Are vCISO services a new revenue stream for MSPs? #Cybersecurityassured #dowithdataguard


As you try to make the most of your MSP's growing business, keeping a good return on your investment will become more and more important. To do this, you will need to find services that improve your gross margin on every client engagement. In this role, virtual CISO services can be a big help.

Even though solutions like Auvik help MSPs see what's going on in their clients' networks, we want to take this a step further by adding vCISO services. Let's look at what the CISO job is, how it can be done virtually, and how you could add it to the services you offer as an MSP.

Why is a CISO important?

People say that an IT worker has to wear many hats. But handling the security of a company is not one of them. This is a highly specialised job that needs a lot of focus, care, and attention. A cybersecurity incident or full-fledged attack can risk the very survival of a business and the careers of the people who work there. This role is not left up to chance.

CISO services are a mix of expert and managerial tasks, such as:

  1. Executive support: It is very important to talk to the C-suite at their level, and this can't be done well at the worker level or even at the management level. Only the CISO can get this very important help.

  2. Objective perspective: A CISO looks at the company's network and resources from the point of view of protecting them. No matter how good their security skills are, an IT expert whose attention is split across other duties can never do this. Also, keep in mind that many threats come from within an organisation.

  3. Background in security: This person will have a lot of experience with security, risk management, and dealing with problems that overlap and are complicated. Few people who work in IT have a background in security.

  4. Communication: By talking to everyone in the company, they will be able to look at the whole business, figure out what's going on, and come up with good ideas.

  5. Understands the risk models: A CISO looks at hacking from the point of view of risk, not only from a break-fix perspective. For example, a worker in charge of a company's security will want to look at firewalls and password-management software. That's fine. The CISO, on the other hand, looks at the risk that possible attack vectors pose to the business. They will do an in-depth analysis of the current situation and then give the executive team a list of possible solutions with tradeoffs between risk and return.

Moving CISO to the MSP

There are many threats to networks today. A normal IT worker would have a hard time keeping up with all of them. They already have a full workload, and many of them just can't keep up with that much work! To understand and deal with the latest risks that are just around the corner, you have to work on it full-time.

As the local MSP, you're probably already doing some of this work to some degree. Most likely, you help your clients with IT problems every day. They already know you are a good expert and trust you. They've already asked you about security, and you've already talked to them about it. Now you just need to make this process official and make it look like a real job.

Invoke the vCISO

In reality, many companies don't have a CISO because they are so rare. CISOs are hard to find, and it can be too expensive for most businesses to hire one full-time. But a virtual CISO is a new type: a Chief Information Security Officer who doesn't work full-time. The job can be based on a set of criteria, such as specific tasks, a limited number of hours per month, or even a set of goals to be reached.

This is easy to add as an option to your current MSP contract, which can be changed at any time. This gives the client much more time to think about the choice, and to think of it as something they can deal with instead of being forced to do it.

What makes it ‘virtual’?

The vCISO is an account-focused professional who works remotely. They should behave as any other CISO would, within contract limits. They're available as needed or by contract, or part-time but frequently. vCISO options are adaptable to accommodate numerous situations. Integrating with the business model is best, and it fits the MSP's business model.

How can an MSP fulfil the vCISO role?

The vCISO monitors the MSP's client interactions for opportunities and threats. The work begins with a full security survey of the client firm, building relationships in every area, C-suite executives included.

After this, a full report with client recommendations is written. Every virtual CISO contract should have this by now. Then clients can purchase extra hours and services. Need a PCI, NIST, or CMMC-compliant report? Do downstream clients or industry require compliance? Management issues? Executives' personal goals? Always address these.

You'll need a few things to make the vCISO idea work in an MSP business.

Utilise a consultative process

It's much easier said than done. How often do you provide consulting assistance as opposed to simply selling a conventional product or service? How well-informed is your client? And how much of this education is relevant to your business? Are you communicating with your clients' top levels? Are you specifically demonstrating how vCISO services can benefit them? All of these questions must be thoroughly considered and have well-thought-out solutions.

Be able to document your service provision

Can you make quotes for the client that are strong and convincing? The price for this service needs to be fair and not too low just to make it easier to sell. You can do this if you want to start the programme with a loss leader, but we don't suggest it. Remember that vCISOs are highly paid professionals, and that the cost of a big cybersecurity incident is, at the very least, expensive and, at the very worst, devastating. This means you should charge the right amount for your service.

Have a consistent, effective sales programme

You should be able to regularly communicate with all of your customers and provide your solution to them. Are you making use of the MSP staff that is located on-site in this process? Sign up with DataguardNXT's free trial for a limited period to utilise this process.

What to consider before offering this service?

Here are some things to think about if you want this service to work for your MSP. Remember that a consulting business is not the same as an MSP's regular services business.

Sell your value

The value is also significant. Do not be the company that undercuts the client's price. Offer them a reasonable price for a comprehensive solution. You should aim for gross margins of approximately 80 percent.

Billing up front

This is typical for consulting. Avoid giving clients 30- or 60-day terms. Failure awaits. Instead, start with a pre-work billing. Bill regularly or bi-weekly. It starts aggressively but establishes the tone. You want to grow your business, not shrink it.

Provide alternatives and promote retainers

You should always let the client know about extra services they can choose to pay for. And these choices should always be better than the first. A retainer service is the best thing you can do for a client. This is a simple option that lets a certain person at the client (usually the CEO) call your vCISO at any time, without being charged, just to get help or talk about a problem they are having. This option is nice because it's always paid for and rarely used unless it's really important, like when there's a big security breach. If your vCISO is doing their job, there shouldn't be too many of those.

Harun Shah Salim

Jun 7, 2023