As you look to optimize your MSP’s growing business, it’s going to become more and more important to maintain an acceptable return on your investment. To do this, you’ll need to find services that increase your gross margin on every client engagement. Virtual CISO services can greatly help in this function.

While solutions like Auvik already help MSPs have visibility inside of client networks, we want to take this a step further with the addition of vCISO services. Let’s look at what the CISO role is, how it can be offered virtually, and how you might make this part of your MSP service offerings.

Why is a CISO important?

It’s said that an IT professional has to wear a lot of hats. Managing a company’s cybersecurity posture, however, should not be one of them. This is a highly specialized job that requires a great deal of attention, focus, and delicacy. A cybersecurity incident or a full-blown attack can threaten the very existence of a business and personally threaten the careers of the employees at the targeted company. This is not a function that should be left to chance.

CISO services are part technical and part executive, including:

  • Executive support. The ability to communicate with the C-suite at their level is critical, and it cannot be done effectively at the technician or even the managerial level. Look at this article in Harvard Business Review that discusses the importance of executive support in cybersecurity. Only the CISO is able to garner this badly needed support.
  • Objective perspective. A CISO brings the perspective of a single priority: the protection of the company’s network and resources. This can never be done by an IT professional whose attention is divided, regardless of their security skills. Also remember that a large number of attacks come from inside the organization.
  • Background in security. This person will have a rich background in security and risk management, and an understanding of how to deal with overlapping and complex issues. Very few IT professionals have an actual background in security.
  • Communication. By communicating with every part of the company, they will be able to reach into all parts of the business, analyze the current posture, and offer effective solutions.
  • Understands the risk models. A CISO looks at cybersecurity from a risk perspective, not just from a break-fix view. For instance, a technician in charge of a company’s security will want to evaluate firewalls and password manager software, which is fine. The CISO, however, is looking at the risk to the company from potential attack vectors. They will do an in-depth evaluation of the current condition, then present the potential solutions to the executive team with risk-versus-reward tradeoffs.

Moving CISO to the MSP

Networks today face a multitude of threats. It is virtually impossible for a typical IT professional to keep up with them all. They already have a job, and many of them can barely keep up with that workload! It takes full-time dedication to understand and deal with the latest threats just over the horizon.

The nice thing is, as the onsite MSP, you’re probably already doing this job to some extent. You are likely advising your clients on issues with their IT every day. They already trust you as a competent consultant. They are already asking you about security, and you are already talking to them about it. Now you just need to formalize and professionalize this process.


Enter the vCISO

The truth is, a lot of companies lack a dedicated CISO because they’re a rare breed. CISOs are hard to find and can be a prohibitively expensive option as a full-time role for most companies. A virtual CISO is a new breed: a Chief Information Security Officer who is not a full-time position. The role can be based on a set of criteria, such as specific tasks, a limited number of hours per month, or even a set of goals to be accomplished.

This can easily be wrapped into your existing MSP contract as an option that can be added or taken away. This gives the client a lot more breathing room to consider the option, and to think of it as something they can live with rather than being painted into a corner.

What makes it ‘virtual’?

The idea is straightforward: the vCISO is a professional who is dedicated to the account but isn’t there all of the time. They should be performing the duties of any other CISO, but within the specific boundaries of the contract. They are there when you need them, or when the contract specifies, or perhaps part-time on a regular basis. The options are quite flexible, so a vCISO can fit many circumstances. The best way is to tie it in with the existing business model so that it works seamlessly with the MSP’s current business structure.

How can an MSP make a vCISO role work?

The vCISO is the eyes and ears of the MSP when they are engaged with the client—looking for opportunities and threats that may be looming. The role will typically start with a complete security survey of the entire client company, top to bottom, developing relationships in every department. And that includes the C-suite executives.

Once this is done, a complete report is written with all recommendations for the client. This should be standard up to this point with every virtual CISO contract. Then the add-on services and additional hours can be offered to the client. Does the client need a report customized to a specific security framework such as PCI, NIST, or CMMC? Are there any compliance requirements from their downstream clients or industry? Are there specific concerns from management that need to be addressed? What are the personal goals of the executives? These should always be addressed.

Through the cloud

MSPs can greatly leverage cloud computing and cloud services to make a vCISO position much more cost-effective. While the expertise rests with the expert, many of their day-to-day duties can be performed through the cloud, and we certainly recommend this. However, a certain amount of personal face-to-face contact will be needed to maintain a good rapport with your clients. This type of contact, even if kept to a minimum number of days per year, is critical to ensuring the trust and deep relationship that will keep your company engaged at this higher level.

To make the vCISO concept work through an MSP business, you will need a few things.

Take a consultative approach

This is easier said than done. How often are you giving actual consultative advice as opposed to just selling an off-the-shelf standard product or service? How educated is your client? And how much of this education is linked to your company? Are you connecting with the upper level of your clients? Are you showing them specifically how vCISO services will serve them? All of these questions need to be looked at carefully and have well-thought-out answers.

Be able to show your service offering on paper

Can you build strong compelling quotations for the client?

Pricing for this service needs to be realistic, not lowballed just to facilitate sales. If you want a loss leader to jump-start the program you can do this, but we don’t recommend it. Remember, vCISOs are very highly paid professionals, and the cost of a major cybersecurity incident is expensive at best and devastating at worst. This means your service should be priced properly.

Have a consistent, effective sales program

Be able to reach all of your clients on a regular basis and present your solution. Are you utilizing your on-site MSP staff in this process? Using Auvik’s network visibility tools can help with this process.

What to consider before offering this service

Here are some things to consider to make this service work for your MSP. Keep in mind that a consulting business is different from an MSP’s traditional services business.

Sell your value.

And the value is high. Do not be the company that comes in and lowballs the client. Give them a real, fair price with a complete solution. You should be targeting around 80% gross margins at the end of the day.

Bill up front.

This is customary with consulting. Don’t give the client 30- or 60-day terms; that is the road to failure. Instead, develop a set of terms that start with an initial billing before the commencement of the work, followed by either weekly or bi-weekly billing. This may sound aggressive, but it sets the tone from the beginning. Remember, you are trying to enhance your business, not stunt it.

Offer options and sell retainers.

You should always offer optional services on the quote to the client, and these options should always add to the original. The best option you can offer a client is a retainer service. This is a simple option that gives a specific person at the client (usually the CEO) the ability to call your vCISO at any time, without billing, simply to ask for advice or discuss an issue they are dealing with. The nice thing about this option is that it’s always paid for and seldom used unless it’s really important, such as a major security incident. If your vCISO is doing their job, there shouldn’t be many of those!

How to Start

Start with a business plan. Get all of your company stakeholders together and build a concise business plan with all areas covered: marketing, staffing, technology, and finance. You should be able to define what a vCISO is and what it will do for you. From there, start to seed your current client pool with your list of services. As interest grows, start bringing on skilled CISO personnel to do the work. You can even start by hiring contract cybersecurity consultants to do the initial work.
