Your vCSO offering is more than security. It’s really about trust.

A lot has changed as the chief security officer role has taken shape. As computers have become a critical component to all businesses, there are tangible risks that many leaders are seeing today. They might not understand exactly how those risks impact their organizations, but they are aware they exist.

In addition to having someone on watch for their physical and cyber security, they need someone who can communicate and show them their security risks: the actual nuts and bolts impacting their business operations.

Securing a business is no longer just setting up a burglar alarm and expecting it to keep unwanted or unwarranted people from getting in. The problem is that leadership doesn’t always understand why simply investing in tools is not a solution in today’s environment. They might not be able to link how cyber attackers are getting onto networks and exploiting them (most of the time through some sort of clicked link) and the actual cost associated with that one clicked link.

They might not see or realize how tools in their environment work in tandem to protect against that attack. And if you’re not looping them into critical conversations, they might blame you when something happens.

That’s where your vCSO offering comes in.

What we’re seeing is cybersecurity awareness within company leadership is tied to client trust. Your clients are less likely to have confidence in how their business is being secured unless they have someone at the table explaining and strategizing solutions that they understand. If they see security as something your team is doing or cannot see how their security is being changed or modified to accommodate changing threats, they are probably not seeing a huge value in their investment and might not have complete trust that your solutions are keeping them safe.

As a modern vCSO, you will need to address different areas of securing a business than what might traditionally be thought of as security. These will include network security, protecting digital assets, regulatory compliance, due diligence actions, legal participation, along with operational and behavioral aspects of your client’s network environment.

Network and data security may be the obvious ways your solution would help them. Making sure that any locally stored and cloud data is protected and backed up will be expected of you, as will making sure that data does not escape from their network.

When it comes to compliance, you would have to audit their network and behaviors in an effort to modify or course correct processes that are not completely in alignment with requirements. Compliance will also likely include things like cyber liability insurance policy requirements. Basically, it covers any risks associated with guidelines.

Due diligence efforts will be the ways in which you are leading your client towards satisfying requirements or reducing their risks to what they are able to tolerate. A big portion of your job here is communicating risks in a way they understand (likely in the context of their business) and making sure they are taking the right steps in hardening not only their data and technology, but also their processes and people.

In the event something happens, you will be a key person in helping address legal concerns. They may want to work with their legal teams to make sure remediation efforts are implemented.

I hope the common theme you’re seeing from the above is that the vCSO builds trust between the entire organization and its mission of securing itself. They are a solidifying force to establish a reputation of dependability for data security.

As a vCSO, you are the pathfinder and problem-solver. You might not have all the answers, but you are there to guide the organization forward. You will provide the thought leadership around where their security is headed, which is far different than delivering implemented tools. You are the one forging relationships with key individuals within their organization and making sure they understand and are on board with the security decisions that leadership makes with your input.

Good CSOs don’t just follow standards and apply them. They aren’t simply making sure rules are being followed. They are having conversations and identifying the biggest areas for your organization’s improvement.

As an MSP, you are in the perfect spot to launch a vCSO offering. By vCSO, I do NOT mean CIO services. I don’t think IT support and day-to-day IT services can be intermixed with what a CSO has to offer. I think you have the experience and the ability to systematize the CSO offering in a way that creates extreme value for your clients.

For MSPs that are interested in not having to recreate the wheel to create a high value vCSO offering, we have a time-tested MSP-centered framework. Visit for details.