Chapter 1: Building a vCISO offering
Recap from Introduction to vCISO Services: Why Service Providers want to Offer vCISO Services
vCISO services are especially attractive to MSPs and MSSPs as they address a growing need from their clients for proactive cyber resilience and compliance management while offering the potential to grow recurring revenues.
The primary benefits for clients include:
The primary benefits of offering vCISO services include:
- Additional revenue streams
- Opportunity to upsell more products and services to existing clients
- Increased profit margins (one person managing multiple clients)
- Improved client security
- Greater differentiation from competition
- Enhanced client engagement and loyalty: Many vendors offering vCISO services claim that providing these services enhances their client intimacy allowing them direct contact with clients’ top management.
Where to Begin: What to Offer and to Whom
You’ve decided to offer vCISO services—great! The next step is structuring them. This chapter explores the tiers of vCISO offerings (more details below). By using the following assessment, you’ll be able to identify which services to provide and to whom, and then the three tiers will take you through the specifics of what to offer in each service level. Let’s dive in.
There are two main pathways to offering vCISO Services:
- Upsell to your existing clients
- Expand to new clients
It may be effective to focus on existing clients first as an established relationship already exists, along with a clear understanding of their business needs. Begin by following these six steps to prioritize which clients to begin with.
Considerations to help structure your vCISO Offerings
Determine if you are already providing any form of vCISO services. Many MSPs and MSSPs offer partial vCISO solutions that can be expanded into comprehensive vCISO services.
You can take the below assessment to see where you are:
- Do you currently manage your clients’ security?
- Do you offer risk assessment or manage risk over time?
- Do you support clients with compliance readiness?
- Do you set a security strategy or write internal security policies?
- Do you generate remediation plans?
- Do you generate incident response plans?
- Do you offer security awareness and training?
- Do you communicate the security status to your clients’ management?
If you answered “yes” to four or more of these questions, you can most likely bundle your existing offering as a vCISO package. Surprisingly, you might be closer to a vCISO offering than you might think.
By leveraging your existing relationships, vCISO services can efficiently meet previously unmet needs, allowing you to grow your revenue through targeted upselling. This approach enables you to maximize the potential of your current clients before focusing on attracting new clients.
3 Levels of vCISO offerings
After identifying which of your existing clients are well-suited for vCISO services, you can review which vCISO offering is a good fit for them.
There are three main types of vCISO offerings:
| Basic | Intermediate | Advanced |
| Governance, Risk & Advisory | Governance, Risk, Advisory & Compliance | Fractional CISO |
Approximately 90% of MSPs fall into the first two categories of vCISO services. The third category, however, is built on relationships and trust, where the CISO must have strong confidence in the MSP or MSSP. This makes it largely dependent on the service providers’ reputation.
Many MSPs are unaware that there is a basic tier for vCISO services. They often invest in Governance, Risk and Compliance (GRC) tools and manage compliance but overlook security management. By not highlighting this capability, they miss out on potential opportunities. It’s important to understand that service providers can offer vCISO services without needing a compliance tracking tool.
Here’s a brief summary of the three service tiers and the types of clients they’re best suited for:
| Governance, Risk & Advisory | Governance, Risk, Advisory & Compliance | Fractional CISO | |
| Level of effort, cost, expertise | Basic | Intermediate | Advanced |
| Knowledge level | Strategic only (clients are usually not very strategic) | Strategic and tactical | Higher level of strategic and tactical |
| Demand | 90% of SMBs will fall into these two buckets | 90% of SMBs will fall into these two buckets | 5% of SMBs |
| Who is it for? | Companies with less than 1,000 employees, focusing on non-regulated industries | Regulated companies with 500-3,000 employees | Regulated companies with 3,000+ employees |
| Industries | All industries except for government contractors, healthcare, finance, and critical infrastructure | All industries, except for organizations with complex compliance requirements | All industries, including government contractors, healthcare, finance, critical infrastructure |
| Pricing | $1,500 to $8,000 per month | $4,000 to $10,000 per month |
Project based or retainer, varies widely 6-month contract = $100k More lucrative because you’re dealing with larger companies |
| Scope |
Risk assessments Roadmaps Policy writing/reviews |
Risk assessments Roadmaps Policy writing/reviews Compliance management |
Similar scope to the previous bucket, but with higher complexity levels: Risk assessments Roadmaps Policy writing/reviews Compliance management |
| MSP/MSSP Qualifications |
