The 2024 State of vCISO Report continues Cynomi’s tradition of exploring the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to an independent survey, demand for these services is growing, with both providers and customers reaping the benefits. The upward trend will continue, and even faster growth is expected in the future. However, service providers looking to enter the vCISO market must address challenges such as technology limitations and a lack of security and compliance expertise.
For more information on the state of vCISOs, read Cynomi’s detailed report.
Virtual CISO Health Review Report Global Surveyz, an independent survey company commissioned by Cynomi, provides deep insight into the vCISO opportunities and challenges facing MSPs and MSSPs today. The report shares the insights of 200 security leaders at MSPs and MSSPs that provide strategic cybersecurity services or cybersecurity consulting and have 50 or more employees. It sheds light on the growing adoption of vCISO services by service providers, the reasons behind this adoption, the challenges MSPs/MSSPs face and how to overcome them.
1. Who will offer vCISO services? Everyone!
Let’s start with the most surprising data: in the near future, 98% of MSPs and MSSPs that do not currently offer these services as part of their portfolio will. This incredible surge, which can be seen in Figure 1, reflects the growing demand from SMBs for specialized cybersecurity and compliance expertise and how vCISO services align with the growth and business goals of service providers.
 |
| Figure 1 – Graph of vCISO service offerings among service providers that do not |
2. The vCISO landscape is changing rapidly
Next, it is interesting to study the changes behind this surge. Small and medium-sized businesses are tasked with protecting their assets and ensuring compliance with cyber insurance requirements. However, many do not have the bandwidth or resources to hire a full-time security manager. The vCISO role provides SMBs in a variety of industries with top-notch cybersecurity and compliance expertise in a flexible and cost-effective manner. MSPs and MSSPs understand this need and the opportunities it brings and are consistently adding vCISO services to their portfolio.
Currently, 21% of MSPs and MSSPs offer vCISO services. This trend increases from 19% in 2023. This seems to be just the beginning, vCISO services are gaining momentum and are expected to grow in the next few years.
The vCISO landscape is expected to change dramatically in the coming years. According to the report, almost all MSPs and MSSPs will offer vCISO services as part of their offering. 98% of MSPs that don’t currently do this will. Not only is this a phenomenal jump in the ecosystem, it’s also a mindset shift for MSPs/MSSPs who see vCISO services as a must-have part of their future offering.
3. vCISO services are a profitable and strategic opportunity
The appeal of vCISO services lies in the many business and customer benefits that come from adding them to an MSP/MSSP portfolio. 59% of service providers who added vCISO services increased revenue and/or margins. Guess how many increased profits by more than 20%? Answers in the report.
Equally important, 43% of MSPs and MSSPs identified increased customer security as a positive impact of adding vCISO services, 38% enjoyed increased customer engagement, and 38% were able to sell additional products and services.
 |
| Figure 3: Impact of vCISO service offering |
These benefits show how MSPs and MSSPs have been able to use vCISO services to position themselves as security leaders and trusted advisors. This change was profitable, resulting in increased sales, customers and revenue. Both of these benefits align with the strategic goals that service providers have set for themselves for the coming year.
4. Obstacles to offering vCISO services and how to overcome them
However, the path to vCISO success requires addressing certain challenges, as seen in Figure 4. 29% of respondents say they lack technology that can help them support and offer vCISO services. Additionally, more than one-quarter believe they have limited knowledge of security or compliance, preventing them from adding vCISO services to their offerings.
The upfront investment required to build a vCISO offering and the shortage of skilled personnel are also perceived as vCISO adoption blockers. This includes hiring and training a security team, the necessary tools and technology, and creating workflows to support customers. Recruitment is a particularly challenging aspect as skilled and experienced personnel are scarce and expensive.
 |
| Figure 4: Top reasons for vCISO service offer rejection |
The challenge of understanding security and compliance
The issue of security knowledge and compliance (or lack thereof) is not to be taken lightly. The report reveals a startling trend: a large majority (98%) feel overwhelmed by the complexities of security and compliance such as NIST, ISO, PCI-DSS, GDPR, and more. This lack of understanding creates serious problems for both service providers and their customers.
While the importance of these frameworks is undeniable—they ensure compliance and improve market positioning—many service providers find it difficult to navigate this complex landscape. Here the question arises: what tools and resources can effectively enable service providers to navigate the compliance maze while ensuring both their success and the protection of their customers’ data?
5. The vCISO platform is key
MSPs and MSSPs should not decline the opportunity to offer vCISO services. vCISO platforms are key to achieving this goal. Service providers report that with the vCISO platform, they can take advantage of the vCISO service offering more quickly. As seen in Figure 5, MSPs and MSSPs identified the main benefits of the vCISO platform as standardizing work processes (36%), speeding up onboarding of their new employees (34%), easy access to compliance frameworks (33%), and increased revenue (33%) and ease of selling added (32%).
 |
| Figure 5: Key benefits of not using a vCISO platform |
These benefits directly address the issues reported by service providers. The vCISO platform is a technology solution that enables MSPs and MSSPs to provide security and compliance services without having to invest in in-house security and compliance experts.
Such a platform helps service providers map, manage and understand security and compliance requirements. It also standardizes processes and creates clarity so team members know how to use this information to improve customer security. It also means that team members with different levels of experience can provide high-quality service and that new team members can be brought on board and benefit quickly.
A direct byproduct of the vCISO platform is A) more, B) happier, and C) more secure customers, which leads to more revenue. In other words, the ability to scale and increase revenue from the vCISO service offering is closely related to the use of the vCISO platform.
6. Security strategies in 2025 for MSP and MSSP
So what’s the takeaway from this report? As MSPs and MSSPs themselves report, there is a high demand for vCISO services. Security and compliance are a strategic priority for SMBs, so the vCISO service offering for service providers should be the same. vCISO services help their clients improve security resilience and meet compliance requirements, driving MSP/MSSP growth.
It seems unlikely that any MSP or MSSP will not offer vCISO services in the coming years. By the end of 2025, many of them will expand their portfolio of services to vCISO. This is in line with their strategic goals to grow and scale their business.
The vCISO platform is key to this strategy, helping service providers overcome security and compliance technology, team and expertise challenges. The vCISO platform helps team members onboard, build processes, and provide the security and compliance knowledge they need to help service providers guide customers on their security journey. A wonderful and profitable byproduct is the MSP and the MSSP’s ability to grow their business, making this a win-win proposition for everyone involved.
For more information on the vCISO landscape for 2025 and beyond Download the report.
