The Risks and Benefits of Starting a vCISO Practice

Rotem Shemesh — March 1, 2023

There has been a marked trend recently of MSPs shifting into the security space, and expanding their security-related activities. Much of this is “bottom-up” momentum, as SMEs and SMBs are increasingly becoming more security conscious, and MSPs and MSSPs are their natural “go to” partners for anything IT- or cyber-related.

SMEs and SMBs have a growing need for cybersecurity services, specifically vCISO or virtual CISO services that augment their internal IT teams. This need is driven by numerous factors including more sophisticated cyber threats, insurance requirements and evolving compliance needs.

The net result is that SMEs and SMBs are turning to their MSPs and MSSPs for strategic security or vCISO services – and these service providers generally want to provide such services as they bring tremendous benefits, and yet are often hesitant to do so due to perceived risks.

We’ll look into the risks, and the benefits, of starting a vCISO practice in your firm.

The risks of starting a vCISO practice

We’ll start with the risks. The top risks that keep MSPs and MSSPs from starting a vCISO practice in-house include:

Scale: Traditionally, vCISO services have been incredibly resource intensive, and notoriously difficult to scale. There are many human hours required to understand an organization, establish where gaps lie, create a plan to address these gaps, assess which regulatory frameworks must be complied with, establish the progress towards compliance, and so on. To do this for a couple of customers is doable, depending on the size and skill set of your team. But anything beyond this is just a bridge too far for many service providers.

Talent: Cybersecurity talent is scarce and expensive. Most service providers don’t have the required skills in house, at least not at scale. They might have a one or two CISO-level employees, but probably not more than that.

Standardization: Not only is it challenging to scale a vCISO offering, but processes and outputs are hard to standardize, and sharing knowledge is difficult.

Budgets: Dealing with SMEs and SMBs means tighter budgets, an intense focus on ROI, and therefore a tougher sell. Sometimes the amount of resources such businesses require from a vCISO perspective – such as suitably qualified team members – does not make the proposition commercially viable.

Before you give up on the idea of a vCISO practice for your company, let’s look at some of the benefits of starting such a practice.

The benefits of starting a vCISO practice

There is an impressive list of benefits when it comes to starting a vCISO practice. For example:

Demand: There is a huge and growing demand from the customers. As noted previously, more and more SMEs and SMBs are needing vCISO services. To leave this demand unfulfilled, or worse, to have a competitor take up this demand, is a massive missed opportunity.

Revenue: When set up correctly, an internal vCISO practice can be a reliable, recurring, and growing revenue stream that drives margins.

Differentiation: Offering vCISO services sets you apart from your competition, and ensures you’re seen as a leader from the perspective of both current and potential customers.

All the benefits without the risks with Cynomi

Cynomi offers a vCISO platform that was purpose-built for MSPs and MSSPs to easily start and scale a vCISO practice, with all the benefits and without the risks.

How does it achieve this?

Automation: Cynomi eliminates most of the manual, resource-intensive work by automating the heavy lifting, while ensuring there’s the right level of customization that each client needs. Experience shows an immediate 70% reduction in vCISO labor hours.

Empowerment: You don’t need a CISO in place to start and scale your vCISO practice. Cynomi empowers beginners so you don’t need the high barrier of professional skills in order to provide vCISO services.

Scalable: Because the platform is built on AI and automation, the lift from going from one or two customers to fifteen is negligible. Hear it first hand from InfoSystems’ CIO, Chris Bevil in this video.

Robust: The product leverages the knowledge of the world’s best CISOs, and standardizes the vCISO work process and output.

In short, there is every reason to start your vCISO practice together with Cynomi’s platform – but don’t take our word for it.

Here is Grant Goodnight, PMO & Risk Officer at ESI – Electronic Strategies Inc.: “We’ve explored several products in order to find a solution that can effectively communicate risk and compliance gaps to customers that may not have IT or compliance backgrounds. We searched long and hard to find a solution to help us streamline and improve the assessment process. After finding Cynomi, we called off our search.”

He continues: “Cynomi structures the assessment process in a way that is easy for our customers to understand and easy for our technicians to implement. Using Cynomi, we can collaboratively assess client environments, identify gaps, and prioritize and track remediation. The dashboard is incredibly effective at communicating overall compliance posture and remediation progress to our clients, and the Cynomi generated assessment reports saves us dozens of work hours that used to be spent collating findings and drafting summaries. Additionally, we’ve also begun using Cynomi as a way to evaluate customer environments for new engagements and to facilitate onboarding for managed and vCIO services.”

This is confirmed by Efrem Gonzales of TecRefresh: “Cynomi enables us to provide vCISO services at scale, at a fraction of the time it took before, and increased our sales pipeline.”