Risk, Revenue, and Responsibility: The vCISO’s Real Job
The rise of Virtual CISO (V-CISO) services is transforming how Managed Service Providers (MSPs) deliver value and drive revenue in today’s fast-evolving cybersecurity landscape. With regulatory pressures like NIS2 and SEC disclosure rules, and the growing threat of ransomware and supply chain attacks, businesses need strategic security leadership that goes beyond technical fixes. A successful V-CISO translates complex risks into business outcomes, helping clients protect revenue, close deals, and navigate compliance challenges. By understanding client operations, mapping risks to revenue impact, and using clear business language, MSPs can position themselves as trusted advisors. Building a thriving V-CISO practice means assessing current service portfolios, standardizing processes, and focusing on risk assessments as a starting point. For MSPs ready to evolve from tech providers to strategic security leaders, V-CISO services offer an unparalleled opportunity to deepen client relationships and unlock sustainable growth.
Guests
Video Transcript
All right. Welcome, welcome. Happy Monday to you all, and, uh, I hope you all had a fantastic weekend. Um, got, um, gosh, four of my favorites on today. And, uh, Mark Wilkinson, great to see you out there, clin. Great to see you as well. Great job, by the way, Clint on Friday's CIS call. I'm gonna be talking about that briefly as we do it, just to touch a banter here and let everybody come on in. Um, as I mentioned, um, the cyber call is now also, um, in a podcast format.
So what we're doing post event is we are, we not only have this go right up to YouTube where you can watch it over and over, but we are also downloading the audio. I'll put a URL in so you can wa uh, see, it's on every major podcast player. Um, we hear folks listening to it during their, uh, doing their mowing, their lawns, Phyllis and other, you know, weekend hobbies and things like that. So we're, we're glad we can, uh, you know, be, be with you, uh, during those, uh, festive times at home.
Um, so, so in, in regards to the podcast, today's, uh, this week's title is Risk, revenue and Responsibility, the, the V CISO's Real Job. And I'll do some who's here with us. We'll, do you want to touch a banter? And then I'll get on into today's subject. So, with us here today are, uh, David Primer. He's the CEO and founder of smi.
I have, we have Brian Blakely, uh, who's had numerous roles in the MSP space from owning the MSPs, multiple MSPs to owning a, a really very successful CSO company that with a successful exit just a few years ago. And now he, uh, helps compliance scorecard on the professional service side as their chief risk officer. Um, net Lynch, welcome back to the state. Um, you were over abroad, uh, Italy, and all these different countries for, I think it's 78 days.
So welcome back for the US and as always, thank you, um, VP of content at CIS. I'm Andrew Morgan, uh, host of the cyber calls. So that's all that fun stuff. By the way, I'm going to put in chat real quick here for you all. If you wanna listen on any of the major podcast players, uh, that's how to get to, um, now, uh, the podcast, uh, write a boom podcast, which by the way, brought all of the cyber cast stuff that we did. Billy Turner, awesome to see you, Ann, awesome to see you.
Um, all the great stuff, Phyllis, that we did, gosh, going back probably three, four years ago on, oh my gosh, controls. Um, so just so you all know, if you are looking to implement the controls, touch up on the controls, anything like that, um, we've had north of 12,000 people, uh, listen to the CIS Controls podcast that we did with, uh, Phyllis, Ryan Weeks, Wes, Spencer, and Brian, you were part of it as well. So I highly recommend that, that you can find in there.
So, Brian, let's start off with, just to touch a banter before we get into, you know, real intros in today's, I wanted to, uh, a touch of good news, uh, in the channel. So, um, Ingram, fully operational, which, you know, they did that pretty quickly. I was really glad to see that for them and for the channel, for the people that need to, you know, rely on Ingram. They, they're, they're a massive organization that supports a huge amount of the, of the channel.
I did want to ask you, Brian, and I'll put the URL to their site, uh, their comm site up. As somebody that has had a role as a CISO for a $50 billion FinTech company, you've been in the, you know, in the hot seat, you've, you know, had a, you know, be in, you know, boardroom meetings that are not pleasant many times is whether a vcso, ciso, one of the big things is comms, right? And, and we, we, we talked about this last week. I, I just like your opinion on how the comms were in this.
Are you, are you okay with it? Did they do a good job? Would you like to see different, like these days, as I talked about last week, this is a tenuous area because people have gone to jail in the last few years. Um, CISOs have gone to jail. Um, sometimes they should. Other times they're the fall guy or gal. So I'd love your thoughts on what, what you're seeing here.
Yeah, Andrew, first of all, I, I share your sentiments in terms of genuinely being glad to see Ingram, uh, micro back and operational, right? I think any disruption at that scale really has a ripple effect, uh, for MSPs and really the entire supply chain. That said, I would, I would, I would characterize the com communications as, as safe, um, perhaps heavily slanted or weighted on the, the legal aspects. They lack some transparency, which kind of is a ding to trust.
Um, you know, I'd call them professional, but the comments, uh, and, and communications, um, professional, but sterile, right? I, I think clarity in these times and transparency are the, the currency, right? The phrase like, unauthorized access doesn't, doesn't tell me much. And working with law enforcement as, again, table stakes are being captain obvious, you know, mid-market companies and MSPs should really pay attention here.
I think incidents are obviously inevitable, but, but trust is retained or lost during your communications. So I would counsel say, what happened? You know, what it means to your customers and what you're doing next. Ambiguity helps no one. And to own the narrative here, I think is important. 'cause if you don't own the narrative, someone else will, and they'll generally fill that in with fud, right? Fear, uncertainty, and doubt. So that, that's kind of my take on the initial.
Maybe there's gonna be more co communications later, um, but it felt very safe, professional, sterile, and, and heavily slanted towards not balancing the legal and the transparency. Look at, you wanna see a couple good ones out there. I always like to know what does good look like. Then, uh, Shopify and Twilio are a couple of good ones. Uh, if you want to do some research or look up some of the, the past, um, notifications they had on a few event, um, breaches.
