It appears that 2024 will be the year of the virtual CISO.
A vCISO is a part-time or on-call chief information security officer. They typically are a good fit for SMBs that need security guidance and a way to deal with changing requirements, but don’t have the budget to hire a permanent CISO.
Many SMBs are turning to MSPs to satisfy their vCISO requirements. A staggering 86% of MSPs and MSSPs plan to offer vCISO solutions in 2024, up from only 5% in 2021, according to a recent survey by Cynomi.
Rick Norberg
Well-Positioned Opportunity
MSPs are in a unique position to provide comprehensive vCISO services. Since they have had to become security experts to keep customers safe, they know the lay of the land. They also know their customers well.
Cost is another factor in MSPs’ favor. They know the customers’ businesses and already have good working relationships, so the administrative overhead is lower than for a consultancy. MSPs can even leverage efficiencies and economies of scale by bundling vCISO services with other services, explained Rick Norberg, CEO of Vertikal6, a managed IT services provider.
“If we are already providing security services on top of our primary MSP offering, we already have a baseline for CISO services. It’s not like you’re starting from scratch with an initial assessment.”
MSPs can sweeten the pot with combination discounts and incentives, in addition to giving clients the chance to amortize improvements over months.
“Everything is negotiable,” said Ian Thornton-Trump, CISO at Octopi Managed Services.
Ian Thornton-Trump
These factors make an MSP’s vCISO opportunity as attractive for them as for their customers. Margins are similar to that of other MSP services, but the potential for extra business makes up for it, Norberg said.
Even vCISOs outside of the MSP world understand that it makes sense to turn to an existing services provider for vCISO services, said Russell Eubanks, a faculty member at IANS Research, instructor at SANS Institute, and founder and CEO of Security Ever After.
“If a company has a relationship with an MSP and they trust them, it likely feels safer to extend a relationship versus creating a new relationship.”
Making the vCISO Play
There are two ways MSPs can prepare to offer vCISO services: Use a pre-built platform or develop a program on their own.
Russell Eubanks
The pre-built approach works through vendors like Cynomi or Vanta, software-based platforms aimed specifically at MSPs that provide everything from client management to billing help. They also help with automated compliance management, risk assessments and remediation workflows, continuous monitoring, and automated security training workflows.
To advance beyond that, these platforms can help MSPs create their own offerings.
Norberg is considering combining the platform approach as he reworks Vertikal6’s vCISO offering, which the company first began offering about two years ago after developing it independently, he noted.
“Customers were asking for these services that were outside of the traditional services we had offered, so we started to engage in more in-depth conversations with them about security.”
Vertikal6’s vCISO offerings initially were more ad hoc; Norberg wants to productize it in a more managed services way. His goal is to roll out the revamped vCISO offering in early 2024.
Being a ‘Guide in the Wilderness’
Thornton-Smith also has learned quite a bit since Octopi Managed Services began providing vCISO services.
One of his biggest lessons: Existing customers provide an easier pathway to market vCISO services because the relationship has been built.
For example, a legal client that Octopi had been working with for a few years wanted to open a second branch and provide more flexibility around remote working. The customer turned to Octopi to ensure that the new set-up would pass compliance and security scrutiny.
Through that back door, Octopi began providing vCISO services for that company, Thornton-Smith shared.
“Customers want a guide in the wilderness to ensure security, and they know their MSP will provide a true partnership.”
Image: iStock
