Much Pain, Lots of Gain for Virtual CISOs

Cynomi is bullish on the virtual CISO market. A maker of multitenant vCISO management software, the company came into being three years ago based on the assumption that a lot of managed service and managed security service providers would wish to be vCISOs someday. When it decided to test that proposition last year in a research study, however, even Cynomi found the results surprising.

The portion of North American MSPs and MSSPs delivering vCISO services, the study found, will rise 480% by the end of this year, from 19% to 86%. Only one-quarter of the survey participants with vCISO offerings today, moreover, were in that market prior to 2022.

“We felt that there was an increase in vCISO offerings, but to be honest, we didn’t realize to what extent,” said Rotem Shemesh, Cynomi’s vice president of marketing. “We never imagined it was going to be that huge.”

The question now for the many participants in that stampede, as well as the few stragglers still to follow, is what the future holds. Veterans of the field say they can expect fat profits, sticky customer relationships, and a lot of extremely hard work well outside a typical IT professional’s comfort zone.

Cynomi's Rotem Shemesh

“You’re foundationally trying to put your customer in a position to make informed risk management decisions,” says Felicia King, a longtime security expert and vCISO based in Somers, Wisconsin. “It sounds simple, but what I just articulated is insanely difficult.”

Related:4 Tips to Help CIOs, CISOs Evaluate and Find the Right Tooling Partner

Summoning Intestinal Fortitude

According to Shemesh, the race to add vCISO offerings is a logical response by MSPs to a mounting end-user need for such services.

“Small and medium businesses in the past were not so aware of cybersecurity risks and threats, and they were less worried about compliance,” she said.

Then came several years of widespread ransomware attacks, skyrocketing cyberinsurance premiums, and mounting regulatory mandates.

“All that led to SMBs realizing that they need someone to manage their cybersecurity,” Shemesh notes.

MSPs and MSSPs soon began telling them that the someone they need is a virtual CISO, something few businesses knew to ask for and that few IT providers define the same way, according to David Primor, Cynomi’s CEO.

“It’s very different from one MSP to another,” he said.

At the simplest level, a good vCISO identifies weaknesses in a company’s security defenses, helps decision makers understand the risks posed by those weaknesses, and tallies up the investments required to close them.

“It starts with doing an assessment, understanding the gaps, and creating the strategy,” Primor said.

Felicia King

Here though, per King, is where matters get insanely difficult. vCISOs must have both the security chops to evaluate a customer's environment and the communication skills to get business managers with little or no knowledge of IT bought into funding investments they’d rather skip.

“We’re talking about trying to help an executive management team make and form risk management decisions,” King said. “They’re sitting there trying to work out the strategy and you’ve got to be able to say with authority right then and there, ‘No, bad idea and this is why.’”

To make matters worse, she adds, the clients that most need your help are often least likely to accept your recommendations.

“It takes a tremendous amount of intestinal fortitude and emotional intelligence to deal with a lot of dysfunctional organizations that lack operational maturity,” King said.

Speaking to them in their own language instead of your own helps.

“Business understanding is a very important thing,” Primor said, “and the ability to move from business to technology.”

The most difficult thing of all for many clients to understand, though, is that no matter how little interest they have in security, they must remain actively engaged in implementing it.

“They want the easy button, which is to delegate,” she said.

The law, their customers and their shareholders, if they have any, will hold them responsible for breaches in the end. Abdicating isn't an option.

Transforming the Business

The headaches King and Primor describe, meanwhile, are the ones MSPs suffer after getting a vCISO practice up and running, which won’t be easy either.

“If they’re going to introduce a virtual CISO service, they need to step back and understand that’s going to transform the way they do business today,” warns Elvis Moreland, chief security officer at Blue Cyren, a Richardson, Texas-based provider of vCISO services to businesses and MSPs.

Problem No. 1, assuming you don’t have years of security experience yourself, will be hiring someone who does amid a massive global shortage of qualified talent.

“To hire someone like me full-time is going to cost them at least $200,000 if not more,” Moreland said.

King recommends training someone already on your payroll to do the job instead.

“I don’t think you can hire the talent,” she said. “I think you have to grow these people.”

However, you’ll still end up spending heavily on less skilled security specialists to do the grunt work of putting vCISO strategies into action.

“I don’t really think that a vCISO is that effective unless they are backed by a technical team,” King said.

Very Lucrative

For all the pain and expense entailed in becoming a vCISO, though, the rewards can be substantial.

“There’s going to be some change, and it might be hard at first, but over the long run it will pay off big time,” Moreland said.

How big? According to Moreland, top-tier enterprise vCISOs routinely charge up to $500 an hour.

“If you’re charging $300 an hour as opposed to $400 or $500 an hour like the big boys are, you’re going to bring in a good amount of revenue, and if you set this up properly, the return on investment could be a 60% or 70% profit margin.”

Indeed, Model Technology Solutions, an MSP and Cynomi partner based in Creve Coeur, Missouri, grew its customer base 20% after launching a vCISO service and increased its upsell income for new security solutions and services by 60%.

“We believe it’s a very profitable business to get into,” Primor said.

It can be a rich source of recurring monitoring and management revenue too.

“You’re verifying that this system is in fact doing what it’s supposed to do according to the requirements you’ve laid out,” Moreland explained.

There’s more, however, than just money at stake. An MSP responsible for your security strategy and regulatory compliance, in addition to your network, isn’t easy to replace.

“Your customer’s going to stay with you for a lot longer," said Moreland.

Besides, Primor adds, it won’t be long before MSPs without a vCISO practice are at a competitive disadvantage.

“I think that in maybe one, two years, it will be so common to have a vCISO that the demand will come from the end customers,” he said. "If you don’t meet that demand, someone else will."