The 2024 State of the vCISO Report continues Cynomi’s tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However, service providers looking to enter the vCISO market must address challenges like technological limitations and a lack of security and compliance expertise.
For more details on the state of vCISO, read Cynomi’s comprehensive report.
The State of the Virtual CISO Survey Report by Global Surveyz, an independent survey company, which was commissioned by Cynomi, provides a deep understanding of the vCISO opportunities and challenges facing MSPs and MSSPs today. The report shares insights from 200 security leaders in MSPs and MSSPs that provide cybersecurity strategic services or cybersecurity consulting and employ 50 or more employees. It shines a light on the growing adoption of vCISO services by service providers, the reasons driving this adoption, the challenges faced by MSPs/MSSPs, and how to overcome them.
Starting with the most striking data: in the upcoming period, 98% of MSPs and MSSPs that don’t currently offer these services as part of their portfolio — will. This incredible surge, which can be seen in Figure 1, reflects the growing SMB demand for specialized cybersecurity and compliance expertise and how vCISO services align with service providers’ growth and business goals.
Next, it’s interesting to examine the changes behind this surge. SMBs are tasked with protecting their assets, ensuring compliance, and meeting cyber insurance requirements. Yet, many do not have the bandwidth and resources to hire a full-time security executive. The vCISO role provides SMBs across industries with top-tier cybersecurity and compliance expertise, in a flexible and cost-effective manner. MSPs and MSSPs understand this need and the opportunity it holds and are consistently adding vCISO services to their portfolio.
Currently, 21% of MSPs and MSSPs are offering vCISO services. This trend is on the rise, increasing from 19% in 2023. It seems like this is just the start, with vCISO services gaining traction, and expected to surge in the next few years.
The vCISO landscape is expected to change dramatically in the upcoming years. According to the report, nearly all MSPs and MSSPs will offer vCISO services as part of their offering. 98% of MSPs that currently don’t, will do so. This is not only a phenomenal surge in the ecosystem, it’s also a change in the MSP/MSSP mindset that sees vCISO services as a must-have as part of their future offering.
The appeal of vCISO services lies in the multiple business and customer benefits that derive from adding them to the MSP/MSSP portfolio. 59% of service providers that added vCISO services increased revenue and/or their margins. Guess how many increased revenue by more than 20%? Answers in the report.
Just as importantly, 43% of MSPs and MSSPs identified improved customer security as a beneficial impact of adding vCISO services, 38% enjoyed increased client engagement, and 38% were able to upsell additional products and services.
These benefits show how MSPs and MSSPs have been able to leverage vCISO services to position themselves as security leaders and trusted leadership advisors. This change has been lucrative, resulting in more sales, customers, and revenue. Both of these advantages overlap with the strategic goals service providers have set for themselves for the upcoming year.
Yet, the path to vCISO success requires addressing certain challenges, as can be seen in Figure 4. 29% of respondents report that they lack the technology that can help them support and offer vCISO services. In addition, more than one-fourth feel they have limited security or compliance knowledge, which hinders them from adding vCISO services to their offering.
The initial investment required to build a vCISO offering and the scarcity of skilled personnel are also perceived as vCISO adoption blockers. This includes hiring and training a security team, required tools and technologies, and building work processes to support clients. Hiring is an especially challenging aspect since qualified personnel with expertise is scarce and costly.
The issue of security and compliance knowledge (or lack thereof) is not to be taken lightly. The report reveals a startling trend: a significant majority (98%) feel overwhelmed by the complexities of security and compliance frameworks like NIST, ISO, PCI-DSS, GDPR, and more. This lack of understanding poses significant challenges for both service providers and their clients.
While the importance of these frameworks is undeniable—they ensure legal compliance, and enhance market positioning—many service providers struggle to navigate this complex landscape. This raises the question: what tools and resources can effectively empower service providers to navigate the maze of compliance, ensuring both their own success and the protection of their clients’ data?
MSPs and MSSPs should not give up on the opportunities to offer vCISO services. vCISO platforms are key to achieving this. Service providers report that with a vCISO platform, they can capitalize on the benefits of offering vCISO services faster. As can be seen in Figure 5, MSPs and MSSPs have identified the main benefits of a vCISO platform as standardizing work processes (36%), accelerating onboarding of their new employees (34%), easy access to compliance frameworks (33%), and increased revenue (33%) and easy upselling (32%).
These benefits directly address the challenges reported by service providers. A vCISO platform is a technological solution that allows MSPs and MSSPs to provide security and compliance services without having to invest in internal security and compliance experts.
Such a platform helps service providers map, manage, and understand security and compliance requirements. It also standardizes processes and creates clarity so team members know how to use this information to enhance clients’ security posture. This also means team members of various expertise levels can provide high-quality services and that new team members can be onboarded and deliver value quickly.
The immediate byproduct of the vCISO platform is A) more customers that are B) more satisfied and C) more secure, resulting in higher revenue. In other words, the ability to scale and enhance revenue from offering vCISO services is closely tied to using a vCISO platform.
So what is the bottom line of this report? There is a high demand for vCISO services, as reported by MSPs and MSSPs themselves. With security and compliance being a strategic priority for SMBs, so should the offering of vCISO services for service providers. vCISO services help their clients build security resilience and meet compliance demands while driving MSP/MSSP growth.
As it seems, in the upcoming years hardly any MSP or MSSP will not offer vCISO services. Many of them will expand their services portfolio to vCISO by the end of 2025. This is aligned with their strategic goals to grow and scale their businesses.
A vCISO platform is key in this strategy, helping service providers overcome challenges related to technologies, teams, and security and compliance expertise. A vCISO platform helps onboard team members, build processes, and provides the necessary security and compliance knowledge so service providers can guide clients on their security journey. The delightful and profitable byproduct is MSPs and MSSPs’ ability to grow their business as well, making this offering a success for all involved.
For more insights on the vCISO landscape for 2025 and beyond Download the Report.