The vCSO Market Opportunity: Why and How


Bruce McCully, CSO, Galactic Advisors

Organizations of every kind face a diverse and ever-expanding range of serious threats as they implement more technology—and thereby become increasingly technology-dependent. These threats include ransomware, data theft, insider malfeasance, and failure to fulfill regulatory mandates regarding the protection of customer information. So every organization must defend itself against these threats if it is to survive and thrive.

There are, however, at least three obstacles standing between every organization and its goal of maintaining a reasonably effective defense against the threats that put it at risk:

  • Organizations don’t yet have the necessary tools, processes, and policies in place
  • There is a global shortage of people with the skills and experience organizations need
  • Organizations don’t have anybody to lead their risk mitigation efforts at the executive level

These obstacles obviously represent a huge opportunity for MSPs. If you can help organizations reduce their risks by delivering the security and compliance capabilities they need, you can grow your business with recurring revenue streams and healthy margins.

Most MSPs, however, only focus on the first two bullet points above. They leverage their technology partners-of-choice to deliver the security capabilities their clients need—and they hire the very best talent they can find to execute the work their clients require: vulnerability management, incident response, penetration testing, etc.

Unfortunately, as more and more MSPs pursue the business opportunities represented by those first two bullets, the market for that kind of security housekeeping is becoming more competitive and more commodified. That commodification means that MSPs are increasingly being forced to compete on price.

Every MSP therefore faces a choice:

  1. Try to grow by competing on price for a bigger piece of the low-margin/high-churn pie.
  2. Move up the value chain to address the third bullet above—thereby establishing competitive differentiation, achieving higher margins, and more effectively protecting client relationships over the long haul.

If you want to make the second choice, now’s the time to do it. And the way to do it is by building a virtual Chief Security Officer (vCSO) program.

What’s a vCSO?

A vCSO is a trusted advisor who is capable of understanding, talking about, and proactively managing risk at an executive level. If you decide to build a vCSO program, you will be offering your existing clients and your future prospects several high-value benefits that are not part of the typical MSP security offering.

These benefits include:

A proactive, strategic approach to mitigating organizational risk
MSPs in the security business handle the day-to-day technical tasks that their clients need to avoid getting hacked, ransomwared, DDoSed, or insider-sabotaged. But organizations need more than that. They need someone to address the broader issue of business risk—including operational, financial, reputational, regulatory, and legal risk—and how it needs to be either mitigated, accepted, transferred, or avoided completely. A vCSO plays this crucial role.

Factoring security and compliance risk into executive-level decision-making
A VP of Sales is evaluating a cool VR tool to take their organization’s sales presentations into the 21st Century. A CFO is considering a facilities outsourcing deal that could save their organization millions over the next five years. Without a CSO, these executives will likely make these decisions without fully factoring in the potential impact on their organization’s threat surface—and, by extension, the concomitant new exposures to risk. The result: Security, IT, and other operational stakeholders will have to clean up whatever mess they make after the fact.

With a vCSO to consult with as a trusted advisor at a peer level, on the other hand, executive decision-makers can avoid unexpected costs, unforeseen dangers, and missed project milestones by being much smarter about factoring the potential risk implications of their decisions before they make those decisions.

Get maximum value from internal and external resources
As a security MSP, your job is to do the best you can with the budget you’re given. But you may have little or no insight into or control over all the other realities that impact your clients’ risk posture. How much are they investing in employee security and compliance policy training? How are they spotting employees whose behaviors may inadvertently be exposing the organization to avoidable risk? Do they have an adequate internal and external communications plan in place? Have they invested the time and effort required to run through a truly realistic tabletop exercise that will help ensure that their plan is a viable one—and that everyone truly understands what they will have to do if and when the manure collides with the air-circulation device? MSPs can do little more than make the occasional suggestion about these issues. vCSOs help organizations appropriately prioritize these vital allocations of time, effort, and budget. And they get well-compensated for doing so.

A significantly improved insurability profile
Insurance is a key component of every organization’s risk management strategy. But insurance companies have very demanding criteria for determining 1) an organization’s premiums and deductibles, 2) coverage limits and exclusions, and 3) whether they want to write a policy at all. One common item on their underwriting checklist is executive leadership of a risk management program. Having an MSP does not address these underwriting criteria. Having a CSO can.

Positive impact on audit/regulatory scorecards
The same principle holds true when it comes to regulatory audits and other third-party risk assessments. Having a CSO scores much higher than having risk management fall under the aegis of a CFO or CIO with other primary responsibilities. In fact, if and when an organization does experience a compliance issue, having a CSO who can document and attest to that organization’s due diligence can mean the difference between a mere warning and a painful penalty—because regulators draw a very clear distinction between failures that occur despite an organization’s best efforts and failures that they can reasonably attribute to negligence and/or shortfalls in executive oversight. Avoiding the latter in even one instance can be worth the entire cost of a vCSO program all by itself.

The bottom line: A vCSO engagement will enable your clients to reap the essential business advantages of a CSO without the high cost and extreme difficulty of finding, recruiting, hiring, and retaining a CSO in-house.

Getting started

The vCSO market is growing quickly due to high demand and constrained supply. So you probably want to launch your vCSO program sooner rather than later.

But there are several things you’ll need to do to get started. For one thing, you’ll need to educate yourself about how to talk about risk strategically rather than just talking about threats and countermeasures tactically. For another, you’ll have to add more compliance-related capabilities to your deliverables portfolio. And, of course, you’ll need to develop an effective and repeatable sales process for identifying prospects, assessing their needs, rightsizing your vCSO proposals, and turning those proposals into closed deals.

The best place to start is probably your existing client base. These are organizations that already know you and trust you. And you already know them—so you most likely have a good idea of why they could benefit from a vCSO engagement.

At the same time, you should also make it a priority to start including a vCSO offering in your proposals to new prospects as well. That offering can help you better differentiate yourself from competitors that only offer basic IT and security deliverables. And, if you segment your proposal properly, a vCSO offering can even help you close deals for those basic IT and security deliverables even when you’re selling prospects who initially decline or defer your proposal for a full vCSO engagement.

Here at Galactic Advisors, we specialize in helping MSPs make the challenging but profitable transition from managed IT and/or managed security to managed IT, security, and compliance plus vCSO engagement. So if you’d like some help with that, just reach out. We have the tools, training, and experience to make your move up the value chain faster, easier, and more successful.

In fact, if you want to really hit the ground running, you can sign up now for vCSO Accelerate coming up October 21. You will leave this unique, high-value workshop with an entire vCSO program in place—and with meetings already scheduled—so you can start delivering your first vCSO engagements right away.

Just click this link to learn more.

This is a sponsored blog post.
