From MSP to vCISO: 5 Steps to vCISO Success

In today’s rapidly evolving cybersecurity landscape, the role of a CISO is pivotal for any organization. However, not every company can afford a full-time CISO. This is where vCISO services come into play, offering a cost-effective solution for robust cybersecurity oversight.

The demand for vCISO services is skyrocketing. According to a 2022 ConnectWise report, 94% of SMBs would consider using or switching to a new MSP if they offered the “right” cybersecurity solution. In response, 67% of MSPs and MSSPs plan to offer vCISO services by the end of 2024. This growing market presents a prime opportunity for MSPs and MSSPs to expand their services and provide critical security leadership to their clients.

To capitalize on this opportunity, MSPs should avoid common pitfalls. We sat with Jesse Miller to discuss five steps MSPs can take in the first 100 days to offer successful vCISO services. For more actionable tips, watch the full webinar.

5 Steps to vCISO Success in the First 100 Days

The following are five steps MSPs and MSSPs should do in the first 100 days with a new client. These steps can be used as a pathway to success. They are in order, while there will be some overlap, each step should generally waterfall into the next.  For example, you may start with parts of step 2 while finishing up parts of step 1. 

Step 1: Research (Days 0 -30)

Conducting thorough research and collaborating closely with stakeholders, to discuss and address their needs and security gaps is crucial for grasping your client’s specific security requirements and desires. It’s vital to involve management and ensure they comprehend the importance of cybersecurity, thereby encouraging the implementation of essential measures. 

In Jesse’s words, “You’re [going to] be able to speak the language of the business.” This entails looking beyond mere tools and gaining a profound understanding of the business and its needs.

The process involves several steps:

1. Meet with Management: Initiate the process of discussing and identifying the business’s most critical assets, referred to as the “crown jewels.” 
2. Identify Critical Assets: Determine which aspects of the business are critical. This includes understanding which line-of-business applications are in use.
3. Assess Data Storage: Audit how and where the data is stored.
4. Evaluate Impact of Downtime: Investigate the implications of key systems being offline for different durations (e.g., 7 days, 14 days) or being unrecoverable.
5. Understand Business Impact: Discuss what these potential downtimes or data losses would mean for the business.

Continuous learning is important at this stage. Meet with various departments, stakeholders, management, IT, and other relevant teams to identify and gain access to the right tools and systems. Review vulnerability management reports, and conduct threat intelligence research specific to the client’s industry or vertical and the threat actors targeting them. Analyze all the reports for past security incidents and how they were handled. Review vendor management processes to identify third-party risks. Gathering this information will allow you to create a comprehensive picture of the current security environment, which is crucial for developing an effective security strategy.

Step 2: Understand (Days 0 – 45)

Use tools and platforms to conduct a thorough security risk assessment with various stakeholders, including customers, IT, and engineering teams. This step helps to create a clear picture of the client’s security posture, identify potential risks, and determine the necessary measures to mitigate them. Once the client’s current state is identified, short-term and long-term security needs can be determined based on the findings from the risk assessment. 

This process should include a formal gap analysis to highlight the differences between the current state and the desired security posture. Utilize established cybersecurity frameworks like NIST to benchmark the organization’s security practices against industry standards. 

Present your findings from a three-filter process: 

• Risk Without Services: Show clients their risk levels without any security measures, which typically remains high (around 90%).
• Risk With Basic Services: Illustrate the risk reduction achieved by basic security services, bringing it down to approximately 60-70%, but highlighting remaining critical issues.
• Customized Risk Mitigation: Provide a tailored plan to achieve an acceptable level of risk, showing specific steps to further reduce the risk and improve the security posture.

This sets the stage for developing a targeted remediation plan that aligns with the client’s risk appetite and business goals.

Step 3: Prioritize (Days 15 – 60)

Use a prioritization framework to address the most critical issues first, ensuring that the client’s most significant vulnerabilities are mitigated promptly. Define specific, measurable, achievable, relevant, and time and budget-bound goals for the security initiatives. Develop a detailed work plan that outlines the necessary steps, timelines, responsible parties, and expected outcomes. Document identified risks along with their likelihood and impact on security and budget. 

It’s important to present your plan without overwhelming clients. 

Key points include:

1. Immediate High-Impact Wins: Focus on the top three critical actions to improve security right away.
2. Long-Term Improvement Plan: Spread out additional necessary actions over the next year to avoid overwhelming the client and users.

This ensures that you develop a steady revenue and profit pipeline by providing valuable security services, creating a virtuous cycle where clients become more secure and MSPs are fairly compensated. The goal is a win-win scenario where both MSP and client benefit, with improved security for the client and sustainable profitable growth for the MSP.

Step 4: Execute and Monitor (Days 30 – 80)

Outline the execution of the security plan and set up continuous monitoring processes. Automation and tools can streamline this process, reducing the time and effort required to manage security tasks while ensuring consistent protection. Monitoring is just as important, if not more important, than the initial setup. 

As Jesse puts it, “If we have the right controls in place, and we’ve identified the systems that we need to focus our attention on to make sure that we are safe, we can be resilient against an attack.”

Implement automated systems to handle routine security tasks, such as password resets, report generation, and vulnerability scans. Focus on quick, high-impactful wins to build momentum, demonstrate early success, and establish the ROI. Regularly update and refine security policies based on real-time data and ongoing assessments. Establish a cadence for external scanning and reporting to track improvements and highlight risk reductions over time. By continuously managing and adjusting your remediation plans, you ensure that security measures remain effective and responsive to evolving threats.

Step 5: Report (Days 45 – 100)

This step underlines the importance of comprehensive reporting for MSPs and their clients. Jesse recommends creating tailored reports for different audiences, such as detailed reports for IT managers and summarized and colorful reports for executives and boards. These reports should highlight improvements, identify ongoing risks, and offer clear next steps. 

When presenting a report about the attack vector score, you want to tell a story: “We were a 2.2. Then after three months, we became a 3, and now we’re a 5.4.” Start with good news to build confidence and then address areas needing improvement. 

This demonstrates a positive trend. Management loves understanding trends. In leadership positions, it’s critical to know whether there is a trend towards the right direction or not.  And that is followed by understanding on what needs to be done to continue or start trending positively. Communicate progress at least once a month to maintain transparency and keep the urgency of cybersecurity initiatives at the forefront. Conduct additional assessments periodically to measure progress and realign strategies with the organization’s evolving needs and threat landscape. Use standard reporting templates to ensure consistency and ease of understanding for executives. 

The ultimate goal is to create a continuous improvement cycle, ensuring that security measures align with business needs and demonstrate tangible value to stakeholders. This approach helps MSPs position themselves as trusted advisors, fostering strong, profitable client relationships.

Elevate Your MSPs and MSSPs with vCISO Services

Accelerate your vCISO journey with expert onboarding tips from information security specialist Jesse Miller who shares practical strategies and real-life case studies of successful vCISO implementations. These insights will provide you with actionable strategies to implement immediately, helping you to enhance your service offerings and establish your cybersecurity services.

Don’t miss out on these insights—watch now and build yourself up for vCISO success.