High-Value MSP Security Services Can Fend Off Low-Cost Rivals: Galactic Advisors

‘If you add in things like recurring third-party assessments and a vCSO solution, now all of the sudden your solution is completely different,’ Bruce McCully said Sunday.


Bruce McCully, Galactic Advisors

Managed service providers that do not build high-value security services such as virtual chief security officer (vCSO) offerings face threats to their businesses in the form of companies that offer commoditized IT and security at low prices.

That warning came Sunday from Bruce McCully, chief security officer of Nashville, Tenn.-based cybersecurity advisory Galactic Advisors, who spoke to an audience of MSPs and managed security service providers (MSSPs) at the XChange August 2023 conference, hosted by CRN parent The Channel Company.

Adding vCSO offerings on top of basic IT, advanced security, compliance-as-a-service and recurring third-party assessments provides a moat against not only competing MSPs but also companies such as that provide cheap commodity offerings, McCully said.


“If you add in things like recurring third-party assessments and a vCSO solution, now all of the sudden your solution is completely different,” he said. “Not only that, you can demonstrate value. When you go through and you break it apart in this way, all of the sudden, it’s a demonstration of value, and the per-user cost goes out the window.”

McCully continued: “It’s no longer something that [customers] are thinking about. This is how you move into that trusted advisor seat.”


Phil Walker, CEO of Manhattan Beach, Calif.-based Network Solutions Provider—a member of CRN’s 2023 MSP 500—agrees that MSPs should build more comprehensive security practices.

Walker’s company has long had cybersecurity offerings, and for the last three years, it has had four cybersecurity experts available as vCSOs, he said in an interview with CRN.

“In the data center, cybersecurity has always been a thing, so our clients have always needed strategic expertise, advice, consulting and sometimes even direction,” he said. “And the fact that you can provide that for a customer even if you’re not on the hook for doing it is an amazing thing.”

For customers who view security as a sunk cost, Walker has found success turning the conversation into security as a profit center, a reputation enhancement and a necessity for insurance, he said.

To avoid competition from the security commoditization companies, MSPs need comprehensive, wrap-around services to win customers, Walker said.

Part of the boom in vCSO demand from clients is the price of in-house CSOs, who can cost around $230,000 in annual salary, take up to seven months to hire and may leave the client after 18 months, McCully said.

And while the global MSP market is expected to grow 46 percent from $242.9 billion in 2021 to $354.8 billion in 2026, the global MSSP market is expected to grow 183 percent from $27.7 billion in 2020 to $64.7 billion in 2026, he said.

As for how to build a vCSO practice, McCully’s recommendations included building out elements such as a vCSO client profiler, vendor self-assessment and risk assessment questionnaires, incident response procedures, and physical access and remote user checklists.