I'm so used to calling breaches events that I've been well-trained here. Not to say the B word, but those kinds of things, um, out there in the, in the wild, they've got a couple of good ones, very transparent, but they did a good job balancing transparency with, um, the legal parts. Yeah, really good, good insight. Brian. Also, CloudFlare, when they had theirs, they, They, oh, good one. Yeah. Really well done. Uh, if you Guys, yeah. Forgot about that. Yeah. Um, net put me on the spot.
I didn't ask you if you wanted to comment. And again, I know you're back. Did, did you look at anything, and I always like to get the MSP's perspective. Did you see it? And as the Ms. P, what are your thoughts? Yeah, I think it was kind of like that pause, oh, crap, we don't know what's happening yet when the no news first broke, because, you know, they are a major supplier to so many MSPs and to clients.
So, um, there was a lot of nervousness until the comms finally came out and we had better understanding of what was happening. Um, and I think at this point, from the MSP perspective, um, it's like a, um, um, a guarded sigh of relief. Like, we're not quite through it yet. It's not quite finished, but it, it's not as bad as we first anticipated. 'cause you know, when a major supplier like that announces they've had an incident, you think worst case scenario first.
So I, I think that's where we are right now, um, from the MSP perspective. Got it. Okay. Fantastic. Let's move on here. By the way, I am putting Brian Blake Lee's LinkedIn in the comment section. Um, and the reason I wanted to do that is if you are not following Brian, you really need to as an MSP, um, he posts probably once a day, give or take. Um, and, you know, he is involved with, you know, most of the time with MSPs sitting in the VCSO or CISO position.
Um, and you will find, uh, and this is a Brian Blakely term, a treasure tro, uh, of good stuff in there, he posts about how the conversation should really go, how to tie what matters to an end, to the customer, to the executive speak in their terms, versus how we t typically technically speak. So, um, uh, again, please, uh, if you want to get better at comms communications and driving revenue, uh, take a look at Brian's site. So let's get on into today. Let's do a few quick intros.
Uh, first off, David, first time on, uh, the cyber call. It's a pleasure to see you. Um, and for those that may not know you, uh, uh, congrats on on building a phenomenally, uh, phenomenal company. I mean, you guys are absolutely, uh, doing a great job. And, uh, I'm really looking forward to, to, to getting, this is a big topic today, but tell us a little about yourself. Um, and then, um, I'll have Brian do a quick intro and we'll get going. Thank you, Andrew.
And, uh, thank you for being, uh, for inviting me here. So, uh, David, uh, Primo out of Israel, um, spent many years in the Israel cyber intelligence, uh, about 15 years, Lieutenant Colon, um, small break in Switzerland to, uh, to find the Higgs boon, uh, in Exxon, the big particle accelerator. Did my PhD there. Went back to Israel and established the cybersecurity authority. I've been leading the, um, technical group there, building the national cert, and then understanding it.
I think it was after the one prior attack that there are so many SMBs and mid-market companies that are not well protected. And, uh, there's sometimes some, some foolish things and mis uh, configuration. And, uh, big cus big, uh, companies have CISOs and, uh, small companies. They, they don't know what to do. So, uh, I decided to establish TMI and to help eventually MSPs and MSPs to provide virtual CISO at scale. So, uh, very proud to be here, uh, Andrew.
And, uh, uh, luckily we have a bunch of MSPs and, uh, uh, we are trying to, uh, to help this community to go bigger and of course, to protect, uh, the ones that are usually not protected. Thanks for that, David. Really appreciate what you're doing, Brian. A lot of people do know you, but for those that don't, quick intro, uh, of yourself as well. Yeah, thanks Andrew. And thanks for the plug on the LinkedIn stuff too. But hey, everyone.
Brian Blakely here, spent the last three decades or so, plus minus in the trenches, uh, really starting as an engineer, and then founding building, growing, selling, exiting several MSPs over the years. I'll say some of the exits were more successful than than others.
Then evolving into kind of a full-time mid-market portfolio company, CISO for four years at a FinTech company, and several vcso roles, uh, really helping MSPs and SMBs and larger mid-market companies turn, uh, really security and compliance into, into real business value. And I'm excited to be here today, again, on the cyber call. Always humbled Andrew, when, when you tap me to be on the call. So thanks again for that.
And, um, you know, this topic too, what the vcso role really is, and, uh, really excited to kind of get into that over the next few minutes. Yeah, absolutely. Thanks. And that, we'll do let you do a quick intro, and then you can just start right into your first question on over to Brian. And I'll find that Wall Street Journal article as well, that I know you're gonna a ask about.
But, uh, it, it's, it's interesting, uh, Nat, that, you know, vcso is starting to become a, you know, when, when you, you see com, when you see Wall Street Journal do articles on vcso, um, that, not, not saying that that's, we've reached the pinnacle, but the fact that it's becoming a, an adoptive thing and industry, or, or I should say media is talking about it, says something. Um, so a little bit about yourself, Ned, and I'll let you take over. All right. Hi everyone. Ned Lynch.
I'm the CISO at Craft Kennedy. I've been in tech for 30 years. The last, uh, 20 or so have been in the MSP space focusing, um, unex exclusively on client strategy, including VCIO and vcso. And I've sat in almost every seat in an MSP. So I know this world inside and out. And one of the big game changers was that light bulb moment when I realized, wait a minute, clients don't care about features, they care about how this solves business problems.
Um, so that's kind of how I've built, um, the, the services around me since then. Um, so Brian, first question for you. So what do you think is driving the sudden momentum behind the VCSO services? Like from a regulatory shift, like the, the NIST two directive that came out for business expectations?
Um, as, uh, Andrew mentioned, there was an article in the Wall Street Journal, which is normalizing this, and it's not such a, um, situation where, um, my IT services company's trying to sell me something. Now there's getting legitimacy behind why companies need this, so I'd love your take On it. Yeah, great question.
