CISO positions are not inexpensive ones to hire for, so does your enterprise really require one? Mid-sized companies tend to get caught in the thick of this confusion.

In metro areas, like San Francisco, CISO salaries top out around $380,000, although it’s possible that some are paid even more for their skills. Yet, despite the high cost, nearly 40% of companies choose to have a CISO role.

Considerations that companies may wish to examine in determining whether or not to include a CISO within the executive team include the value of trade secrets and IP, whether or not the organization is subject to specific regulatory requirements, where an organization is within its digital transformation process, and geography.

“Midsized companies in the European Union are more likely to have appointed a security officer due to the GDPR regulation, which affects every size of a company in the EU,” writes Security Boulevard. If your organization has plans to expand internationally, then a CISO may be the right direction for you.

In the event that a full-time CISO role isn’t a reasonable proposition, for budgetary reasons or otherwise, consider a virtual CISO (also known as a vCISO). These positions are typically offered as remote and part-time.

A vCISO usually has extensive industry experience, and has encountered a wide array of security configurations in the past. These individuals should be able to communicate a business’s risks to management, and to recommend potential mitigation strategies.

For additional information on protecting your IT infrastructure and on the standard qualifications of a vCISO, visit Forbes.