
A recent industry study put a number on something most operations leaders already felt in their gut. There are roughly 35,000 Chief Information Security Officers in the world, and they are spread across an estimated 359 million businesses. That works out to about one security chief for every ten thousand companies. If you run a mid-sized manufacturer, the message in that ratio is blunt. The senior security leader you keep meaning to hire is not coming, at least not at a price or on a timeline that matches your reality.
For years the standard advice was to wait, budget for it, and eventually recruit a security executive the way large enterprises do. Mid-sized manufacturers have quietly stopped following that advice. They watched the hiring race, did the math, and chose to solve the problem a different way. This article is about what they figured out, why it holds up, and why the factory floor and the supply chain made the old model unworkable in the first place.
The thing they actually figured out
Here is the shift, stated plainly. Mid-sized manufacturers stopped treating CISO capacity as a person they had to hire and started treating it as a function they had to distribute. Security leadership, in this view, is not one overworked executive perched at the top of the org chart. It is a set of decisions that get owned across leadership, operations, and supplier relationships, backed by senior expertise brought in at the level the business genuinely needs. The work did not vanish. It got unbundled from the job title. That single reframing is what lets a company with three plants and a lean head office carry real security leadership without pretending it can win a recruiting war against the Fortune 500.
Why one CISO was never built for your factory and its suppliers
A traditional CISO model assumes a fairly contained digital environment: corporate systems, email, some cloud applications, a defined network perimeter. A manufacturer does not live in that world. You run information technology in the office and operational technology on the plant floor, and those two domains speak different languages, fail in different ways, and are often guarded by different people who rarely sit in the same meeting.
Then there is the part most org charts ignore entirely. Procurement owns the vendor relationships. Operations owns plant uptime. IT owns security policy. And the question of whether a component running inside your control systems introduces real risk tends to fall straight through the cracks between those three functions. No one is incentivized to own it, so no one does. This is not a personality problem. It is a structural one, and it is the same reason that security ownership so often fails inside matrix organizations where authority is split across departments that each optimize for their own targets.
Asking one newly hired CISO to parachute into that environment and personally close every gap is a fantasy. The terrain is too wide and too political for a single role. Mid-sized manufacturers noticed this before most consultants did, because they live the consequences directly when a line goes down.
The hiring race they stopped trying to win
Even setting the factory complexity aside, the labor market made the old plan close to impossible. There are well over half a million unfilled cybersecurity roles in the United States alone, and the global shortage runs into the millions. When a qualified security leader does come to market, compensation can exceed a quarter of a million dollars a year before benefits and equity. For a mid-sized manufacturer protecting margins against rising input costs, that single line item is hard to justify and harder to sustain.
The number that should give pause, though, is not the salary. It is the turnover. A 2026 industry report found that roughly three out of four security chiefs are considering a job change, and that the average tenure in the role has fallen to somewhere between 18 and 26 months. Read that again. Even if you win the hiring race, you are likely recruiting for the same position again inside two years, restarting the relationship, the context-building, and the institutional knowledge from zero.
There is a subtler trap in winning, too. When a single executive owns both the security program and the story the board hears about it, you create a quiet conflict of interest. That person’s standing depends on appearing to be in control, which is precisely the wrong incentive when you need honest reporting about what is actually exposed. The CFO quantifies uncertainty for a living and has no reason to soften it. A lone, overstretched CISO carrying the entire narrative does. Distributing the function does more than spread the workload. It separates the people doing the security work from the single voice describing its risk, which makes the board conversation more honest, not less.
What distributed capacity looks like on the ground
In practice, this model usually pairs senior security leadership brought in on a fractional basis with clearly named internal owners for the day-to-day. The external leader sets strategy, builds the program, prepares the company for audits, and translates technical risk into business terms for the board. The internal owners, often people already on the team, handle execution against that direction. Crucially, ownership of specific risks gets assigned to named individuals rather than left floating between departments. Someone owns vendor risk. Someone owns plant-floor access. The question stops falling through the cracks because a person’s name is attached to it.
The cost of getting this wrong is no longer abstract for manufacturers. In 2026, ransomware disrupted operations at major manufacturing names including West Pharmaceutical and Foxconn, the kind of incident that does not just leak data but halts production lines, delays shipments, and pressures safety and quality systems. The year before, the disruptions at Jaguar Land Rover and Marks & Spencer showed how a single outside dependency can stall a business that otherwise looked well defended. None of these were companies that lacked resources. They were companies where the gap between systems, suppliers, and clear ownership opened just wide enough for an attacker to step through.
A distributed model does not make a manufacturer immune. Nothing does. What it changes is recovery readiness and the speed of the decisions that matter in the first hours of an incident, because responsibility was assigned before the crisis rather than improvised during it.
The supply chain is where capacity really gets tested
If there is one area where the old single-CISO model breaks hardest, it is third-party risk. Roughly 70 percent of organizations now describe themselves as very or extremely concerned about cybersecurity risk in their supply chains. More than half of large organizations say supply chain complexity is the single greatest barrier to their cyber resilience, ranking it above direct attacks on their own systems. And software supply chain attacks have climbed roughly threefold in the past year, as attackers learned that compromising one supplier can cascade to hundreds or thousands of customers downstream.
For a manufacturer, the supply chain is not a side concern. It is the business. Every supplier, logistics partner, and software provider is a potential entry point, and the most damaging attacks of the past two years arrived through trusted third parties rather than the front door. Managing that exposure is a continuous discipline, not a once-a-year questionnaire, which is why managing third-party and supply chain risk as you scale has become a board-level conversation rather than a procurement footnote.
This is exactly the kind of risk that a distributed capacity model is built to carry, because it does not depend on one person somehow monitoring every vendor relationship alone. It depends on the function being owned, mapped, and reviewed continuously by people whose job it is. It also explains why so many mid-market security audits quietly fail: they check the company’s own controls while the real exposure sits one layer out, in the suppliers nobody was assigned to watch.
The quiet advantage
What mid-sized manufacturers figured out was never really about saving money on a salary, though it does that. It was about matching the shape of the solution to the shape of the problem. Their risk is spread across IT, OT, procurement, and a sprawling supplier network, so their security leadership had to be spread the same way, owned in pieces by people accountable for each piece, and guided by senior expertise sized to the business.
The companies still waiting for the perfect hire are, in a sense, waiting for a model that was designed for a different kind of organization entirely. The ones who stopped waiting are not less ambitious about security. They are more honest about how their business actually works. If your factory and your supply chain are already distributed, the uncomfortable question is why your security leadership still sits, on paper, in a single empty chair you have not been able to fill. The manufacturers pulling ahead answered that question a while ago. Quietly.