Nat and I, I went to look at that, that article, and it's behind a subscription gate or something, and I'm a data privacy nerd, so I, I, I'll take your word on the actual content of the Wall Street, uh, article, but it is, to Andrew's point that it's getting that kind of visibility, I think is, is important to, uh, you know, vcso and what that means.
But I think there's a few forces driving the surge for, for, for really vc, so demand right now, I, I'd say it's things like regulation, uh, business risk visibility, and this revenue pressure. So first, when I think about like regulatory expectations, they've exploded right from this two in Europe, SEC Cyber disclosure rules here in the, the US boards and executives are now personally accountable. Andrew, you, you mentioned that, right? And you can't, you can't outsource that liability, right?
But you can outsource leadership. That's where I think the vcso can step in and be a big help. And I think second risk is no longer abstract, right? Ransomware, supply chain attacks, like, uh, Ingram Micro, even like we've talked about, these are now more, I'll call it kitchen table kind of conversations, right? Businesses are realizing that security isn't just an IT problem, right? It's an enterprise wide obligation, right?
They want someone who can align security strategy, policy and operations without hiring a $300,000 a year full-time ciso. And the last thing I think the real tailwind, um, is, is more economic in nature, right? Coming companies are, are needing to prove resilience to win deals, right? Keep contracts and in air quotes kind of pass audits. And a vcso doesn't just reduce cyber risk. They reduce sales friction. You mentioned that too in your intro. Now, I think that's important.
You're greasing the wheels of the sales team, right? By having some of this compliance stuff done, and then insurance costs and reputational exposure. So I always say a good vcso helps close close revenue and close deals just as much as they close or shrink risk gaps, right? So we're at the point where not having a security leader, if you want to call it a vcso, whatever that is, not having that security leader, isn't seen as lean anymore, right?
It's seen as, as reckless and MSPs that recognize that shift, I think are gonna be in a great position to, to lead here now. Yeah. That's great. Great feedback. Um, so Brian, next question over to you, David. Um, you built a team of successful, I think we're sorry. Yeah, I think we're over to David. No, do or Oh, yep, you're right, you're right. I skipped, uh, thank you for that. Uh, David, hi.
Um, so there's announcement that you have made recently with Deutsche Telecom, pretty big announcement there. Um, and you launched your vcso services with them using smi, which is fantastic. Congratulations. So what is this signal to the MSP community globally about where the industry is headed? Yeah, It's a great question. Um, and when I mentioned smi, we, uh, mainly focus on MSPs and MSPs, uh, in the us.
And, and I think that the fact that, uh, Deutsche Telecom as, uh, one of the biggest telecos that also has this consultancy services and sells a lot of, uh, um, cybersecurity stuff to the customers, decide that they want to establish the virtual CAW services, it means that virtual CAW should be a core offering within many MSPs and MSPs. It's not a niche, it's something which is, uh, a big company like Deutsche Telecom.
And, and I guess that you could imagine decisions like that in the, um, headquarter of Deutsche Telecom to say that we are going to, uh, establish, uh, a new set of, uh, um, businesses. I think it's something very, really unique. And, uh, and the fact that Tsunami is, there was a, a great news for us. They understood that if they want to provide virtual CSO X scale, and they have thousands of potential customers, they need automation, they need, uh, standardization.
And, and as Brian said, that they need a, um, a platform that helps them to, uh, to manage and help them also to, to generate a RL. Because we understand that a virtual ciso, it's not only protecting, it's also helping the business. So I guess this, uh, big opportunity, uh, uh, maybe a signal to other MSPs and MSPs High, there is a big opportunity here, and you should step, uh, uh, and, and start thinking about the future of cybersecurity services.
And, uh, it's not, uh, a maybe it's not, uh, let's see what is going on. Virtual CSO services are growing, and if you want to, uh, to be, um, I'm not sure if it's early adopters, but maybe it's, uh, it's kind, it's, uh, MSPs and MSPs that want to join before the pick. Na, I, I think, uh, Eric Wells make, and there's Keith, you know, some good, good comments, but Eric's like, you know, about, you know, allows smaller firms to leverage expertise they normally couldn't afford.
One thing that, Brian, maybe you could touch on this, you've touched on this in other sessions of the cyber call, and I'm kind of teeing off Eric's, that, you know, these smaller organizations don't think about, you know, their contractual obligations, things they've actually signed off on that, you know, really could mean the difference in 6 40, 60, 80% of their revenue.
You know, that, you know, whether it's compliance rolling downhill, whether it's something on breach notification, data privacy. Can you, can you kind of maybe fill in those just quick blanks on that, why you, why you always dig into that area? Why is that so important for small businesses? Well, small businesses generally sell into larger ones, right? And, and when smaller companies do that, they usually don't have the maturity when they're reviewing that contract. We all enjoy revenue, right?
And we're like, just sign the contract. But looking at your, your client's customer contracts, they've agreed to all kinds of data security and data privacy requirements in there, and sometimes compliance obligations that they're in breach of.
And so having that conversation, in fact, if part of your risk assessments don't involve reviewing your client's customer contracts, the contracts they, uh, engaged in, then you're missing not only risk, but you're missing golden opportunities because a small business understands I have a contract and it's worth 50% of my revenue, and if I'm not fulfilling the obligations of that contract, I'm a breach of that contract and thus putting that revenue at risk.
And so, nothing's better to have that conversation, especially as an MSB that doesn't always do the best of job of articulating the value of the products and services they do. Now, they can tie these products and services directly to protecting the revenue that's tied to a contract that's very tangible and SMBs, um, understand that, right? 'cause it, it makes a significant portion of the revenue.
So instead of it being some theoretical risk, you can really tie that product or service you do to protecting, uh, their, their promises that your clients made to their, their customers. I think the other thing you mentioned a lot too, Brian, is that it's way more compelling for an executive to hear something like that, versus you have your, you know, S3 bucket where you store your data, has a potential vulnerability or like that, that's, that doesn't mean much to an executive.