Don’t need to hire a CISO vCISO must have an: Understanding of security/ security controls Understanding of tools being used to manage security Basic understanding of compliance Bonus: 5+ years of experience in security / IT |
CISO hire is recommended to oversee the service but they don’t have to be engaged with every client vCISO must have an: Understanding of security/ security controls Understanding of tools being used to manage security Intermediate understanding of compliance – ability to interpret and implement compliance frameworks (i.e. HIPA) |
CISO or a vCISO that has completed at least 10 complex engagements, is required |
| Service type | Monthly retainer | Monthly retainer |
Short-term project based work Interim engagement while hiring |
| Tools used by the MSP/MSSP | One toolSecurity management tool (i.e. Cynomi) |
2-3 tools Security management tool GRC Project management tool |
Various client & MSP tools |
| Touchpoints with the client | Monthly, quarterly | Varying from weekly to quarterly | Multiple times a week |
| Engagement with board | May be speaking at board meetings | Will probably be speaking at board meetings | Will be working with the board and/or company CISO |
| Liability | Low risk | Medium risk, requires professional insurance | Medium risk, requires professional insurance |
| Ratio of vCISO to clients |
1:30 1 vCISO for up to 30 clients |
1:10 1 vCISO for up to 10 clients |
1:2 1 vCISO for up to 2 clients |
| vCISO engagement team size |
1 person One vCISO |
2 people One vCISO + an additional team member (analyst, project manager, etc.) |
Ranges between 1 person to an entire team, varies by scope |
| Client security/IT makeup |
Client has: IT: MSP/MSSP Security: vCISO |
Client has: IT: In-house or MSP/MSSP Security: vCISO |
Client has: IT: In-house Security: In-house |
| Benefits to the vCISO | Timeline: More immediate ROI, can start working quicklyDifferentiation: Low, more of a commodityProfitable: High rate of returnEfficient: One person can manage multiple clients efficientlyClient retention: Increased client loyaltyUpselling opportunities: Initial IT assessments can uncover sensitive data and highlight potential financial impacts of data breaches. This can be used to sell higher-tier services. |
Timeline: Long term, strategic advantage to specialization Differentiation: High if you specialize Profitable: Higher rate of return if you specialize in an industry vertical Efficient operations: More efficient the more you specialize Client retention: Higher client loyalty Upselling opportunities: Initial IT assessments can uncover sensitive data and highlight potential financial impacts of data breaches. This can be used to sell higher-tier services. |
Timeline: Long term, relationship based engagements Differentiation: Very high, less competition when you work with bigger companies Profitable: Higher value contracts Type of work: More challenging, interesting work Efficient operations: Low efficiency |
| Challenges for the vCISO |
Scope creep – Limiting the scope unless the client goes to a higher-value contract Differentiation – This service is more of a commodity. Difficult to stand out from the competition. |
Scope creep – Ensure you’re only advising and not doing the actual security and making decisions (could also result in liability issues) Potential knowledge gaps with new regulations Balancing customization with efficiency |
Must have a CISO or senior security professional (experienced vCISO) do this Not efficient |
Suggested reading:
- To learn more about how to scale your vCISO revenue, check out Jesse Miller’s PowerGRYD vCISO System and build a vCISO program capable of growing to 7 figures and beyond. Cynomi partners get $250/month off for the first 12 months.
- How to start a vCISO practice
- Riding the vCISO Wave: How to Provide vCISO Services
- 6 Ways to Drive MSP/MSSP Revenue
- How to provide full vCISO services [webinar]
- Start with low hanging fruit:
- MSPs can start with basic vCISO services rather than comprehensive offerings. Begin with simple, strategic security services and gradually upsell to existing clients, identifying those already receiving partial vCISO solutions that can be expanded.
- Assess and segment clients:
- Group clients by industry verticals to understand common needs and compliance requirements. Evaluate client size and security needs to prioritize high-potential clients for upselling strategic security services.
- Build your offering in tiers:
- Understand the three main service buckets for vCISO offerings: Basic (Governance, Risk & Advisory), Intermediate (Governance, Risk, Advisory & Compliance), and Advanced (Fractional CISO). 90% of MSPs will fall into the first two categories.
- Weigh immediate and long-term benefits:
- Understand the immediate and long-term benefits of each tier. For example, basic services offer a high rate of return and efficient client management, while intermediate services can provide higher rates of return over time, but are less efficient in the short term.
- Address challenges and optimize operations:
- Be aware of potential challenges such as scope creep and knowledge gaps with new regulations. Ensure a clear distinction between advisory roles and actual security implementation to avoid liability issues. Specializing in industry verticals can lead to higher returns and more efficient operations over time.