The Hidden Costs of Manual vCISO Services and How to Increase ROI

The hidden cost

Offering vCISO services is a natural next step for a growing MSP/MSSP. SMBs and SMEs need security counseling and assistance to deal with threats, risks and compliance requirements and vCISO services can answer that need. However, MSPs and MSSPs should also ensure that their vCISO services offering will grow their revenue and profitability as expected and align with their business model. This is where this article can help.

Based on our experience working with hundreds of MSPs and MSSPs, this article provides business guidance to service providers who are offering or planning to offer vCISO services. With the information enclosed, you will be able to optimize your vCISO offering and business model and enhance profitability.

In this article, we detail:

  1. The hidden costs of providing vCISO services. This section shows what budget line items MSPs and MSSPs can expect when providing these services.
  2. How these costs can be cut, with automation.
    • Through ROI formulas, we demonstrate how many hours can be saved for various vCISO tasks.
    • We also show how automation helps reduce a large number of other costs.

These are all accompanied with real examples and case studies of businesses who’ve used automation to reduce expenses, increase deal size and grow their profitability significantly.

vCISO Services: What MSPs/MSSPs Have to Gain

Adding vCISO services to your MSP/MSSP offering is a strategic move that addresses a critical gap in the cybersecurity landscape. With the growing number of threats and third-party risks, a more demanding regulatory landscape and cyber insurance requirements, companies need cybersecurity guidance. vCISO services provide companies, and especially SMBs and SMEs, with access to top-tier security expertise without the overhead costs associated with hiring a full-time CISO or security team. Therefore, offering vCISO services can significantly help MSPs and MSSPs grow their revenue and enhance profitability.

According to the “State of the Virtual CISO 2023 Report”, 86% of MSPs/MSSPs currently offer or are planning to offer vCISO services by the end of 2024. This shows an understanding of the value vCISOs can bring to service providers. It also means that MSPs and MSSPs that wish to remain competitive, should consider adding vCISO services to their portfolio.

The Cost of Providing vCISO Services

However, simply offering those services on your website is not enough. First and foremost, vCISO services need to be of high-quality. Second, they should also allow you to maintain profitability.

Therefore, it’s important to understand the full spectrum of costs associated with providing high-quality vCISO services. Managing these costs correctly will ensure a sustainable business model. When possible, MSPs and MSSPs need to incorporate tools, methods and practices that cut costs and enhance profitability, while maintaining service quality.

Let’s break down the additional incurred costs of offering vCISO services:

  • Salaries and Benefits for vCISO Professionals and Team – When offering vCISO services, you’ll need to make sure your team is made up of professionals that can deliver those services in a high-quality manner. vCISO professionals are highly skilled experts and the talent pool is small. Therefore, they often demand competitive compensation packages. Additionally, their teams often include other cybersecurity specialists, who are essential for comprehensive service delivery, but whose expertise is also costly.
  • Training to Keep vCISO Team Up-to-Date – The cybersecurity and compliance field is fast-evolving, with new threats, risks, technologies, practices and frameworks. This necessitates continuous education for the vCISO team to remain relevant for your clients. This involves costs for certifications, workshops and other training programs, as well as the cost of their time spent on these training sessions.
  • Tools and Technologies – Effective vCISO service delivery relies on advanced cybersecurity tools and technologies for risk assessment, security planning, policy creation, reporting and more. These tools require investing in licensing and subscriptions. Therefore, it’s important to choose tools that can deliver ROI on their price tag.
  • Administrative and Operational Expenses – Growing your team and line of business requires office space or reimbursement for remote employees’ office needs, utilities, insurance, operational support and more. These are necessary to enable the vCISO team to focus on their job – providing security services. This section also includes the costs of hiring the vCISO team and making sure there’s little to no churn.
  • Time Spent on Manual Tasks – Manual tasks, if not efficiently managed or automated, can lead to significant time (and thus financial) losses. This is even more accentuated when it comes to repetitive and low-value tasks. The vCISO and team will spend hours upon hours executing tasks, gobbling up their time and leaving them unavailable for strategic projects or those that can bring higher value.

According to “State of the Virtual CISO 2023 Report”, vCISOs have to carry out quite a number of time consuming manual tasks. For example, creating security policies takes 14.3 hours. Generating a security report manually takes 14 hours. Conducting a risk assessment takes 13.9 hours.

You can see more examples in the graph below:


figure 9

Source: “State of the Virtual CISO 2023 Report”

  • Marketing and Upselling vCISO Services – Creating awareness and driving demand for your new vCISO services requires marketing and selling efforts. These might include campaigns, a new website, promotional materials, sales calls, sales commissions and more.
  • Onboarding Your Team to New vCISO Services – To enable scalability and redundancy, ideally there should be multiple members of your team who can deliver vCISO services and capabilities. First, this requires defining the service and its deliverables and setting up standardized processes. Then, the team needs to be trained on these methods, and management needs to supervise deliverables, at least at the start.

The ROI of an Automated vCISO Platform

As mentioned, offering vCISO services can significantly enhance profitability. But the amount of revenue and the amount of resources and work you’ll need to invest depend on your vCISO approach. Specifically, whether you choose to work manually or implement smart tools that introduce automation and AI to make your work more efficient and your processes more productive.

