Cybersecurity threats continue to rise, but the available IT talent pool is shrinking. In fact, studies show there is still a need for more than 3.4 million security professionals, which is an increase of more than 26 percent from 2021. Managed service providers (MSPs) have been increasingly called upon to fill the IT talent gap. The MSP services market is projected to hit $329.1 billion by 2025, up from 24 billion as recently as 2009. One service that MSPs are offering more and more is the “virtual Chief Information Security Officer,” or vCISO.
A vCISO is an excellent option for smaller businesses that want to centralize their cybersecurity and IT needs with an MSP. Surprisingly, however, only about 20 percent of MSPs offer the service, according to data from Global Surveyz. A vCISO differs from traditional cybersecurity services provided by MSPs: it concentrates the role of an in-house CISO into a virtual position.
“A vCISO offers C-suite-level talent to businesses of all sizes, which is a real plus today. Companies don’t have to hire a full-time person and all the training and benefits that entails. They can hire a vCISO,” says Winston Samuels, an IT business consultant in Dallas.
Putting it more directly, the Global Surveyz study says:
The vCISO role is designed to provide organizations with top-tier cybersecurity expertise without hiring a full-time executive. This allows businesses to access critical security insights and leadership on a flexible and cost-effective basis. However, despite these apparent benefits, adopting the vCISO offering among MSPs and MSSPs has been slow.
The cybersecurity talent shortage is affecting MSPs, slowing the adoption of vCISOs.
Benefits of a vCISO
Samuels explains that a virtual Chief Information Security Officer can offer a variety of benefits to an SMB, such as:
- Developing and implementing cybersecurity strategies. “Many small businesses don’t have a strategy, but a vCISO service can help them implement one.”
- Assessing and managing cybersecurity risks. “Some companies simply don’t know what’s a risk and what’s not; a vCISO can do a remote audit.”
- Overseeing the organization’s compliance with cybersecurity regulations. “This is a big one because the web of rules, regulations, and laws is getting increasingly complex; a vCISO will have that information or access to the information needed to ensure a company complies.”
- Training and educating staff about cybersecurity best practices.
- Responding to cybersecurity incidents. “While MSPs do this, a vCISO can offer a more targeted, systematic approach.”
Some virtual Chief Information Security Officers have specializations, which can be a great fit if matched with the right MSP. Some MSPs specialize in healthcare clients, finance, or education. Some vCISOs also occupy niches. “The role of vCISO is still evolving, but for the relationship to be effective, vCISOs should have access to top company leadership; that way, if there is a problem, they can talk directly with decision makers and budget deciders,” Samuels advises.
Opportunity to upsell and level the playing field
For MSPs, the virtual Chief Information Security Officer provides an opportunity to expand into other services. “A lot of MSPs have not wanted to take the initial plunge, but once they make that investment, it can quickly be recouped because of the rising demand for vCISO services,” says Samuels. He adds that there is plenty of opportunity for an MSP to upsell other services once a vCISO is in place.
He says the key is that the vCISO can be offered at a lower price than a company would have to pay to hire a full-time, in-house CISO, retain that person, and then train and replace them if the person leaves. The vCISO also offers a chance for SMBs to level the playing field with larger companies that may have their own in-house IT team. A smaller bank, for instance, could never compete with what one of the giants offers customers on the IT and security side.
“But with a vCISO, they can at least compete,” Samuels explains. “A vCISO in today’s environment is the way to go for most SMBs.” The vCISO offering can be expected to become an increasingly common service for MSPs as demand grows.