itself: documents that can be shared across the organization. Instead of spending money to bring in an expert to write a security policy, organizations can use AI to draft one that’s tailored to their needs.
So, while AI brings enormous benefits in the fight against cybercrime, the reality is that we’re heading toward a future where it’s AI versus AI. I don’t think many humans will be involved and it’s a very new world we’re stepping into from what we have been used to.
The role of a CISO carries a huge amount of responsibility—protecting an organization’s data, reputation, and often its very survival. How do you manage the personal pressures of that role, and what advice would you give to cybersecurity leaders who may feel the weight of that responsibility on their own shoulders?
The first thing I’d say is that cybersecurity is a team sport. It may feel like the head of IT or IT security carries the full load, but responsibility should be shared even at the top: CEO, chairman, the whole board. That’s why it’s important that the CISO has a seat at the board table, advising on risks and ways to attack them.
No one person should shoulder it all. Responsibility should be shared and delegated into the technology teams. If you work with a managed service provider, part of their job is patching, reporting, and flagging anomalies; again, taking pressure off the CISO.
I’m fortunate at Freeman Clarke to have peer support. I’m one of a hundred fractional leaders, and having colleagues at the same level to share experiences and swap ideas with makes a huge difference. That’s one of the real benefits of the fractional model: you’re never on your own. You really do feel you’ve got a support network.
With a strong peer network, clear delegation to technical teams, and a board that understands the risks, invests properly, and participates in things like tabletop exercises and playbook planning, the weight doesn’t fall solely on the shoulders of the CISO.
Finally, the CISO needs to be a well-rounded person—able to keep perspective and stay resilient in what can be a brutal role. Exercise, healthy habits, balance—all those classic things matter. Businesses often don’t grasp the pressure CISOs are under, and their successes can go unnoticed, while blame comes fast when something goes wrong.
What keeps you motivated and inspired in such a constantly evolving and high-stakes environment?
For me, this is one of the most rewarding parts of my job. My interest in technology started in the 1980s after watching WarGames. The idea of ethical hacking—of someone trying to break into a government system just to play a game—fascinated me, and that curiosity never left me.
Despite the challenges—balancing board responsibilities, aligning with business objectives, managing organizational risks, implementing controls, training employees on threats like phishing, and maintaining playbooks for incidents—the reward of seeing a business grow and thrive without a cyber incident is immensely satisfying. It’s a dynamic, ever-changing field, and yes, it can be a little scary, which is why you need support around you.