How to Build a vCISO Practice From Your Existing MSP Stack

Scopable Team | 15 min read

Most MSPs are already doing pieces of vCISO work. They run gap assessments, answer cyber insurance questionnaires, explain MFA exceptions, review backup risk, and build security slides for QBRs.

If you are searching for how to offer vCISO services MSP clients will actually pay for, the problem probably is not raw capability. The problem is packaging. Security leadership gets buried inside vCIO, account management, or "included strategic guidance," then everyone acts surprised when clients treat it like free advice.

That is the trap. A tool subscription is not a vCISO practice. A quarterly security slide is not a vCISO practice. A tech lead saying "you should probably turn on MFA" is useful, but it is not executive security leadership.

A paid vCISO practice needs scope, price, cadence, documentation, and a clear line between technical operations and governance. It also needs restraint. Some MSPs should not sell full vCISO yet. Managed compliance, partner-led delivery, or fixed-scope assessments may be the safer first step.

How can an MSP offer vCISO services?

MSPs can offer vCISO services by packaging security assessments, risk registers, policy ownership, compliance tracking, incident response planning, and executive reporting into a monthly retainer. The service should sit above managed IT, not inside the help desk. The MSP sells ongoing security leadership, not another monitoring tool.

vCISO vs. vCIO, because clients will blur this if you let them

A vCIO owns technology strategy. A vCISO owns security risk.

Those sound related because they are. They should also be priced, staffed, and sold differently. If you sell vCISO as "vCIO with security slides," clients will not pay real advisory rates. They will see it as another QBR deck.

| Service | Owns | Typical buyer | Deliverables | Pricing logic |
| --- | --- | --- | --- | --- |
| vCIO | Technology strategy, budget, lifecycle planning | Owner, COO, finance lead | Technology roadmap, budget plan, vendor review, QBR | Often included in managed services or sold as a strategy retainer |
| vCISO | Security leadership, risk, compliance, incident readiness | CEO, compliance lead, board, risk owner | Risk register, policy library, control roadmap, IR plan, security reporting | Monthly retainer tied to advisory scope and regulatory pressure |

The vCIO conversation sounds like: "Here is your lifecycle plan, budget, and systems roadmap."

The vCISO conversation sounds like: "Here are the risks you are carrying, the controls that need decisions, the evidence we have, the gaps we do not have permission to fix, and the business owner accepting each risk."

That distinction matters. A vCIO can recommend replacing a server. A vCISO has to explain why a missing incident response plan, shared admin account, or untested backup could become an insurance, compliance, or board problem.

If your current strategy motion is weak, fix that first. Start with vCIO pricing and scope before adding security liability to the pile.

What a vCISO engagement actually includes

A real MSP vCISO package is not unlimited security advice. It is a defined governance layer.

1. Initial security assessment

Start with an assessment that matches the client's actual driver. Use NIST CSF 2.0 for general maturity, CIS Controls for practical security hygiene, HIPAA for healthcare, CMMC for defense supply chain clients, SOC 2 for SaaS, or cyber insurance readiness when renewal pressure is the trigger.

NIST describes the Cybersecurity Framework as a way for organizations to better understand and improve cybersecurity risk management. That makes it a clean starting point when the client does not have a framework requirement yet.

The output is not a scary PDF. The output is a prioritized gap list, a risk register, and a 90-day roadmap.

2. Risk register ownership

The risk register is where the vCISO practice becomes real.

Each risk should have:

  • A plain-English description
  • Business impact
  • Likelihood and severity
  • Mitigation owner
  • Due date
  • Status
  • Accepted risk decision, if the client refuses remediation

This is also where MSPs need discipline. If a client declines MFA for privileged accounts, refuses backup testing, or will not fund EDR, do not bury that in a ticket note. Document it, assign the business owner, and capture acceptance. Read the MSP compliance liability guide before you start making promises your MSA does not support.
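As an added illustration (this is not the article's or Scopable's code), here is a minimal risk register in Python that carries the fields listed above and turns them into the view an executive review needs: open risks ranked by score, overdue mitigations, accepted risks whose sign-off has lapsed, and entries missing an owner, due date or acceptance record. All entries, names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Constructed example for this article (not Scopable's code): a risk register
# entry carrying the fields listed above, plus the checks that keep it defensible.
@dataclass
class Risk:
    rid: str
    description: str        # plain-English description
    impact: str             # business impact
    likelihood: int         # 1 (rare) .. 5 (expected)
    severity: int           # 1 (minor) .. 5 (critical)
    owner: Optional[str]    # business owner of the mitigation
    due: Optional[date]     # remediation due date
    status: str             # "open", "in_progress", "closed" or "accepted"
    accepted_by: Optional[str] = None  # who signed off if the client declined remediation
    expires: Optional[date] = None     # when that acceptance must be re-decided

    @property
    def score(self) -> int:
        return self.likelihood * self.severity

def validate(risk: Risk) -> list[str]:
    """Return the documentation gaps that would leave the MSP holding the risk."""
    gaps = []
    if risk.status != "closed" and not risk.owner:
        gaps.append("no business owner assigned")
    if risk.status in ("open", "in_progress") and risk.due is None:
        gaps.append("no due date")
    if risk.status == "accepted" and not (risk.accepted_by and risk.expires):
        gaps.append("accepted risk without approver or expiry")
    return gaps

def executive_view(register: list[Risk], today: date) -> dict:
    """What the client owner must see: decisions and movement, not tool output."""
    active = [r for r in register if r.status in ("open", "in_progress")]
    return {
        "open_by_score": sorted(((r.rid, r.score) for r in active), key=lambda t: -t[1]),
        "overdue": [r.rid for r in active if r.due and r.due < today],
        "acceptances_due": [r.rid for r in register
                            if r.status == "accepted" and r.expires and r.expires <= today],
        "undocumented": {r.rid: g for r in register if (g := validate(r))},
    }
SAMPLE = [  # constructed sample entries
    Risk("R1", "Privileged accounts without MFA", "Admin account takeover",
         4, 5, "COO", date(2025, 3, 31), "open"),
    Risk("R2", "Backups never restore-tested", "Ransomware recovery may fail",
         3, 5, None, None, "open"),
    Risk("R3", "Client declined EDR on shop-floor PCs", "Undetected malware on those hosts",
         3, 4, "CEO", None, "accepted", accepted_by="CEO", expires=date(2025, 1, 1)),
]
if __name__ == "__main__":
    for section, items in executive_view(SAMPLE, date(2025, 4, 15)).items():
        print(section, items)
```

Run as-is to see R2 flagged as undocumented (no owner, no due date) and R3 surfaced as an acceptance that must be re-decided, which is the "accepted risk review" item the quarterly cadence later in this article calls for.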

3. Policy and procedure ownership

A vCISO package usually owns the policy layer: acceptable use, access control, incident response, vendor access, backup, data handling, and security awareness.

"Owns" does not mean your MSP makes every business decision. It means you maintain the structure, surface gaps, recommend updates, and make sure the client knows what they approved.

4. Compliance program management

For regulated clients, the work becomes recurring. Evidence review, gap remediation tracking, framework mapping, audit prep support, and exception handling all need a cadence.

That does not mean every MSP should become a compliance firm overnight. If you are still learning scope discipline, start with managed compliance services or a shared responsibility matrix before selling a full vCISO retainer.

5. Incident response planning

A written incident response plan is not decoration. It should name roles, escalation contacts, legal and insurance contacts, client decision makers, communication rules, and recovery priorities.

CISA's #StopRansomware Guide recommends offline, encrypted backups, regular backup testing, and a basic incident response plan with communications procedures. Those are exactly the kind of practical controls a vCISO engagement should keep alive, not file away after onboarding.

6. Executive reporting

This is the part clients actually remember.

A vCISO review should show risk movement, open decisions, remediation progress, accepted risks, budget needs, and the next quarter's priorities. It should not be a tool dump. The client does not need twelve screenshots from EDR. They need to know what changed, what still matters, and what decision they have to make.

Scopable fits here as the structured assessment, GRC, roadmap, and reporting layer. Use it to turn assessment findings into a client roadmap, track open risks, tie security work to budget, and give the executive review something more useful than a pile of exported dashboards. If you want to test that workflow with real client data, start with Scopable early access.

Why 2026 makes this easier to sell

Do not lead with fear. Lead with the business pressure the client already has.

Cyber insurance is asking for evidence

Cyber insurance underwriting has become much more specific. Coalition lists MFA, cybersecurity training, backups, identity access management, data classification, EDR, incident response plans, and security risk assessments among common cyber insurance requirements and controls. GetCybr's 2026 MSP guidance says insurers commonly ask about MFA, EDR, privileged access, vulnerability management, incident response, email security, and backup evidence.

That maps neatly to a vCISO engagement. The insurer asks for proof. The MSP runs the assessment, records gaps, builds the remediation plan, and keeps the evidence organized.

CMMC is moving into contracts

DoD's CMMC program at 32 CFR Part 170 applies to contractor information systems that process, store, or transmit FCI or CUI. The 2025 DFARS final rule says the contracting officer will not award a covered contract when the offeror lacks the current CMMC status required by the solicitation for the contractor systems that process, store, or transmit FCI or CUI.

The effective date for that DFARS rule is November 10, 2025, with a phased implementation approach. For MSPs serving defense contractors, this is not a generic security pitch. It is contract eligibility work. If you support those clients, read our CMMC 2.0 guide for MSPs before you sell anything.

HIPAA is signaling more documentation pressure

HHS issued a HIPAA Security Rule Notice of Proposed Rulemaking to strengthen cybersecurity protections for ePHI. Treat it as proposed until finalized. Do not sell it as current law.

The HHS fact sheet says the proposal would require, among other items, written documentation of Security Rule policies, technology asset inventory and network map updates at least every 12 months, more specific risk analysis, written incident response procedures, contingency planning, and annual compliance audits.

That is planning fuel for healthcare MSPs. It is also a warning. HIPAA advisory work has liability. If you do not understand business associate obligations, scope boundaries, and client responsibilities, start with HIPAA planning for MSPs before calling yourself a vCISO.

AI governance is becoming another client question

Clients are asking who can use AI tools, what data can go into them, and how approvals work. That is not a settled compliance mandate for most SMBs. It is still a governance question. A practical vCISO can help write the usage policy, assign data handling rules, and make sure the client does not paste customer data into whatever app looked clever on a Tuesday.

How to price vCISO services

Do not sell vCISO hourly unless it is a one-off advisory call. Ongoing vCISO work should be a monthly retainer with a defined scope.

SideChannel's 2026 pricing guide says many mid-market vCISO retainers run $3,000-$12,000 per month, with regulated industries or organizations under active audit often at $10,000-$20,000 per month. Cynomi lists common models as hourly at $200-$300, monthly retainers from $2,600-$20,000, and project-based work from $5,000-$50,000 or more.

Use those as market references, not a price sheet to copy.

| Package | Typical client | Included scope | Pricing guidance |
| --- | --- | --- | --- |
| Starter vCISO | SMB with cyber insurance or light compliance needs | Annual assessment, quarterly risk review, policy refresh, cyber insurance questionnaire support | Around $2,500-$5,000 per month if scope is tight |
| Core vCISO | SMB or lower mid-market with recurring risk and compliance work | Monthly risk register review, quarterly executive reporting, IR plan ownership, roadmap updates | Around $5,000-$10,000 per month |
| Regulated vCISO | Healthcare, finance, defense supply chain, or audit-heavy client | Framework mapping, evidence review, board reporting, auditor support, tighter governance cadence | $10,000-$20,000 per month when scope and risk justify it |

Price from four inputs:

  1. Scope: How many frameworks, meetings, policies, reports, and evidence reviews are included?
  2. Delivery hours: Who actually does the work, and how many hours per month will it take?
  3. Risk: Are you advising a regulated client, a cyber insurance renewal, or a client with board reporting pressure?
  4. Decision access: Are you talking to the owner and risk owner, or are you stuck with a ticket contact who cannot approve anything?

The last point is underrated. If the client will not give you access to the decision maker, they are not buying vCISO. They are buying security chores.

The tooling you probably already have

Most MSPs do not need a totally new stack to start. They already manage the technical foundation:

  • RMM for endpoint visibility and patching
  • Microsoft 365 or Google Workspace for identity, email, and access controls
  • EDR or MDR for endpoint detection and response
  • Backup and DR tooling for recovery evidence
  • PSA for tickets and recurring work
  • Documentation system for policies, assets, and procedures
  • Scopable for assessments, GRC tracking, roadmaps, and executive reporting

The mistake is thinking those tools equal a vCISO practice.

They do not. Tools produce signals. vCISO turns those signals into decisions: which risk matters, who owns it, what it costs to fix, what happens if the client refuses, and how that decision gets reported.

That is why a vCISO package has to sit above managed IT. Your service desk can close the MFA ticket. Your vCISO process explains why the MFA exception exists, who approved it, and when it expires.

Three-phase rollout plan

Do not launch this across your entire base next week. That is how MSPs create a service they cannot deliver.

Phase 1: Productize the assessment

Start with a fixed-scope security assessment for 5-10 existing clients.

Deliverables:

  • Current-state assessment
  • Risk register
  • Control gap list
  • 90-day remediation roadmap
  • Cyber insurance or framework mapping, if relevant
  • Executive summary for the business owner

Charge for it. Even if you discount the first few, do not call it free. Free assessments teach clients that your advisory work has no value.

Use this phase to learn your delivery cost. Track hours. Track which questions stall. Track where clients refuse remediation. If every assessment takes three times longer than expected, your retainer price is not ready.

Phase 2: Convert the right clients to a retainer

After the assessment, sort clients into three buckets:

  1. Ready for vCISO: They have executive access, budget, risk pressure, and willingness to make decisions.
  2. Better fit for managed compliance: They need recurring help, but not full security leadership.
  3. Not ready: They want someone to absorb liability without changing behavior.

Only sell the retainer to bucket one. Bucket two can use a tighter MSP compliance pricing model. Bucket three gets documentation, declined-risk notes, and maybe a referral.

The retainer should include a monthly or quarterly cadence, defined deliverables, response expectations, excluded services, and decision rights. Auditor fees, penetration tests, legal review, incident response forensics, and implementation projects should be separate unless you have priced them explicitly.

Phase 3: Build the operating rhythm

Once you have a small book of vCISO clients, standardize the rhythm.

Monthly:

  • Review open risks
  • Check remediation status
  • Update policies and exceptions
  • Review evidence gaps
  • Prepare decisions for the client owner

Quarterly:

  • Executive security review
  • Roadmap update
  • Budget discussion
  • Accepted risk review
  • Incident response or tabletop planning, when included

Annually:

  • Full reassessment
  • Cyber insurance renewal support
  • Framework review
  • Policy refresh
  • Service scope and price review

This is where margins improve. You are no longer inventing the service from scratch for every client. You have a repeatable delivery model, not a pile of heroic one-off effort.

Who should not sell vCISO yet

This is the uncomfortable part.

Do not sell full vCISO services if:

  • Your MSP cannot separate security advice from help desk work
  • You do not have someone who can talk risk with a CEO or board
  • You cannot document client decisions and declined recommendations
  • Your contracts do not define advisory scope and liability
  • You lack E&O or cyber coverage that fits advisory services
  • You do not know the difference between operational control work and governance
  • You are hoping a GRC tool will make you qualified

That last one matters. Software can structure the work. It cannot make security judgments for you, and it cannot carry professional liability on your behalf.

If you are not ready, there is still a good path: sell fixed-scope assessments, managed compliance, cyber insurance readiness, or partner-led vCISO. You can build capability without pretending you are already a fractional CISO firm.

Common mistakes MSPs make

Mistake 1: Calling every security conversation vCISO

A firewall review is not vCISO. A one-time questionnaire is not vCISO. A security page in the QBR is not vCISO.

Use the name only when the client is paying for ongoing security leadership, risk ownership, and reporting.

Mistake 2: Pricing below the delivery cost

A $1,500 monthly retainer sounds attractive until your senior engineer spends 14 hours preparing the review. Track the work before you set the price.

Mistake 3: Accepting liability without decision rights

If the client will not let you speak to the business owner, document accepted risk, or influence budget, do not accept vCISO responsibility. You cannot own security leadership from the passenger seat.

Mistake 4: Hiding behind tools

Clients do not pay vCISO rates for a portal login. They pay for judgment, structure, and decisions. If the portal is the service, the retainer will not last.

Mistake 5: Skipping the shared responsibility matrix

Every regulated or insurance-driven engagement needs clear responsibility boundaries. Who owns MFA enforcement? Who owns employee training? Who approves exceptions? Who tests backups? Who signs off on accepted risk?

If that is vague, you are building a future argument.

A simple starting offer

If you want the cleanest first offer, start here:

vCISO Readiness Assessment

  • Fixed fee, usually $5,000-$15,000 depending on size and scope
  • NIST CSF 2.0 or cyber insurance readiness baseline
  • Risk register and control gap list
  • 90-day remediation roadmap
  • Executive readout
  • Recommendation on whether the client is a fit for Starter, Core, or Regulated vCISO

This offer is honest. It does not require you to sell a full retainer before you know the client's state. It creates a paid entry point. It gives the client a useful artifact. It also protects you from signing up for vague ongoing advisory work with no boundaries.

From there, the retainer becomes the obvious next step for the right clients: keep the risk register current, manage the roadmap, prepare executive reporting, support insurance and compliance evidence, and keep security decisions from disappearing into ticket notes.

That is the practice. Not another tool. Not another line item hidden inside managed services. A defined advisory service with real scope, real pricing, and enough honesty to tell some clients no.