Yeah, here's the eight things we need to do to shore up the weaknesses that are driving 80% of your revenue. That's a different conversation, right? And then the proposals and all the stuff that has the technical stuff and all that kind of stuff, they can connect the dots to what you said earlier when you're connecting, uh, the technical jargon and stuff into something that the business can, can understand, consume, and react to, and resource, Right? Good.
And so, sorry, net, that's, I get all pumped up here, comments in there by Eric and, and Keith and all this good stuff. So go ahead and not No worries. I'm the same way. Eric Wells just joined my team at Legion, so I'm happy to see, uh, he's already having an impact. Alright, uh, Brian, next question's for you. Um, you built a team of successful vcso at Cozen. What made that model work and how did you prove ROI to clients early on?
Yeah, I think anytime that, you know, you're talking about vcso or professional services around security in general, um, the, the VCSO model we put together I think worked because we never led with compliance or tech or frameworks or stack we led with the business, right? Our entire approach was built around really one simple but powerful question. And Andrew's heard me ask this a million times, right? But how does this client make money, right?
Once you understand that security stops being theoretical, right? It becomes more intentional. And the VCSO program, um, shouldn't be a technical gatekeeper, right? Should be a strategic operation. So focusing, uh, you know, what we focused on identifying the critical business functions that drive revenue and then map the risk that could screw up or damage or destroy those, those functions.
Usually a client only has two or three critical business functions that drive the majority of the revenue, and that's a great place to, to focus. And that's what we protected. That's what you measured and that's how you, we proved ROI we didn't show up with like this laundry list of 150 controls and a bunch of of audit jargon, right? You show up with leadership, right?
Help clients make intentional decisions about, about where to invest, uh, what not to invest in or what to skip, and how to prioritize based on business impact. Not just a check a to check a box, but to move forward faster with confidence. So we delivered security and compliance strategy and execution, I'd say, with the least amount of friction possible. That's the number two question you always get when you talk to a client about vcso services.
How much, but what ki how much money is this gonna cost, right? That's always part of it. But the bigger part is what kind of friction are you gonna put in my ability to, for my team to do their work? You're gonna put in controls and you're going to, you're gonna recommend all this stuff to shrink risk, but at the end of the day, how is this gonna impact the, the business's velocity to get product out the door? The services, uh, services they do.
So you don't wanna make security a blocker, right? A business accelerator, you wanna be able to push that skinny pedal on the right and, and accelerate the business and, and always keep, and I'll end with this keep cost top of of mind. You know, our promise was you'll, you'll and is, even today on the pro services side, you'll never spend a dollar more than you have to, to say secure, compliant, competitive, that's being intentional with the spend.
So in the end, you, you can kind of prove ROI, not by reducing risk on paper, right? But by helping clients protect their revenue win deals, right? Satisfy partners and sleep at night knowing they're not one bad day away from a, a breach or a lawsuit. And I think that's the real leadership net and, uh, what a vcso is really supposed to do. Fantastic. David, next question's for you.
Are there certain characteristics you look for in an MSP that you know, will have a greater chance of success in their vcso practice? And would you be able to share some insights on roles and processes so that all the MSPs listening can take notes on, uh, how to begin their journey if they're not already in it, or to improve their strategy? Yeah, yeah. So of course, it's, uh, easier to start this journey, um, by finding some MSPs that already provide, providing some consultancy already.
So it could be risk management or some compliance as a service or vulnera vulnerability, um, um, measurements or any type of, uh, consulting to the, uh, customers. So the step from, uh, providing some kind of consultancy, uh, or cybersecurity professional services to virtual CISO would not be a, a very big step.
But what we see, because, uh, uh, most of the, the MSPs, let's say 30%, uh, have some kind of consultancy and, uh, lots of MSPs are currently want to be, uh, uh, to provide those services, let's call them the aspiring MSPs. I think that first they should, uh, um, take it really seriously because it's not, uh, it's not easy to provide virtual CISO services. You must understand that there is some kind of investment.
We believe that, uh, the ROI will comes, but, uh, you must have at least somebody who, uh, uh, or gave some consultancy services in the past or willing to learn very fast. I think those MSPs that are willing to, uh, to use some kind of a platform that take this, uh, journey and accelerate it, it's very, very, uh, uh, important. The second one is it's not, uh, an niche.
So you, um, so the MSP must, uh, um, understand from the executive point of view that it's really something that they want to, uh, uh, invest in. They understand that, uh, there is a major potential of, uh, revenue stream, and there is involvement of the managers as well as, uh, some champion within the MSP that is willing to, to take it. Uh, lots of times we see a problems of, okay, I want to establish this service, but how can I find my customers, my first customers?
I think this is one of the things that, uh, holding MSPs to start, uh, building the virtual CSO services, and I guess it's the same, uh, problem with other services as well. I think that starting, uh, or finding the way to start with your existing customers, it's better to, to find the early adopters, the ones that might have some, uh, regulatory, uh, uh, requirements, uh, maybe insurance problem.
And, uh, I would recommend taking maybe companies that already unfortunately have been attacked so they understand that they have to, uh, uh, improve the cybersecurity posture. So finding the first customers, and when trying to provide those services to the first customers, it'll be much easier to progress and to add more and more, um, customers in the future. Ned, when you hear that, what about you? I, I'll ask you, you've scaled and you are scaling bcso and services.
First off, what about doing it in turn, you know, the old, you know, eat your own dog food, eat your own tacos, the whole nine yards there. How important is that doing it, you know, being able to do it yourself before scaling it out? Absolutely. And I would choose tacos over dog food. So eat your own tacos, right? If this is something you want to offer to your clients, do it internally first.
Do it on your own MSP first one, you're gonna go through the controls and have a better understanding of what they really mean and what they're looking for. So when you're having a conversation with a client, you're speaking from experience, and two, you're doing a security assessment on your MSP, you are part of the supply chain, you are part of the risk to your clients. You should be doing a risk evaluation. And this is the perfect way to do it. You know, especially using a framework.
