Chapter 2: Selling vCISO services
Scoping & go-to-market
Once you’ve determined which existing clients to upsell, or new clients to sell to, it’s vital to properly scope the engagement to ensure that your services are aligned with client needs and industry requirements. This approach drives value in client engagements and maintains a strategic focus that resonates with stakeholders.
To scope a vCISO service offering, start by getting more information from clients to assess whether they are a good fit. Schedule an introductory discovery call and ask questions to better understand the following:
- Business drivers: Understand the client’s business goals, market, and what they are trying to achieve (e.g., scaling, preparing for an exit). Knowing these drivers helps in aligning cybersecurity strategies with the client’s overall objectives.
- What business / industry are they in?
- What’s their business model?
- What are they trying to achieve? What big projects do they have coming up?
- Client’s readiness and priorities: It’s important to determine if the client has a genuine need for cybersecurity services and is ready to prioritize security. If the client lacks a clear business justification for the investment or isn’t ready to make security a priority it might be better to limit cybersecurity efforts until the client’s situation evolves.
- Why are they talking to you?
- Do they need security advice?
- Are they seeking a strategic leader to ask key questions and run programs?
- Do they need assistance with obtaining insurance?
- What will truly benefit their company?
- Avoid bad business: It’s important to walk away from business that doesn’t fit. Engaging with clients who don’t value or prioritize security can lead to ineffective partnerships and potential frustration. It’s better to focus on clients who are aligned with the service provider’s strategic goals and mission.
Once you have this information, you can start packaging your services (based on the three service tiers provided above):
- Service bucket: Identify which service categories you’ll offer.
- Specific inclusions: Determine what exactly will be included in each category.
- Time estimate: Assess how many hours it will take to deliver the services needed by the client.
- Budget considerations: Align the services with the client’s budget. Are they a $1,500/month client or a $4,000/month client?
- Compliance efforts: What is the level of effort required for compliance? What do they know about their compliance needs? What might they be unaware of?
- Validate any assumptions. For example, if the client is in healthcare, they’re likely under HIPAA in the US, but additional requirements might apply, depending on their location (e.g., California’s CCPA). You may need to consult with attorneys or client executives to clarify these details.
- It’s useful to focus on specific verticals where you already have answers to these compliance questions.
- Timeline: Establish a realistic timeframe for delivery.
- Goal-based outcomes: Establish realistic goal-based outcomes for delivery (based on the clients’ goals)
Common pitfalls to avoid:
- Underestimating time requirements
- Over-delivering beyond what was sold
- Failing to set clear expectations early, especially during the sales process. Clients may sometimes expect the vCISO to handle both strategic and hands-on cyber engineering tasks, so it’s essential to establish boundaries to maintain focus on your role.
Key selling points
For MSPs and MSSPs, demonstrating their cybersecurity expertise and capabilities is crucial to winning the trust of potential clients. In a competitive market, clients are looking for partners who can not only provide technical solutions but also understand their unique business challenges and can offer tailored security strategies.
Here are five key points to emphasize when selling vCISO services to SMBs:
Provide top-tier security expertise without the high costs and rigidity of a full-time C-suite executive.
Here are several ways to demonstrate your abilities to potential clients:
Handling SMB sales objections
A common objection from SMBs is: “I’m too small to be hacked. I don’t have any data of value. They’re targeting only big companies.”
As a security service provider, you can address this objection by emphasizing the following points:
- Higher risk for SMBs: In 2023, 46% of SMBs reported experiencing a ransomware attack. Small businesses are often more impacted by cyber-attacks than larger companies. While big companies make the headlines, small businesses frequently face severe consequences.
- Significant Costs of a Hack: Over 75% of SMBs could not continue operations if hit by ransomware. Costs include legal and regulatory fines as well as loss of revenue from the business not operating, etc.
- It’s about business resilience, not just FUD: MSPs often use fear tactics (FUD – Fear, Uncertainty, Doubt) to sell cybersecurity. They focus on hackers and the cost of the data exposed. It’s essential to educate clients that cybersecurity isn’t just about hackers. The real threat to their business includes system availability. Instead of focusing on fear, the emphasis should be on business resilience and continuity. Highlight how cybersecurity ensures the longevity and stability of their business. Encourage potential clients to consider the real risk. If their business were unable to operate for two weeks, would they still be in business? How much revenue would they lose?
For example, ransomware is currently the primary threat to SMBs. Over 75% of SMBs could not continue operations if hit by ransomware. It affects four main areas:
- Ransom demand: Hackers encrypt your data and demand payment for its return.
- Public data exposure: If you refuse to pay (for example, if you have backups available), hackers may threaten to make your data public, which can severely impact consumer confidence. Additionally, if your data is released, you could face lawsuits from clients, with attorneys trying to prove negligence.
- Law enforcement and regulatory alerts: Hackers may also threaten to alert law enforcement and regulators if you refuse to pay, which could lead to fines and other legal consequences.
- Loss of revenue from system unavailability: The business can lose significant revenue from not being in operations. Just one hour can cost significant financial damage. For example, if a manufacturing company’s ERP system goes offline for an hour and it costs them a million dollars, this is a significant business risk.
Discuss the following points with a potential client:
Emphasize that implementing robust security measures and demonstrating due diligence are not just about protection but also about ensuring the survival and continuity of your business in the event of an attack.
To learn more about how to scale your vCISO revenue, check out Jesse Miller’s PowerGRYD vCISO System and build a vCISO program capable of growing to 7 figures and beyond. Cynomi partners get $250/month off for the first 12 months.
- Align vCISO services with client needs: Scoping a vCISO engagement properly is essential to ensure that services are aligned with the client’s business drivers, priorities, and industry-specific requirements. This builds trust and ensures that cybersecurity strategies directly support the client’s goals, whether scaling operations or achieving compliance.
- Focus on high-value clients: It’s important to identify and prioritize clients who truly value cybersecurity. MSPs should engage with clients whose business needs align with security services, while avoiding engagements with those who do not prioritize security, to maintain successful and mutually beneficial partnerships.
- Demonstrating your abilities to potential clients:
- Use testimonials or anonymized case studies to build credibility.
- Clearly outline the vCISO services and specify expected deliverables.
- List supported frameworks and explain how compliance enhances security.
- Present example reports and dashboards to illustrate progress and value.
- Highlight AI-driven capabilities that provide advanced protection with automated insights.
- Handle SMB sales objections effectively: SMBs may believe they’re “too small to be hacked.” Emphasize the reality that small businesses are often more vulnerable to cyber-attacks and face severe consequences if breached. Focus on business resilience, regulatory requirements, and continuity rather than fear tactics.
- Tailor services based on client’s readiness and budget: Each client will have different levels of security awareness, readiness, and budget. MSPs must scope their vCISO offerings accordingly, ensuring the service categories, time, and budget considerations are aligned with the client’s expectations and compliance needs.