The risks and benefits of starting a vCISO practice

There is a definite trend of MSPs shifting into security. There are a number of very good reasons for this, including the fact that other services traditionally offered are becoming commoditized, as well as the increasing threat that SMEs and SMBs are facing when it comes to cyber attacks.

MSSPs and MSPs are well placed to offer security services: they generally have the experience, knowledge, and expertise on the team, and they are the trusted “go to” partners of their clients, including for cybersecurity-related products and services.

With malware automation, phishing kits on the dark web, and heavier security at enterprises, it’s SMEs and SMBs who are in attackers’ sights. And while larger enterprises have the resources to support a full-time CISO, other companies do not have this luxury.

Small and medium-sized businesses are therefore increasingly seeking vCISOs (Virtual CISOs), with an understanding that their cybersecurity posture is critical to their ongoing success – and in many cases, survival. Larger businesses are also forcing smaller suppliers to comply with ever-more complex security certifications and regulations, adding urgency to the need for a vCISO.

Who do they turn to for these more strategic security services? Naturally, the first people they speak to are their trusted MSP and MSSP.

For these service providers, they can see the demand increasing, and want to supply such services for several reasons; of course, this is a tremendous commercial opportunity, but it also touches on why many of these service providers started; to help businesses navigate IT-related challenges, where cybersecurity has become challenge number one.

Many of these MSPs and MSSPs want to provide vCISO services – seeing the incredible benefits of offering such services – but many feel they can’t, citing the risks involved.

So what exactly are the risks and benefits of starting a vCISO practice?

A vCISO practice: the risks

We’ll start with the risks of opening a vCISO practice within your existing organization.

First off, it’s widely known that many vCISO processes are manual and labor-intensive. Running gap analyses, or assessing which frameworks need to be complied with for example, takes a lot of time – time that MSPs and MSSPs often just don’t have.

Second, cybersecurity talent is scarce and expensive. Most service providers don’t have the required skills in-house, and while they might have a couple of CISO-level employees, they do not have enough to aggressively scale that part of the business.

Another challenge is that every customer is different, making the whole process problematic to scale. Additionally, processes and outputs are hard to standardize, and sharing knowledge is not easy.

Budgets are also a risk that service providers are up against. Customers’ budgets for cybersecurity are notoriously tight, especially the SMBs and SMEs traditionally serviced by this sector.

It’s not all doom and gloom however. There are several very attractive benefits to starting a vCISO practice, and indeed many MSPs and MSSPs have done just that.

The benefits of starting a vCISO practice

There is a huge and growing demand from SMB and SME customers for vCISO services, and the first organizations they approach are their MSPs or MSSPs.

This presents a brand new revenue stream for service providers, one that is recurring and is relatively stable in the long run.

It also serves to differentiate MSPs or MSSPs from the competition; by offering vCISO services, they now have a unique angle in a very crowded space.

These benefits are compelling, but the risks – particularly when it comes to scaling – might still be weighing on the thought process for many service providers. Happily, there are technologies out there that give access to the benefits while mitigating the risks. vCISO platforms, for example, allow MSPs and MSSPs to automatically scale their offering, without a massive investment in resources, providing all the tools necessary to make their vCISO practice a success. Just imagine you could reduce the time required for a risk assessment from 40-80 hours, to just 2-4 hours. Or if you could have a standardized customer-facing report that tracks your progress with one click. Imagine you could automatically create a remediation plan with task priorities and timelines. And wouldn’t it be great if you could see your customers’ current status vis-à-vis security frameworks such as NIST or CIS, and compliance requirements such as HIPAA or PCI-DSS – again with just one click – and get an actionable plan for closing the gaps. Luckily, this is the new reality for service providers when they use a vCISO platform.

This is confirmed by vCISO platform users who have seen significant results and have leveraged such a platform to grow their business. Carlos Rodriguez, CEO of CA2 Security, notes that “Once we started using a vCISO platform, we never looked back! We use it with our Fractional CISO Service clients to assess risk and monitor progress and in some cases as a communication tool with the executive leadership team.” He continues that “In addition, we have also streamlined our Risk and Compliance Assessment Service that we deliver to our clients with accurate visibility into cyber risk that helps us deliver an actionable remediation roadmap.”

Getting started with a vCISO practice

In short, starting a vCISO practice can be extremely rewarding, and doesn’t have to be as threatening as some may think. Provided you’re using a vCISO platform, it can be simple, seamless, and a game changer for your business.

Now is the time to get started. Demand for vCISO services is exploding, and those taking advantage of this trend are going to be strongly positioned for future growth.