Riding the vCISO Wave: How to Provide vCISO Services
Virtual CISO services are in demand like never before. According to Gartner, adoption rates are soaring, from a mere 1% in 2021 to a substantial 20% by 2022, across SMBs and non-regulated enterprises. How can MSPs and MSSPs capitalize on this opportunity?
In this blog post, we delve into the roles and responsibilities of the vCISO, discuss how you can expand your offering to include vCISO services and explain why the route to being a vCISO is shorter than you might think!
This blog post is based on the webinar we held with Dr. Jerry Craig, a CISO and Senior Director of Security at Ntiva, and Dr. David Primor, founder and CEO of Cynomi. You can gain more insights and information on the topic by watching the webinar on demand.
What is a vCISO?
A vCISO, also known as a Virtual CISO, CISO as a Service, or Fractional CISO, is an external professional security expert who provides strategic and hands-on security services to organizations. In this way, small businesses can access high-level cybersecurity expertise without incurring the expense of a full-time hire.
There are varying definitions of the vCISO role. These differences stem from unique organizational requirements, varying standards across industries and diverse organizational cultural approaches. However, there are underlying commonalities that all organizations acknowledge are part of the vCISO role. These include:
- Understanding goals and risks
- Creating the security strategy
- Assessing cybersecurity gaps
- Understanding the strategic vulnerabilities
- Implementing a remediation plan
- Overseeing compliance processes
- Reporting to top management
Recommended Components of vCISO Services
Based on these responsibilities, there are hundreds of areas where vCISOs can serve and add value. While the vCISO offering should be tailored to each organization’s specific need (see more on this topic below), there are recurring themes that should always be addressed. These are:
- Risk assessment and management – Quantifying risk and building a risk program.
- Setting the strategy – Setting goals, building a plan and roadmap, aligning with the IT department, budget, etc.
- Actual protection – Services, processes and procedures that make the environment, people and data more secure.
- Continuity planning – How to keep the business up and running during an event.
- Training and security awareness – Teaching employees how to detect and prevent attacks like phishing.
- Compliance and governance – Meeting the industry requirements.
- Incident response – What to do when attacked and services go down, how to eradicate and remediate.
- Third-party management – How to work with vendors, partners and providers.
- Communication – Communicating up, down and across, to show value and ROI.
Any MSP or MSSP that wants to expand into offering vCISO services should take these components into consideration when creating their service offer and portfolio for their customers.
Why vCISO Services are an Opportunity for MSPs and MSSPs
We’ve established what a vCISO offering includes. This begs the question: why should MSPs and MSSPs make the effort to expand their offering and include vCISO services?
With the growing demand for security services, a vCISO offering is an attractive opportunity for MSPs and MSSPs to grow their business. By providing vCISO services, MSPs and MSSPs can:
- Address the growing customer need for proactive cyber resilience
- Grow recurring revenue, for existing and new customers
- Differentiate themselves from the competition
- Upsell additional products and services
- Provide a lucrative offering
- Maintain continuous communications with their customers’ top management
Challenges with Providing vCISO Services
When MSPs and MSSPs plan their vCISO offer, it’s important to understand the potential pitfalls along the way, so they can address them. There are four main pillars to take into consideration:
- Upfront investment – How will you educate yourself on the vCISO components? Will you hire an expert, use a platform, etc.?
- Structuring your vCISO offering – Which components and services will you offer your client base?
- Skills – Do you have the in-house skills? Will you hire someone, use a vCISO platform, etc.?
- Scalability – How will you grow and increase revenue? Will you expand your headcount, implement automation, etc.?
How to Build Your vCISO Offering
Many MSPs and MSSPs already offer some form of vCISO service and can easily expand it into a full-blown vCISO offering.
The first step to take is to find out whether you are already offering vCISO services. Ask yourself:
- Do you manage customers’ security?
- Do you offer risk assessment or manage risk over time?
- Do you support customers with compliance readiness?
- Do you set a security strategy or write internal security policies?
- Do you generate remediation plans?
- Do you generate incident response plans?
- Do you offer security awareness and training?
- Do you communicate the security status to your customers’ management?
If you answered “yes” to four or more of these questions, you can most likely bundle the offering as a vCISO package. You may be closer to a vCISO offering than you think.
The Missing Piece of the vCISO Offer: An Automated vCISO Platform
Since organizations need end-to-end services, MSPs and MSSPs have to find a way to complement their offering so that it covers all the components listed above. This is where an automated vCISO platform comes in. Such a platform can help answer the challenges above, and it adds further benefits:
- Upfront investment – An automated platform provides you with the knowledge you need to lead the security strategic efforts of the organization without hiring expensive cybersecurity experts. Assuming you use a SaaS platform, you pay on the go with no upfront investment.
- Structuring your vCISO offering – An automated platform streamlines the vCISO work through a well-structured process – starting from risk and compliance assessment, through creating a security policy and cyber posture reporting, all the way to building remediation plans. It takes less experienced teams step by step through the process and sets standards for processes and deliverables.
- Skills – A vCISO automated platform is modeled on the knowledge of the world’s best CISOs and security experts. Instead of bringing those people in (which most MSPs and MSSPs can’t afford to do), an automated platform puts their expertise at the users’ fingertips.
- Scalability – An automated platform can easily and cost-effectively help you scale. It doesn’t need sleep or a salary and can be used on demand. As Stephen Parsons, CEO of VISO, said: “Using a vCISO platform we use the same resources to provide the service to more customers.”
In addition, an automated platform can help you present data and metrics to customers and customize a program to each organization’s specific needs.
vCISO services offer MSPs and MSSPs the opportunity for business growth, enhanced customer satisfaction, and differentiation from competitors. By incorporating vCISO elements into their service offerings, MSPs and MSSPs can provide a comprehensive and valuable package to their clients. An automated vCISO platform is positioned to help MSPs and MSSPs extend their service portfolio and provide clients with a broad range of security expertise and solutions. Therefore, it is recommended to implement an automated vCISO platform when offering vCISO services to customers.
To learn more and get more insightful observations about a vCISO offering, watch the webinar here.