How to start a vCISO practice


MSPs, MSSPs, and cybersecurity consultancy firms are trusted by their clients to deliver best practices when it comes to cyber protection. At the same time, such service providers are also looking to stand out in a crowded field, boost recurring revenues, and retain clients, without having to significantly scale their own internal resources.

By operating a Virtual CISO (vCISO) practice, service providers benefit by diversifying their offering and unlocking new revenue streams, and their clients benefit by having access to in-depth cybersecurity services.

In this post, we’ll explain why a vCISO practice is exactly what both service providers and clients need, and outline concrete steps for getting started.

Service providers are moving from red ocean to blue ocean

Many MSPs, MSSPs and professional services firms have begun moving away from low-margin commodity products and services, towards new opportunities where they can add unique value and generate new, high-margin subscription revenue streams.

One area that is growing fast – and is on many leading service providers’ radar – is cybersecurity. Businesses of all sizes are investing more in cybersecurity, given the fact that a cyber attack or data breach can threaten the very existence of a company. This type of threat has consistently been ranked as the number one risk facing organizations today.

Unfortunately, it has traditionally been challenging for MSPs, MSSPs and consultancy firms to offer cybersecurity and risk management to their clients at scale, for a number of reasons. These include:

  • A general cybersecurity skills shortage
  • The high cost of hiring cybersecurity professionals
  • Competing with large enterprises for cybersecurity talent
  • Large investments in technology required


CISOs have emerged as a key position to be filled in medium to large organizations or in organizations that operate in highly regulated industries.

The CISO is essentially the overall authority when it comes to a company’s cybersecurity. They orchestrate all security technologies, tactics, strategies, and processes to ensure the organization is protected now and in the future.

Of course, due to many of the challenges outlined previously, many organizations do not have the resources to retain a full-time CISO. Gartner estimates that current total cash compensation for a CISO ranges from $208K to $337K per year, which puts this position beyond the budget of many businesses.

This is where forward-thinking MSPs, MSSPs and professional services firms are filling a critical gap, by offering “virtual” CISO or “vCISO” services.

How to start a vCISO practice

A successful vCISO offering promises MSPs, MSSPs and professional services firms the ability to stand out, boost recurring revenues, and reduce churn – while growing their margins.

As a service provider, how can you start a vCISO practice?

We’ve collated the key steps to take to get your vCISO practice off the ground and running successfully. You can download the full plan here, but essentially the steps consist of:

Assess Your Own Capabilities

Do mature security practices already exist within your organization, or do they need to be developed before it would be possible to launch vCISO services? What training and certifications have been completed by your team, and what is still needed?

Answering questions like these will help you position your approach to market, including the resources required and areas of strength and weakness. Find more questions to ask yourself and your team here.

Offering vCISO services: foundation phase

Of course, your business will have to have someone with security expertise on board, someone who is knowledgeable and experienced in security and executive duties. If you already have such a person or team, how do you leverage them effectively?

If you don’t have such a person, can you grow someone within your team, or do you need to make a new hire?

In both cases, ensure that these team members’ other work is distributed to other members, so that they can focus exclusively on the vCISO aspect of your offering.

Bridge the skills gap

Even with a security expert on your team – or someone being trained to fulfill this role – confidently offering a holistic vCISO service to multiple clients will require more resources than most service providers currently have available.

This is where vCISO platforms come in. Such platforms are required in order to provide an end-to-end solution to clients, at scale.

The best vCISO platforms use advanced AI to offer the combined wisdom of the world’s leading CISOs to your client, 24/7, and help you deliver the value in a way that is understood and appreciated by the client.

Additionally, such software takes care of assessments and general planning automatically, and harnesses AI to take into account the multiple variables introduced by vulnerabilities, exploits, regulations, standards, and overall risk.

A vCISO platform fills any skills gaps you may have, and makes running a vCISO practice within a business a smooth and seamless extension of current offerings.

Formulate your strategy and launch plan

Once the foundation for a vCISO offering is in place, the time has come to launch the offering. A strategic launch can make the difference here, so here are some suggested steps to follow when launching a vCISO practice:

  • Align internally: ensure your team is aware of the direction your business is heading in, and that everyone is on board and educated in this respect
  • Select the vCISO platform that is right for your business
  • Start with a “soft” launch with a friendly client, to iron out any initial learnings
  • Roll out a marketing campaign to both existing and potential new clients
  • Define a set of metrics and keep track of these, making course corrections where necessary

A vCISO practice: from planning to reality

With the technological tools available today, there is no reason not to be offering new and existing clients a full suite of vCISO services.

Clients will benefit from the protection and peace of mind of following best practices, while you will be elevated to trusted advisor, along with the expansion of revenue streams and margins.

Access the complete guide on “How MSPs, MSSPs, and Professional Service Providers Can Add vCISO Service at Scale” here.
