MSSP, MSP, Managed Security Services, vCISO, Generative AI

vCISO Demand is Surging – Here’s How MSSPs and MSPs are Stepping Up

As the demand for virtual CISO capabilities among enterprises and SMBs continues to ramp, MSSPs and MSPs are moving fast to add this service to their offerings and fill that gap.

Those were among the key findings in Cynomi’s 2025 State of the vCISO Report released last week. In a survey of 200 security leaders with security services providers, Cynomi highlighted that the high demand for vCISO services grew from 75% in 2024 to 79% this year; when combined with moderate demand, that number jumped to 96%.

"This trend signals that structured, ongoing cybersecurity support is becoming a standard client expectation, and service providers that delay may risk falling behind,” the report’s authors wrote.

That said, the trend is leaning heavily toward both MSSPs and MSPs adopting and offering vCISO services. 67% of those surveyed stated that they are offering these services, compared to only 21% of the surveyed last year. This indicates that not only is the demand surging, service providers are also following through on their last year's intent. Back in 2024, 74% of those not yet offering vCISO said they planned to by the end of this year, and many clearly did.

More vCISO Service Adoption Coming

This trend is likely to continue. Among the providers that don’t offer vCISO services now, nearly half plan to do so before this year is over and another 27% are targeting 2026 as the time they’ll add it to their services portfolios. Only 3% say they have no such plans at all.

There’s been a clear shift in the mindset of organizations – particularly smaller ones – when considering using a vCISO service, according to Rotem Shemesh, Cynomi’s vice president of marketing. Earlier, SMBs tended to embrace vCISO services after a data breach or compliance scare. Increasingly, the driver is “strategy, not panic,” Shemesh told MSSP Alert.

"There’s increasing regulatory pressure, tighter cyber insurance requirements, and rising board-level awareness that cybersecurity is core to business resilience,” he said. "SMBs are recognizing that strong cybersecurity management and leadership can bring structure, visibility, and executive-level guidance to their business and that’s exactly what’s needed to mature their posture and grow with confidence.”

In addition, more SMBs want to be proactive about security, not just compliant, and vCISO services help them get there, he said.

Three Growth Drivers

However, the growing demand among SMBs and other organizations is only one of three reasons why service providers are quickly adding vCISO services to their lineups. The role of MSSPs and MSPs is also evolving - from technical support to trusted advisors.

“MSPs and MSSPs are actively looking to grow, and they want to grow in cybersecurity,” Shemesh said. “It’s a high-value, high-need area where they can move up the value chain. At the same time, they’re seeking ways to differentiate from their competitors.”

The third reason is the role of AI and purpose-built technology.

"The tools are here,” he said. "Platforms like Cynomi make it feasible to deliver high-quality vCISO services without needing a large internal team. With automation handling the heavy lifting, even smaller providers can now scale these services efficiently. The barriers to entry are much lower.”

AI Puts Its Stamp on vCISO Services

Of the service providers offering vCISO services now, 81% are using AI or automation in delivering the services and 15% plan to adopt them in the next 12 months, according to Cynomi’s report. It shows that AI use is shifting from experimental to operational, with the MSSPs and MSPs that offer AI-powered vCISO services realizing its value - from saving time to scalability to efficiency.

Overall, 95% of survey respondents stated that AI can enhance their services, with half strongly agreeing. About 46% said they see value in compliance readiness, task prioritization (40%), client communication (39%), and risk or security assessment (37%).

More than half of MSSPs and MSPs surveyed use AI-based tools for security and compliance, and 44% plan to adopt them by the end of next year. Only 1% have no plans to implement AI.

"Looking at the vCISO practice, there are a lot of improvements that can be done using AI, starting with CISO-level knowledge, all the way to automation of the many manual repetitive tasks that are part of the vCISO’s day-to-day work,” Shemesh said. “We're already seeing growing interest in predictive risk modeling, automated roadmap generation, and AI-guided client communication. I believe that in the next few years, AI will be what allows vCISO services to scale without compromising quality, especially for MSPs and MSSPs juggling multiple clients.”

Improvements Being Made

According to the survey results, service providers are seeing AI or automation enhancing in their operations. Respondents said that using AI has led to an average reduction in their security and compliance workloads of 68%

Shemesh said the maturing vCISO market is at a “tipping point.” It no longer just nice to have or an experiment for early adopters. Instead, it’s become an expected service.

“At Cynomi, we expect to see more managed service providers expanding into vCISO services and more bundled offerings,” he said. “For example, vCISO plus compliance plus cyber insurance readiness, or managed cybersecurity plus vCISO. We are also expecting a continued expansion into smaller MSPs who are now equipped with the tools to deliver strategic cybersecurity services.”

The Israeli startup earlier this month added automated business impact analysis (BIA) and business continuity planning (BCP) to its vCISO platform after raising $37 million in Series B funding in April.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.

You can skip this ad in 5 seconds