Chapter 3: Costs of offering vCISO services

Offering virtual Chief Information Security Officer (vCISO) services can be a lucrative addition for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). 

However, hidden manual costs can impact profitability and ROI. For many MSPs and MSSPs, the main challenge is the lack of immediate ROI, as initial investments in tools and personnel are often required before seeing returns. Understanding these costs is crucial for optimizing service delivery and financial performance.

Key hidden costs

Increased cost of salaries and training to gain the necessary expertise and skills

 

Many service providers struggle to offer vCISO services because they lack the personnel or expertise to deliver this level of consulting. vCISO services require in-depth knowledge of risk management, compliance, and cybersecurity strategy—skills that are often beyond the scope of traditional IT teams. Without seasoned security professionals or the right tools, many MSPs and MSSPs find it difficult to meet the complex, high-level needs of their clients in this area. Therefore, one of the primary hidden costs of offering vCISO services (specifically the intermediate and advanced buckets) is the significant expenditure on salaries for skilled cybersecurity professionals. Additionally, ongoing training is essential to keep these professionals up-to-date with the latest cybersecurity threats, regulations, and best practices. This continuous investment in human resources can quickly add up, impacting the overall profitability of vCISO services.

Up front costs of tools and software

 

Manual vCISO services necessitate a suite of tools and software for tasks like security reporting, risk assessments, and compliance tracking. The costs for acquiring, maintaining, and updating these tools can be substantial. Additionally, many tools and software require minimum usage commitments, which might exceed your current client capacity.

Increased time spent on client education

 

Offering vCISO services often comes with the hidden cost of dedicating more time to educating customers. Many clients, particularly those unfamiliar with the role of a CISO, may not fully understand its importance or the risks associated with not having proper cybersecurity leadership. This means MSPs must invest additional time in explaining the value of a vCISO, addressing misconceptions, and guiding clients through the complexities of cybersecurity, which can significantly extend the sales process.

Time-consuming manual tasks

Manual vCISO services involve numerous time-consuming tasks, including detailed risk assessments, compliance checks, and the creation of tailored security policies. According to the State of the Virtual CISO 2024 Report, 93% of service providers feel overwhelmed by cybersecurity frameworks including NIST or ISO. Nearly a third of MSPs and MSSPs state they lack the technology to automate the service. For example (see the graph below), creating security policies takes 14.3 hours. Generating a security report manually takes 14 hours. Conducting a risk assessment takes 13.9 hours. You can see more examples in the graph below:

The manual execution of these tasks not only requires significant time but also increases the likelihood of human error, which can lead to costly security breaches and compliance issues.

Average hours spent on tasks (in # of hours)

The good news

Many MSPs and MSSPs recognize the growing demand for vCISO services as businesses seek more strategic cybersecurity solutions. However, many struggle to offer these services because they lack the personnel or expertise required for high-level cybersecurity consulting. The good news is that when it comes to offering vCISO services, you don’t have to dive in all at once—you can start small. Begin by offering basic security services to your clients (see Tier 1), and as you gain more expertise, skills, and experienced personnel, you can gradually move to more advanced service tiers. 

Additionally, using automation tools like Cynomi can save you hours of manual, time-consuming tasks, making the process more efficient. While offering vCISO services can involve hidden costs, using the right tools to automate and streamline these tasks can greatly reduce those expenses. In addition, by setting clear expectations with clients and properly tiering your offerings to match their needs and budgets, the benefits of providing vCISO services will greatly outweigh the costs.