I like ci IS um, and using that to evaluate your MSP, going through the controls, understanding how to collect evide evidence and what's gonna be required for that is, um, a super Valuable experience. Not only that net, but I think to Brian's point, you start off with how do you make money? Well, we know how we make money. And then you probably have, probably, again, the 80 20 rule, right? Net probably most MSPs could say, yeah, these 20% of my customers make up 80% of our revenue.
And then more than likely, Brian, in the days you had your MSP, I'm as probably there's some, you know, compliance roles downhill. Some of your larger accounts as an MSP, right? Whether it's them directly are regulated, or their biggest clients are regulated, are going to start to roll the questionnaires downhill. Is that fair as well? So you're looking at it through your own lens, but then if you're, if you can get a handle on this, you can go then have that conversation with others. No.
Yeah, a hundred percent, right. MSPs, we always learn by getting our hands on something, right? There's always this, okay, let me do a proof of concept, or let me play with it, or let me mess with it. And messing with it on yourself is a safer environment. But you do start to build up what I, I think is wisdom, right? You go through the process yourself and you say, Hey, I looked at my own contracts and I saw this.
Now I have a compelling story and some wisdom when I'm trying to sell these services to my client to say, oh, we did this on ourselves and here's where we screwed up and how we should have done it, right? There's a certain level of vulnerability there, but at the same time, you can prove you've gone through that journey.
And that's extremely valuable when you're trying to, after you've done it on yourself, you've gained the wisdom, you've looked at your own contracts, you, you found your own stuff and you fixed it. That's a, that's always a compelling story that you can share with your, your clients and clients wanna hear that kind of stuff too. 'cause it builds confidence and trust that you're able to, that you've been there and done it, and you have some empathy there in how you deliver the service as well.
Two, a quick question, Brian, before we hand it over to Phyllis. Um, I think we're at that point, right, Matt? Um, but, but Brian, um, oh gosh, drawing a blank. He's gonna shoot me at Strive Technology. I'm sorry, dude. Um, just shoot your name in there. Um, but he asked, did you actually, you know, ask to go through, um, your customers, you know, contracts and you know, what they were committing to? Would you actually do that, Brian, and would you Oh my gosh, Yeah, yeah, yeah.
What what I generally do is sample recent and most significant David, Okay? Yeah. Recent and most significant, uh, contracts that they've signed, you know, and, uh, generally you'll have some clients that don't wanna do that, and you can say, Hey, let's just do a screen share. All I wanna see is kind of the data security, data privacy and compliance requirements in there. Um, we can black out the rest, do a screen share, or, or you can ask them to go through.
But generally speaking, if you, if you share the why behind it, right? The why behind is, Hey, I wanna make sure that every dollar you spend on security and compliance is consistent with some of your obligations and promises you made to your clients. That's the why. I don't want to, I don't wanna quote something that you don't need. And the best way to determine these are things or products or services that you're gonna need to shrink risk.
Hey, you've got some things you agreed to in this, in this client, in this customer contract. I'd love to see what those are. And I, all I care about is the data security, data privacy requirements. Um, in there. Do, would the incident handling fall in that as well, Brian, or, well, that's The data security requirement, oftentimes. Yeah. And, and our clients agree to all kinds of crap in there, in there, right?
They'll agree to, for example, like, uh, they'll agree to 48 hours upon any security event, right? And it's like, hey, you can counsel your client say, Hey, next time when you're going through this process negotiating agreement with client, the vcso, we, we'll look at those data security and data privacy requirements, and we'll give you some areas where you may want to consider pushing back.
We might want to refine that to 48 hours for any, uh, event to, to 72 hours, you know, within a confirmed data breach involving the scope of data within this agreement, right? Or something like that. You would relo that, but, but something to that, that effect, because there's no way 48 hours in every event, whatcha gonna do call your client every time that somebody clicks on a phishing email or, or something, right? We don't don't want to do that.
And, and chances are the client doesn't want that either. So might as well get some of that, some of that, right? But that's usually what you're looking for. Also, you probably wanna know, like, Hey, do I have the right to send down and secure, you know, like what, What Right to audit, Right? Yeah. Yeah. What kind of audit language is in there, right? Brian? Like, Hey, you know, client's About paint, uh, faint.
When you tell 'em, oh, did you know your customer has the right to call you at any time and, and audit you against the promises you made in this agreement? And I'll tell you, I've done everything out there from SOC two, attestations, ISO certifications, CMMC, now fed ramps over the years, and these client risk assessments these days are on par with that.
What used to be a security questionnaire and yes or no questions has turned into this trust and verify where we don't believe you when you say, yes, we wanna see an artifact or evidence uploaded here. And by the way, we also wanna call you, by the way, we also want two days to go through these things where our risk nerds are gonna talk to you guys. We're gonna wanna know, they're gonna wanna know all this kind of stuff, right? All kinds of proof, right? Don't we hear your words?
But let's see, some screenshots, some log files, some other evidence that you really are doing these things, clients about faint when they've, they realize they've agreed to a lot of this stuff. Yeah. Good. Tell us over to you, That's really good stuff. I think, you know, you've covered a lot of, um, my next question, so I'll ask you, do you have anything to add on, you know, how would you coach a technical MSP or security lead to talk about revenue and risk versus tools and tickets?
And then, you know, what qualities or kind of what services do you believe make a good vcso? Oh, wow. Um, good question, Phyllis. Um, I tell you, every MSP or technical security leader, I tell 'em all about the same thing, right? If you want to earn, right? We always hear about this getting a seat at the table and earning a seat at the table.
And, and the meme here is the Thanksgiving Day meal, where you see at the adult tables, the CEO and the CFO and the CO and at the kids' table at Thanksgiving, you've got the ciso and, and they're not allowed at the, uh, big table yet, the adult table, right? That's kind of the meme. And, um, you know, I, I always tell 'em basically the same thing. Stop talking about your stack and your tools and your tickets and blinking lights and white noise, and start talking about revenue and risk.
