Cynomi, which has been banging the drum loudly about the need for virtual CISOs since its founding five years ago, now has an
exhaustive list of the steps that MSSPs and MSPs can take to add that service to their portfolio offerings.
The checklist, published this month, begins with eight recommendations including preparing to launch vCISO services, then moves into steps for onboarding and engaging clients, follows with over a dozen tips for delivering value and building momentum, and wraps up with strategies for scaling the practice.
The demand for such a service from organizations is there, particularly among smaller businesses, according to
David Primor, co-founder and CEO of the Israeli startup, which offers MSSPs and MSPs an AI-driven vCISO platform. Service providers now need to meet that demand.
“SMBs are facing more cybersecurity threats, tighter regulations, and increased pressure from insurers and they’re turning to their service providers not just for tools, but for strategic guidance,” Primor told MSSP Alert. “At the same time, many MSSPs are telling us they want to offer these services but aren’t sure where to start. They often don’t have senior security staff on hand, and building a repeatable, scalable vCISO offering from scratch is challenging. Finding the ultimate service pricing and packaging may also be complex.”
Oursourced Security Skills
vCISOs offer businesses cybersecurity expertise and strategic guidance they cannot afford to bring in-house through a contract or as an outsourced service. In September 2024, Cynomi published a
survey that showed 21% of MSSPs and MSPs offered a vCISO program and that almost 98% expect to provide them. Of those surveyed, 39% said their vCISO services were coming by the end of 2024. About 94% said there was demand for a vCISO service from customers.
“vCISO services are quickly becoming essential for MSPs and MSSPs that want to stay competitive,” Primor said. “The message we’re sending is that it is doable, and almost any service provider can start these services. The checklist walks them through both the basics, like defining their offering, and a perspective shift: thinking and acting like a CISO, not just a technician.”
The market for vCISOs is expanding as SMBs and smaller enterprise try to navigate their way through an increasingly complex and dangerous cyberthreat environment including an expanding regulatory space. Vendors ranging from smaller companies like CyberSecOp, CisoShare, and Optiv to cloud behemoth Amazon Web Services are offering such services, and analysts with Business Research insights are predicting the vCISO global market to grow to
$1.48 billion by 2032 (from $1.06 billion in 2023).
The Money Comes In
Meanwhile, Cynomi is seeing investment money flow in. In 2022, the company pulled in $3.5 million in initial seed funding, and last year
raised $20 million in a Series A round. A Series B round last month brought in
another $37 million to expand its presence in the United States and Europe, and expand the agentic AI and automation features in its vCISO platform.
Primor said the money also would be used to expand their partnership ecosystem. The focus since the founding in 2020 has been on MSSPs, MSPs, consultants, and telcos. Now Cynomi will court other channel players, including integrators and resellers.
This comes as the company is seeing its own business grow. Primor in April said Cynomi in 2023 saw a 4.5-fold increase in annual recurring revenue (ARR) and 3X growth the year prior.
'A Big Opportunity'
By giving service providers a clear path to adding vCISO services, Cynomi aims to support organizations under pressure from both threat actors and regulators—while also fueling its own growth.
Creating such a service “may seem complex, but with the right tools and structure, it’s absolutely achievable,” the CEO said. “Our platform is designed to simplify the process, automating some of the tasks and taking users step-by-step through the strategic parts like risk assessments, policies, and remediation plans so MSPs and MSSPs can start offering vCISO services quickly, even without deep in-house expertise.’
He added that creating a vCISO service is a “big opportunity, and we’re helping service providers seize it without overwhelming their teams.”
