Cynomi has spent the better part of 2024 detailing the needs of smaller enterprises for high-level cybersecurity expertise and evangelizing the advantages of embracing the idea of virtual CISOs (vCISOs), security professionals who serve as consultants to companies rather than sit as full-time executives on a company's management team.
It’s not surprising the four-year-old startup is making this push: It provides an AI-powered vCISO service that MSSPs and MSPs can offer to their small and midsize enterprise (SMEs) customers as a service. That said, what Cynomi executives are seeing is a surge now and anticipated demand for vCISO services that is likely to continue into 2025.
In a survey of 200 MSSPs and MSP executives released in early September, Cynomi found that 21% offer vCISO programs now and that almost 98% expect to provide them, including 39% that said their vCISO service were coming by the end of this year.
In addition, 94% said they were seeing demand from customers for vCISO services, and 59% of service providers that added such programs increased revenues and margins.
More recently, the company asked industry experts what they expect for vCISO demand in the coming year as organizations continue to contend with increasingly complex cyberthreats, more government regulations, and a widely distributed business environment that includes more workloads and data going to the cloud.
“For many organizations, the growing cybersecurity threat landscape, coupled with increasing compliance demands, has made a strategic cybersecurity approach not just beneficial but essential,” Cynomi co-founder and CEO David Primor told MSSP Alert. “Yet, these organizations often lack the resources for a full-time, in-house CISO. This is where vCISO services come into play, offering a scalable, cost-effective solution for businesses to achieve enterprise-level cybersecurity guidance.”
Demand for vCISOs is Growing
A key part of the cyberthreat landscape includes the growing as-a-service trend among cybercriminal groups and their expanding use of AI in their attacks, according to Nett Lynch, CISO at managed IT services provider Kraft and Kennedy.
“Ransomware-as-a-service has made it so a threat actor doesn’t need technical skills,” Lynch told Cynomi. “They can sign up, get the tools, support, and even instructions on how to breach specific companies. It’s a whole industry now.”
Carlos Rodriguez, founder and CEO of cybersecurity testing firm CA2 Security, said he sees an expanding role for vCISOs in strategic risk management and AI readiness, adding that “these shifts will require vCISOs to be very creative and deeply attuned to both organizational needs and industry-specific challenges.”
A Growing and Crowded Market
Cynomi isn’t the only game in town. The list of vCISO platform providers includes such firms as RapidFireTools, Drawbridge, CISOteria, and Rival Data Security, and analysts with Business Research Insights expects the global vCISO market to grow from $1.06 billion this year to $1.48 billion by 2032.
The rise of vCISOs fits in with the need for MSSPs and MSPs to move beyond traditional managed services into more strategic offerings, Cynomi’s Primor said.
“For them, the ability to deliver not just tools and monitoring but also guidance, risk assessment, and compliance expertise positions them as trusted advisors, taking them to discussions with the top management levels,” he said. “Organizations are becoming more aware that cybersecurity is no longer just a technology issue; it’s a strategic priority.”
Primor added that “for service providers, the opportunity is twofold. It allows them to offer a new service that is in high demand from their clients, and this new service will help them offer more comprehensive cybersecurity and grow their business, offering additional services and solutions.”
Cynomi’s platform includes a range of services, including assessing organizations’ security postures, creating remediation plans, finding gaps in customer cybersecurity protections, providing real-time updates, and developing status and progress reports. Its AI model is based on the expertise of real-world CISOs and automates many of the tasks they normally perform.
Businesses Looking for Unbiased Evaluations
Donna Gallaher, president and CEO of advisory services provider New Oceans Enterprises, told Cynomi that she already is seeing a growing demand among organizations for independent and unbiased evaluations of their cybersecurity programs, saying that she’s “already seen some organizations create CISO positions that report directly to the board, outside the authority of the CEO and direct reports.”
Such shifts are helping to fuel the demand for vCISO services, which Primor said MSSPs and MSPs should pay attention to.
“The key message as we approach 2025 is clear: the role of the vCISO is no longer optional for service providers; it’s a strategic necessity,” he said. “The predictions outlined [by the experts Cynomi interviewed] reflect critical shifts in cybersecurity, compliance, and client expectations that service providers and businesses need to act on immediately.”
