vCISO Services: Your Key To Landing The Lucrative Clients You Want

Every high-profile data breach—Change Healthcare, Ticketmaster, CDK Global, and most recently National Public Data—is an opportunity to tee up a vCISO conversation with clients and prospects. And offering vCISO services is the key to moving upstream and landing larger, better-funded clients.

Effective risk assessments and the thought leadership that a vCISO brings fill a critical gap that the good prospects, the ones you WANT, are looking to close. The price-quibbling three-person shops will never pay for vCISO. However, the 100-seat manufacturer or the 50-seat financial services firm is losing sleep over cyber risk.

The Risk Of Being Sued

Every business that uses third-party software or line-of-business software is at risk of being sued by its own customers. This is the problem they cannot solve with their current MSP or their internal IT staff.

Take Findlay Automotive as an example. Its customers are suing the company for damages after the ransomware attack on CDK Global, a software vendor that serves over 10,000 North American car dealerships.

Findlay can blame the vendor all day, but its customers never dealt with CDK; they shared their information with Findlay.

And it remains to be seen what the fallout will be from the breach at background check company National Public Data, which may have exposed 2.9 billion records, including names, addresses, and Social Security numbers.

The moral of the story is this: Any business that uses third-party tools and/or takes in regulated or personal information has a bigger problem than it realizes. More importantly, nobody is solving it for them. That's where you come in.

vCISO services are about risk management, and your customers and prospects undoubtedly care about their business risk.

Your Talking Points

Most small and midsize businesses do not truly understand their risk exposure when it comes to third-party tools. Start the conversation with decision makers here:

  • Does your staff perform a security assessment of third-party tools before adopting them?
  • Who's managing the patching, maintenance, and monitoring of your third-party tools and your line-of-business software?
  • Is your line-of-business software tied into your other security and monitoring tools?
  • Who's the administrator of each tool?
  • Are they making sure that multifactor authentication (MFA) is turned on for every user account in those third-party tools?

These are all functions that most of your MSP clients are not capable of doing themselves. They have either a knowledge gap or a time gap. And just because they could turn on MFA doesn't mean they're actually taking the time to do it.

Next, drill down into their liabilities:

  • Does your business take in regulated information like health data or credit card numbers? Or personal information like Social Security numbers and addresses?
  • If you're choosing to put that information in a third-party application, did you conduct a risk assessment first?
  • Does that third party have a SOC 2 Type 2 report or a FedRAMP authorization (or another attestation applicable to its industry)?
  • Did that third party provide a shared responsibility matrix when you signed up?
  • Did you agree to terms that limit the third party's liability?
  • Did you read the terms and conditions when you signed up for the software?

Stop Racing To The Bottom With Transactional Relationships

If they answer "no," "nobody," or "I don't know" to most of the above questions, you can now explain why they need your vCISO services to manage their third-party risk. For instance, as part of a risk management program, you would vet their third-party providers' security practices. If you judge a piece of software to be too high a risk, you would raise that issue with the business owner and let them make the call. The important part is making them aware. In addition, you want to ensure the third party's security practices are in alignment with the controls your customer attested to in their cyber insurance policy. You would also develop an incident response plan that addresses incidents originating at third-party vendors.

In addition, you would review the terms and conditions of their software licenses to identify what the vendor is responsible for and what the end user is responsible for, and convey that clearly to your customer so they understand where the line sits. And your team would take responsibility for ensuring that the software is configured correctly with its security controls turned on.

By the way, you should be taking all the same steps whenever you vet any software for your own MSP business.

Go Upstream With vCISO

Obviously, there is no zero-risk scenario. Even with a risk management program in place, a third-party tool may still be the source of a cyber incident. But if your customer has done everything they told their insurance company they would do, and the software was deployed properly, patched, and managed, with MFA on all user accounts, they are in a far stronger position to defend against a negligence claim if they're hit with a lawsuit and to have their insurance claim paid.

You’ll find that businesses do care about risk. If you can help the business owner make informed risk decisions, it will elevate you to a valuable advisor who can attract the clients you WANT.

Still not convinced? Ponder this: If you don’t have a vCISO offering, you’ll be stuck with cheap, low-profit clients while your competitors head upstream.  

Author:

Jon DePerro

Jon DePerro is chief compliance officer at Vector Choice, an MSP headquartered in Atlanta, and VisibilityMSP, a white glove cybersecurity and compliance service for MSPs.