So here's how I coach. First, ask your client again, you know, how do they make money? What's their most profitable areas of their business? What are their revenue streams? Not what tools they use and how many endpoints they have, but how they make money. Then map their, uh, critical business functions that drive that revenue to risk, that could disrupt that revenue. Okay?
So when you could say, if the system goes down, you're, if this system goes down, your invoicing stops, or if this data leaks, you'll lose your biggest contract. That is speaking their language. I also coach them to understand contracts, not just configurations. We've talked about contracts, right? So the best vcso I met her know that, that most security obligations are, are packed into customer agreements, insurance policies, and regulatory commitments.
So you're, you're not just protecting us server, you're helping your client keep a promise to their customers, okay? And I think that's what separates a vcso from a TAM or a technical account manager kind of role. Uh, I think historically MSPs have been challenged with the little V role out there, right? VCIO and vcso. There, there's a challenge there. And, uh, lastly I'll say, a great vcso, uh, doesn't create, uh, fiction, right? I've said this friction, right? They, they remove it.
So they guide the business to make, I think, intentional informed decisions with the least amount of disruptions. So they don't just say, do this, this is the control, and beat them over the head with it, right? They say, here's why this matters to your revenue, your reputation, or maybe it's your runway. So good VCs who brings that clarity, prioritization, um, confidence, and a great one, they help the business spend the least amount of money necessary to be, uh, secure and con compliant.
I think that, uh, Phyllis, that's, that's value, that's, that's leadership. And that's how we turn techs or tams into that almighty proverbial, um, trusted advisor role. I think that's great because, you know, when I was at the National Security Agency and we always used to be like, oh, if only they patched, if only they need this, what's it going to take? And at that time, we were pretty young in kind of like the cyber world and all that.
And, and what we always tried to do was scare the bejesus outfit of everybody. You don't wanna be the headline in the Wall Street Journal, but you know, what you realize after years and years is you can't scare people into paying money and dedicating resources towards cyber. And so really what Brian said is golden, you know, you have to make the business case for them, and you have to coach them, them Specifically. Yeah. And the only way to do that is to get to know them, right?
And ask questions and listen. Uh, you're exactly right. That's awesome. I have a question. So, how long do you think an MSP should invest? Like here, you haven't had a client, you don't have a client who signed on, you're like kind of, you know, negotiating, wooing them, showing them how great you are or whatever. Like how long? I'm, I'm not an MSP, I never owned my own business. Is this in the beginning of stages?
Have they already signed, like outta curiosity, like how long do you dedicate to, to this process and then you realize it's not working, or, okay, yes, it's gonna work. Is That question for me, Phyllis? For You for, yeah, yeah, Yeah. And when you say not working, could you share a little bit more about that? I would say, um, maybe someone's like, well, I still just want the cheapest thing ever. Like, I don't want, so often on this call we hear, how can I get my client to pay for security?
Right now? We often hear also back from Gary Pika is, well, you didn't make the right business case. And so, you know, I'm curious like, what is the success rate perhaps that you have? Maybe net what you have, and then how much time should an MSP dedicate towards, um, towards, you know, creating the case for vcso and those services that an organization should be paying for? Yeah. In, in my opinion, there's the market's kind of fragmented for these services in three different areas, right?
You have these people, kind of what you're talking about, Phyllis, that may never understand or get vc, so they never see the value in it, and you're probably not gonna win that case. And they, they might be, right? Then you have this tasty top, right, I'll call it the tasty top that says, highly regulated. They get compliance, they know they need it, they have to, then you've got this larger middle section, the meaty middle.
And I think to make the business case is really getting into, if you can do that risk assessment and roadmap, and I've said this before and I hate to sound like a broken record, but if they're even on tightest people on money, you, you say, Hey, I've gotta make sure we're intentional with your money and your budget. You don't have a bazillion dollars to spend on this, and I wanna make sure we get this right.
And I wanna make sure every dollar you spend, we can connect the dots to leadership intent and solving a business problem. I don't wanna sell you a bunch of stuff that you do not need. And the best way to do that is part in part of the, you know, having a risk assessment and roadmap is being able to ask the, the business the right questions and tease out what's important to them. Okay.
And then that's, that's usually the revenue drivers, you know, again, where are their profit centers where they make money? And I really focus in on their hard and tight and get in there because they understand that. So everything I connect when I'm talking about risk connects the dots directly to to, to them. And this is important, and I think a lot of us miss this, is be very specific in your conversations with your clients.
And that might take a little bit of time, Phyllis, to get to know them a little bit. Mm-hmm. Because if they call a widget a gadget, call a gad, call it a gadget every time, right? And, and make sure that when you're talking to them, you're very specific in their lingo and their industry vernacular and what they're saying, because you'll build that rapport and trust much, much, much more, you know, much quickly, much more quickly.
And, um, be able to, uh, resonate and provide value that, again, that they can understand, react to, and put resources behind. If I, if I can add, Yeah, go David, I was gonna Yeah, of course. Yeah, please, David, go ahead. I was gonna, yeah, So I think, uh, if to continue Brian thoughts, I think it's, uh, it's about, uh, cybersecurity journey that we want to take, uh, the different, uh, customers of the MS P.
So they want those that fully reg regulated, they understand that they need virtual ciso, but most of the customers, and I think that we understand that everyone needs to understand the risks. Every, every customer need to have some kind of a roadmap. And the thing showing, uh, the gaps for every customer, even if it's, uh, it's not a full risk assessment, it's partial risk assessment, something to raise the appetite of the customers to understand that there is something else.
Then tools, something else that, uh, now they understand that they have gaps, they cannot ignore that. And then, um, take them to the next step, maybe for risk as full risk assessment, and then taking them to the next step of maybe compliant and picking the, the framework that they want to follow.
So, uh, so I guess it's, uh, how to educate your customers and how to build a program which is not a, a, a virtual CSO to, to those that understand that, but how to take or democratize virtual CSOs, uh, or cybersecurity compliance, uh, uh, uh, consultancy to most of the customers. And this is, Yeah, David, I'm really glad you said it, Ned, I'm gonna ask you this question. I think, look, you know, for years we've relied on the all in model, right?