A vCISO platform is a solution that leverages automation and AI to simulate the expertise and decision-making capabilities of a human CISO. The core objective is to provide MSPs and MSSPs with the ability to deliver continuous, scalable and cost-effective cybersecurity leadership and guidance to their clients. Functionalities might include: guided and standardized risk assessments, automated policy creation, security plan management, security and compliance posture status and reports and more.

The main advantage of an automated vCISO platform is the ability to reduce the time spent on manual tasks that could be automated. This enables the MSP/MSSPs to cut down on the resources they spend and divert their existing resources to more profitable avenues.

Let’s calculate the advantages of automating. We’ll check out one of the most valuable and scarce resources any service provider has: work hours.


For example, generating a security report with Cynomi, an automated vCISO platform, takes 20 minutes. That’s 0.3 hours.

Manually, the exact same action takes 14.3 hours (based on the survey mentioned before). That means the gain is 14 hours (14.3 – 0.3).

Onboarding to Cynomi, i.e the cost of investment, is 1 hour. (Of course, if you use Cynomi for more than one activity that 1 hour onboarding divides itself, but for simplicity let’s use 1 hour).


The ROI is 13 hours, just for one security report. That’s approximately a day and a half of work and that’s if you only use Cynomi for one security report throughout the entire year.

Let’s take another example: risk assessment. With Cynomi, the process takes 2-4 hours. Let’s use 3 for simplicity. According to the survey, manually the process takes 13.9 hours.

((13.9-3)-1)/1=9.9 hours

The ROI for a risk assessment is nearly 10 hours of work saved for each risk assessment.

Additional examples:

  • Building a remediation plan with an automated vCISO platform takes 4 hours. Manually it takes 14.7 according to the report. The ROI is 9.7 hours.
  • For creating security policies, the ROI is 11.3 hours (14.3 hours manually based on the report, 2 hours with Cynomi).
  • For onboarding new vCISO team members, the ROI is 3 months(!).

These are just a few examples, but the ROI can be easily calculated for any activity. Reach out for specific inquiries.

(If you don’t have Cynomi, you can replace the numbers with the time it takes to carry out activities with your own automation solutions).

How a vCISO Platform Reduces Costs and Enhances Profitability

In addition to the ROI of hours saved, which can be easily calculated based on the formula above, an automated vCISO platform helps reduce many of the other costs we delineated.

Here’s a detailed table:


Cost Item Budget Item How an Automated vCISO Platform Cuts Costs Examples
Salaries and Benefits for vCISO Professionals and Team Expensive compensation packages for vCISOs skilled team members Automating complex tasks reduces the need for deep expertise in every aspect of cybersecurity. MSPs/MSSPs can do more with less, and save the vCISO’s time for tasks that require high expertise.
Automation also enhances the productivity of existing staff, amplifying the ROI for the salaries paid.
LevCo’s employees can all use Cynomi to provide services, regardless of their expertise.

rSolutions cut down on hiring resources with automation.

Training to Keep vCISO Staff Updated Investing in certifications, workshops and other training programs The platform stays up-to-date with the latest cybersecurity trends, threats, framework and guidelines. VISO relies on pre-populated updated questionnaires and frameworks for assessments.
Tools and Technologies Multiple licenses and subscriptions Consolidating multiple services into a single platform reduces the need to purchase, learn and manage numerous separate tools CA2 use Cynomi for building a security plan, reporting, as a risk register, and more.
Manual tasks


Significant time loss performing various tasks Reducing the time the team spends on each requirement.

See ROI calculation above.

POPP3r saved over 600 work hours on automating assessment reporting.

LevCo saved 80% of their time on generating reports.

rSolutions reduced risk assessment times by 60%.

Marketing and Upselling vCISO Services Investing in campaigns, collateral and a team An automated platform immediately and effectively demonstrates the value of vCISO services through simple to digest reports and a dashboard, which attracts new clients and convinces existing ones of the value of additional services.




CyberSherpas doubled their deal size.

Model grew their customer base by 20%.

LevCo grew their business offering and margins.

CA2 converted prospects.

VISO grew revenue by 54%.

Onboarding the Company to New vCISO Services Training, process creation and service standardization Built-in processes and frameworks take the vCISO team step by step and reduce the time and cost associated with adopting new vCISO services. CyberSherpas transitioned to vCISO services seamlessly.

VISO reduced onboarding time by 80%.




Embracing automation is a game changer for MSPs and MSSP. Automation improves operational efficiency and significantly improves the quality of service, enabling service providers to deliver advanced cybersecurity services at a fraction of the cost and time. By automating labor-intensive tasks, MSPs and MSSPs can reallocate their precious resources towards strategic initiatives that drive growth, enhance client satisfaction and solidify their competitive standing.

As the demand for sophisticated and cost-effective cybersecurity service continues to grow, the adoption of automated vCISO platforms allows MSPs and MSSPs to grow their revenue and profitability, while ensuring clients receive unparalleled expertise and support. This makes automation an essential part of any MSP/MSSP business strategy.

Learn more about automated vCISO platforms here.



Keeping you safe 24/7

Meet Cynomi Team Learn More

Get Started

Ready to leverage the power of the world's first AI-powered, automated vCISO platform?

Request a Demo