Growth Hack: How vCISO Services can Unlock Managed Service Provider (MSP) Success

James Mignacca
CEO
October 2, 2024

Over the last couple of years, the cybersecurity industry has witnessed ‘the great CISO resignation’ — a trend where company CISOs are stepping away from the role for a myriad of reasons, including intense pressure and expectations. This growing void has fueled the rise of the virtual CISO (vCISO), an external resource or set of resources that provides the CISO function in a fractional capacity.

When it comes to attack surface management (ASM), vCISOs play a critical role. Attack surface management focuses on identifying, reducing, and mitigating potential vulnerabilities across all assets, including networks, applications, and endpoints. The expertise of a vCISO enhances an ASM strategy by providing a comprehensive view of an organization's risk exposure, continuously identifying emerging threats, and advising on tactical responses.

As managed service providers (MSPs) expand their offerings to meet customer demand and requirements, many are turning to vCISO providers to not only harden their own ASM strategy, but also to sharpen their competitive edge.

I recently sat down with Jesse Miller, Founder of PowerPSA Consulting, and creator of the PowerGRYD vCISO System – a firm focused on helping MSPs build and improve their vCISO practices – to talk about why the vCISO is becoming more popular, and how MSPs can incorporate it into their business.

James Mignacca: We’ve seen vCISO growing in popularity in company environments for a while now, but how widely adopted are vCISO services in MSPs?

Jesse Miller: So, it's interesting, because I think this is an area where there's parity in the industry. Even bigger MSPs are on a similar trajectory; the majority haven't fully formed their service offering yet. vCISO services are still relatively new for MSPs, but they're starting to realize that their clients are asking for more than just reactive security. Cyber has moved beyond traditional endpoint and network detection—clients need strategic guidance on risk management, data protection, and regulatory compliance, all of which fall into the vCISO role. Adoption is rising, but there’s still a lot of room for growth, especially as more MSPs learn how to integrate these services effectively.

James: What challenges do MSPs have when trying to implement vCISO capabilities in their own environment, and then across their client base?

Jesse: Where to start?! [laughs] - I see a few areas. The first challenge MSPs face is operationalizing vCISO services. They often lack the processes and frameworks to deliver consistent, high-quality advisory services at scale. Many MSPs currently offering vCISO operate in reactive mode—charging by the hour and dealing with issues as they arise. It's like we've gone back to the break-fix days! This often results in client relationships that are more transactional, focused on firefighting rather than long-term planning and risk mitigation. This leads to struggles in aligning cybersecurity services with the business goals of their clients, which is critical for delivering value as a vCISO.

The second major challenge is a lack of visibility on the data they are supposed to protect. Without a clear view of data and assets, and their resulting risk, it’s impossible to make informed security decisions, perform accurate risk assessments, or create strategic cybersecurity plans. Beyond that, MSPs often struggle with scalability. Delivering vCISO services requires structured processes through the entire organization, from marketing all the way to account management to ensure profitable service delivery across multiple clients.

James: How do vCISO capabilities strengthen MSP offerings — what value does it bring to operations, customer outcomes and competitive positioning?

Jesse: vCISO services allow MSPs to become true business partners to their clients. By providing strategic cybersecurity leadership, MSPs can move beyond basic managed services and offer solutions that address the bigger picture, including long-term business risk management, regulatory compliance, and data protection. This not only strengthens customer relationships but also improves client retention and satisfaction. Clients that view their MSP as a trusted advisor, rather than just a service provider, are more likely to stay for the long haul. It also positions the MSP as a premium provider in the marketplace, opening the door to larger, more complex engagements, premium clientele, and bigger MRR numbers.

James: How can managed service providers benefit by combining an ASM technology platform like Cavelo, with strategic vCISO services from PowerPSA?

Jesse: The partnership is designed to remove barriers for MSPs looking to get started with vCISO services. Our PowerGRYD vCISO System gives MSPs the blueprint for delivering these services at scale, while Cavelo provides the technology to support data/asset discovery and protection. Together, MSPs can offer a comprehensive service that addresses the strategic, operational, and technical sides of cybersecurity without a large upfront investment. It’s a win-win that allows MSPs to enter the vCISO market quickly and effectively.

James: How does the PowerGRYD program work (from an MSP’s perspective)?

Jesse: From the MSP’s perspective, it’s a simple and structured process. MSPs who join PowerGRYD gain access to our blueprint and training for delivering scalable vCISO services. They can immediately begin implementing the structured methodologies we’ve developed, from risk assessments to performance management. With Cavelo, they can also integrate asset, data and vulnerability discovery and protection services right away — Cavelo’s platform strengthens their vCISO offering without having to build the tech stack from scratch. It’s about reducing barriers to entry and helping MSPs deliver high-value, high-margin services to their clients.

James: vCISO is a newer concept to many MSPs — where and how do they start implementing a vCISO program?

Jesse: The starting point for any MSP is understanding their client’s cybersecurity posture. This usually means conducting a risk assessment to identify vulnerabilities, compliance gaps, and areas of concern. PowerGRYD provides MSPs with the templates and workflows to conduct these assessments efficiently and consistently.

Cavelo gives them the data to be able to verify and evidence the findings with concrete data points. Once they’ve assessed the client’s risk, MSPs can start building a cybersecurity roadmap, aligning the client’s security needs with their business objectives.

From there, it’s about managing that roadmap through regular reviews and updates, which PowerGRYD helps facilitate with clear, repeatable processes, and Cavelo helps by proactively identifying risk to the client. The key is to start small, deliver value quickly, and scale from there.

James: What does the future of vCISO look like in the MSP and MSSP community?

Jesse: vCISO services will become a standard offering for MSPs and MSSPs as more clients demand reasoned approaches to their cyber investments. Regulatory demands are increasing, and cyber threats are getting more sophisticated, which means businesses can’t rely on basic cyber tools alone. MSPs that don’t adapt to offer strategic cybersecurity services will fall behind. We expect to see a shift where more MSPs evolve into full-service security providers, offering both technical solutions and advisory services. This trend will only accelerate as businesses look for partners who can help them understand their business risk through a cyber lens.

James: What advice would you give to an MSP considering vCISO programs or capabilities?

Jesse: Start small but think big. You don’t need to have a massive security team or complex strategies to begin offering vCISO services. What you do need is focus and a structured approach—clear processes, defined roles, and the ability to deliver strategic advice that helps your clients achieve their business goals.

Technology like the Cavelo platform can help with data visibility, and frameworks like the PowerGRYD give you the operational blueprint to scale these services. My advice is to first focus on building strong, long-term relationships with your existing clients through these new services, then quickly use those learnings to pivot and inform your full market attack.

Getting Started with Cavelo and Building a vCISO Program with PowerPSA

By aligning security policies with the dynamic nature of today’s threat landscape, a vCISO ensures that attack surface management isn’t a one-time project but an ongoing initiative. This continuous oversight ensures that organizations remain proactive, rather than reactive, in mitigating vulnerabilities, minimizing risks, and strengthening their overall cybersecurity posture.

Cavelo and PowerPSA are committed to helping MSPs crack the code for vCISO profits. We do this by lowering the risk and barrier for entry by creating economies of scale through our community approach, and by leveraging vendor partnerships that allow MSPs to get started without a large upfront investment, and without years of trial and error.

Schedule your free consultation today to learn how Cavelo and PowerPSA can help your firm apply vCISO services.