In other words, it's 200, it's 300 a seat, and that's what we do, and this is what we do, and that's it. And I think what we're seeing, and, and I mentioned this book often on different podcasts and things like that, which is the jolt effect. Um, take a look at it. But basically what, you know, it talks about is 60% of all qualified deals are lost to no decision.
And I think the role of the vcso is critically important because in order to win deals, we have to de-risk, people aren't making decisions 'cause they don't see that they need something. People are making, not making decisions because of fear of being wrong. And a good vcso can go in and say, Hey, look, you know, uh, maybe this other MSP is driving you towards spending three 50. Let's take a step back. Let's take a lower risk step. Let's look at, you know, what's driving revenue.
Let's walk through a risk assessment. And even if we don't do business, at the end of the day, you're gonna have a bonafide understanding of these critical functions in your business, the critical data, the critical outcomes, blah, blah, blah, blah, blah, blah. And you can use this document. What are your thoughts on that role? Like the, the importance of the vcso in that capacity and how the kind of the sales model is changing, um, in, in, in, in our world? Yeah. I love this question.
Um, as Brian and David were talking, and then when you asked this question, the thing that kept going on in my head is, does your prospect or client see you see you as a salesperson? Is your vcso coming across as a salesperson? If you switch the conversation to discuss risk and have a business conversation? And I agree about having your vcso as part of the pre-sales process. One, because you're evaluating risk. 'cause you're taking on a certain amount of risk when you take on that client.
Um, and, and you're also, um, they're getting a sneak peek of what that relationship is gonna be like. This is the expertise that the vcso that will be taking care of you will bring to your organization. That gives them a lot of confidence. Mm-hmm. Yeah. And you're, you're, you're asking different questions too during that presales process, right?
And this is a five minute conversation to understand, Hey, I just talked to this company and 80% of the revenue is from transaction processing fees, right? And now I, a lot of my communication can be targeted towards that 80% of transaction processing fees, as an example. Yeah. Good stuff. Yeah, absolutely. Good. Go ahead. Uh, Phyllis Yeah, I'm just gonna in for time's sake, David, I'm just gonna ask you quickly.
Um, so what do you, so from your perspective, what's a great first vcso conversation look like and what frameworks or assessments, um, really help anchor that value early on? It starts with a CIS Sorry. Exactly. I mean, not to, not to leave the witness, but I'm kidding. Yeah, actually, we, um, when we start an engagement, I think that it's important to follow any, um, framework. Um, and I think that I like, I I, I like the CIS and when we talk about this, the, the, the cyber journey.
I think CIS, uh, implementation group one, start with that and then continue to, uh, to the second and, and the third. Um, but what we see, the, the, the starting point of, uh, a good engagement is, uh, finding the right first customers and then, um, doing the, the risk assessment and the risk as assessment can, uh, uh, or posture assessment, it can compose of, uh, uh, CIS or NIST or, or, or nothing, but understand your gaps and, uh, and have your first customers, uh, get your, get your gaps.
Then doing the roadmap in order to, uh, uh, to find, uh, you know, how to solve the gaps. Usually when, uh, we, we, uh, uh, we join the partners, our partners, MSPs starting to, uh, to provide those services. They usually bundle the, uh, first the, the software with some, uh, services hours could be two hours a week, it could be four hours a week, depends of the, the type of the customer. And then it's the, the big decision is how to bundle the, the, the virtual CSO service.
Is it a separate, is it part of the, uh, managed services? And, uh, we see different, uh, um, different MSPs with different, uh, different motions. Uh, I think what is really important is to, uh, to create this, uh, transparency between the virtual csaw and the customer. And we see it with, uh, looking together on a dashboard on, uh, or a report.
And I think, and we, we see it a lot of times that this virtual csaw engagement and that, uh, uh, started a conversation which related to risks and to your cyber posture and gaps. It helped the virtual CISO and the partners and the customers to understand what is the next steps. And then it, it helped the MSPs, of course, to close more deals, because when you have gaps, you have more revenue, uh, you, you have a better conversation with your, with your customers.
And, uh, when we speak with a successful MSP with tsunami, um, they saying, yeah, we, we now we can provide virtual CISO at scale. Now we can help more customers, but now we do more business and it's easier for us to convince the customers to, uh, to add more cybersecurity services, small tools, because we have a different, uh, I think that we talked about that we have a different type of conversation.
It's related to business, it's related to risks, and now it's easier for us to take our customers to the next stage. Now did you, did you have models over the years? You've been doing this a long, long time where you wish you like, oh gosh, I wish we had did this differently. And then what have you learned over the years? Like has there been a sweet spot now of how you approach it?
Yeah, I think a lot of the mistakes could fall under the ca two categories of under providing and over providing, um, because I think most MSPs have some sort of an ICP, their average client fits a certain profile. And if you build a VCSO program that is just doing the basics, right? The clients aren't gonna see the value and they're always gonna want more.
And if you say, well, okay, well, we've been providing, you know, some level of security advising for you, um, and, but now we want you to buy your premium package, like, wait a minute, what were you doing for me before that you're not doing now, right? That you're now telling me, I thought you were doing all this. Right? And we hate that question as an MSP, we fear that question. We will avoid conversations for fear of that question.
And the other one is, um, making a program that has every single thing in it that every client needs to have, but they're not ready to pay for. So you're either underpricing yourself or overpricing yourself. So the client isn't happy in either situation. So I think, um, the sweet spot right in the middle is evaluating where your clients are. And this is something that you can do internally at the MSP level to see where your clients are and where they really need to go.
And from that, build out what your program is gonna be. We all have those outliers, we have those tiny little clients, and we have the, the few big ones, but the majority of your clients is really what your program needs To be. Yeah. So that's great net. Brian, just real quick to you, you, the rollback time, you have my, you know, your MSP MyTech, which was, you know, very, which were a formidable player in Phoenix.
