Here’s Why MSPs Should Explore Adding vCSO Services: Galactic Advisors

It’s worth looking into vCSO (virtual chief security officer) services as managed IT services become commoditized, says Bruce McCully, CSO of the cybersecurity assessment and consulting firm.

In response to the growing risk from commoditization of managed IT services and the shortage of cybersecurity professionals who can fill chief security officer (CSO) roles, MSPs would be smart to explore adding virtual CSO services, according to an executive from cybersecurity assessment and consulting firm Galactic Advisors.

Bruce McCully, CSO at the Nashville, Tenn.-based company, addressed an audience of MSPs Sunday at XChange March 2023, which is hosted by CRN parent The Channel Company and being held this week in Orlando.

[Related: Zero Trust Security’s New Pitfall To Avoid: Over-Investing]

McCully said there’s currently a major risk of MSPs losing clients who opt to switch to lower-priced competitors as managed IT services start to see greater commoditization.

“What you do when all of these different components become commoditized [is] you focus on getting above it,” he said.

Offering vCSO services is a strong opportunity for MSPs because many already have significant experience in the cybersecurity realm, McCully said. “If you go through the exercise of building out your CSO resume, you’ll be shocked at your credentials.”

He recommended that MSPs who serve the SMB market choose to focus on medium-sized businesses with any vCSO service offering, since that’s where the highest growth is available right now.

McCully acknowledged that there’s a lengthy to-do list in order to be able to offer vCSO services, presenting a slide with more than two dozen requirements, but said that he and his firm have developed a number of resources to help MSPs get started, including a book that was handed out to audience members.

At the top of McCully’s list is to build the vCSO offering itself and profile what type of clients to target. Other key items on the list include completing a risk assessment questionnaire, getting familiar with the sales process for vCSO services and developing an incident response procedure.

Brian Edelman, founder and CEO of FCI Cyber, a managed security service provider (MSSP) based in Bloomfield, N.J., said his firm has been offering similar services since he launched the company in 1995. Edelman said the content that McCully presented about what’s necessary to offer vCSO is “dead on.”

However, it’s not a quick or easy transition to make, Edelman said.

“If you want to go down the path of being a security team, first off, it doesn’t happen overnight,” he said.

Edelman suggested that for an MSP that’s exploring the idea of providing vCSO services to clients, a key initial step is to become proficient at managing their own internal cybersecurity program.

“If you do it [well] for yourself, then make that jump,” he said. “But if you don’t do it well for yourself, then learn to do it well for yourself—and then make an informed decision that allows you to do something that’s good for you and your clients.”