Um, and how might you handle that when like, Hey, Brian, I thought you were doing this, why weren't you doing this all along? Like, any thoughts on how you'd approach that? If, if you could roll back time and you were stuck, you know, you got into one of those conversations. I, Yeah, I, I think that happens oftentimes when we don't have our service catalog very well defined to net's point. Um, we have these all, you can eat things, um, which really confuse everybody, right?
And, and I, I think back in the day it was selling, you know, free paid blocks of hours. That is for, hey, you can use these for anything you want, right? And then it is just confusing. So I think the better you can get and the tighter you can get on your, your service catalog and, and the menu of services you have, or if you bundle them, um, you can say what's included, but more importantly, what's not included.
And that's why what I really like doing these days is on, uh, CMCs forcing this maturity in some of the MSPs that are playing in that space to have what's called a shared responsibility matrix. So I think having a shared responsibility matrix to say, Hey, here's the things by this bundle. Here's the things that we're providing right for you, and here's the things we're not providing for you, and here's the things that we're gonna share responsibility on.
So I think having those kinds of shared responsibility makes a clear service catalog that accordion of services well-defined, and then, uh, better contracts and agreements help kind of get rid of some of that ambiguity and confusion. So a contract, like if you're in the throes of it today, basically make sure you have a good shared responsibility model on. That's Where I would start, Matt, Contract renewal. Make sure you're resetting expectations.
Yeah, that WA wasn't really a thing at the time. I had the MSP, I mean, we talked a little bit about it, but it's not like to the forefront now. Now it is with, uh, again, CMMC is really pushing a lot of that, but I think it's good for any MSP to have a a, a CR S RM or whatever you wanna call it, Eric, Eric Woodard does it around CIS. He's like, these 40 controls are mine. These, I think it what, 16 or yours, Phyllis. And then he talk, goes through the, an IG one he goes through.
Um, you know, that. So we've, we've talked about that, and you can find that a lot in some of the podcast work we've done. Okay. So where are we back to Nette for a, a question or two to, I mean, we're, we only have four minutes left. Andrew, You wanna, do you wanna, do you wanna sing for us Phyllis or anything? I Think about it, I was thinking about it. My second career is gonna be a rockstar, so Yeah. Yeah. That would be the best close ever, I think on the call.
Well, I let, let's go with this one to both David and Brian. 'cause this is, you know, I think this is the, the number one thing on MSP's mind because Brian, you brought it up. It's like you got your, you've got your sweet spot. Like they're regulated, they're gonna get audited. They, that is not a, I'm not saying it's not an easy conversation, but that's a conversation you can dig into. I'm regulated. Yeah, I know. I've got things I do.
The, the one that I want to bounce off you and David in closing, is how do you sell your non-regulated customers in that sweet spot? Right? What do, what, what are you focusing on? Let's start with you, David, and then go to you, Brian, and give you each about a minute each. David, over to you. Yeah, so, uh, so I guess regulation, uh, it's all about, um, being compliant, right? And when we talk about risks, it's different.
So I guess that trying to take this conversation into these are your risks, these are your gaps. This is one thing. I think that, uh, talking about insurance is another factor that, uh, might be relevant in other, in cases which are not regulated. And the third one is, uh, third party risk assessment. And maybe the bus, the other businesses that require you to be talked to or to be ease o or anything like that, or even to show them that you are secured.
So I think, uh, trying to understand the other business, uh, related things, which are not regulation. It's, uh, it's harder because regulation, I think it's, uh, from SMI, Portugal, 50% of, uh, it's drives from regulation, but 50% are not. And I think it's, uh, it's, it's, it's possible in this expanding. Brian, over to you. What about third party risk management, kicking it off there? And is, is that a place to look and what would you recommend?
Yeah, Or just real quick, why is a business in, in business, why is a organization in business Hopefully to make money? Correct. Okay, so if, if you can educate and inform your client that, hey, the vulnerabilities aren't theoretical, these aren't risks that are out there in the ether. These are connected to how you make that money.
You mentioned that you have two or three critical business functions and we need to secure those business functions, or you're, you know, you're, you're not gonna realize that that revenue, right? So you're protecting revenue. You're not like defending a framework or having that kind of conversation 'cause it's not relevant to them. But how they make money is, and those critical business functions, keeping those running and humming are important.
And if you can articulate and find out what those, those pressure points are, I think that's the gold. And when you talk about third party risk management, there is this, you cannot, as any organization out there, whether you're in a regulated industry or not, nothing builds trust faster with your new clients, right? We look at Amazon and before we buy something on Amazon, we look at the reviews, don't we? Oh, I like that they have 5,000 reviews and five stars. That's awesome.
Same kind of thing. A third party attestation or certification, you get to it for a client, it enables them, right? It removes friction in their sales process. And I think having those requires a vcso or, or some sort of leadership to lead them on that compliance journey. Again, as a business enabler, greasing the wheels of sales. Really good. I like, I like, like the way you closed that out. So, um, we'll be looking for all your five star reviews out there.
Make sure you get those up on your website, um, for sure. But, uh, so, um, in closing things out, um, thanks first off to our, all our attendees and in the audience, great chat this week. Really appreciate your support. We had a great turnout today. David, thanks for joining us for our first time. You're fantastic. Brian, as always, we really appreciate you coming on sharing your wisdom net as well. Um, and Phyllis is always good to see you.
Wishing everybody a fantastic week ahead and, and stay tuned. We'll have this out on podcast, uh, probably tomorrow. So, uh, make a great day, everybody. Take care. Bye Now. Thanks all. Bye bye. Bye.
Related Videos

The Vulnerability Crisis No One is Funding
The Vulnerability Crisis No One is Funding

The Vulnpocalypse Is Here & Your MSP Can Survive It
The Vulnpocalypse Is Here & Your MSP Can Survive It

The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois
The CyberCall: The 2026 Verizon DBIR Unpacked with Author Philippe Langlois