The vCISO Moment: Turning AI Threat Panic Into Your Most Profitable SMB Offering
Five Eyes has told boards that cyber security is now their problem — but few UK SMEs can afford a full-time CISO. Here's how MSPs can package, price, and staff a vCISO service that turns that gap into recurring revenue.
A manufacturing firm in Derby recently forwarded us an email from one of their biggest customers. The gist: prove you have proper security governance in place within 60 days, or we start looking for a new supplier. The finance director who forwarded it had no idea where to start. He didn't have a security team. He didn't have a security policy. He had a spreadsheet, a firewall someone installed in 2019, and a growing sense of dread.
That firm is not unusual. What's changed is that the pressure now comes from every direction at once — customers, insurers, regulators, and increasingly the government itself.
The warning that landed on every board's desk
In recent guidance, the Five Eyes intelligence alliance — the UK, US, Canada, Australia and New Zealand — made a point that had previously been implied rather than stated: cyber security is a governance issue, and responsibility sits with company directors, not just the IT department. The National Cyber Security Centre has been saying the same thing in plainer language for a while. Boards are expected to understand their cyber risk, ask the right questions, and be able to show they took reasonable steps.
At the same time, the threat picture has genuinely shifted. Attackers are using AI to write more convincing phishing emails, clone voices for fraud calls, and probe networks faster than before. The barrier to launching a credible attack has dropped. A criminal no longer needs perfect English or deep technical skill to fool an accounts clerk into paying a fake invoice.
So you have a genuine increase in risk, a genuine increase in accountability, and — for most SMEs — no one in the building who owns any of it.
The gap SMEs can't fill on their own
A full-time Chief Information Security Officer in the UK commands a salary well north of £100,000, often much higher in London or for anyone with a strong track record. Add pension, National Insurance and the cost of the tools and team a CISO expects to have around them, and you're looking at a quarter of a million pounds a year before they've achieved anything.
A business turning over £5 million cannot justify that. But it also can't ignore the customer demanding evidence of governance, the insurer refusing to renew without multi-factor authentication, or the director who now personally carries the reputational risk if things go wrong.
This is the gap. And it's exactly the shape of a service an MSP is well placed to sell.
What a vCISO actually does
A virtual CISO provides the strategic and governance layer that sits above day-to-day IT support. Crucially, it is not the same thing as managing endpoints or patching servers — though you may already do that for the same client. The vCISO answers a different set of questions:
- What are our biggest risks, in business terms?
- What controls do we have, and where are the gaps?
- What should we spend, and on what, and in what order?
- How do we prove to a customer, insurer or regulator that we're taking this seriously?
- Who does what when an incident happens?
In practice the role covers risk assessments, a security roadmap tied to budget, policy development, oversight of certifications like Cyber Essentials or ISO 27001, incident response planning, board-level reporting, and supplier and compliance management. It's advisory and it's ongoing. That last word matters — this is not a one-off project, and that's precisely why it works as recurring revenue.
Packaging it so people actually buy
The mistake many MSPs make is describing the service in the language of frameworks and controls. SME owners don't buy NIST CSF alignment. They buy peace of mind, the ability to keep a key customer, and the confidence that they won't be the director quoted in a breach story.
A three-tier structure works well because it lets clients start small and grow into it.
Tier one — Foundations. A quarterly cadence. Annual risk assessment, a maintained set of core policies, Cyber Essentials support, and a short board report every quarter. This suits a business that mainly needs to demonstrate baseline diligence and satisfy insurers. Think of it as the entry point for the Derby firm above.
Tier two — Managed governance. Monthly touchpoints, a live security roadmap, vendor risk reviews, tabletop incident exercises, and attendance at a quarterly board meeting. This is for firms with compliance obligations or contracts that demand real oversight.
Tier three — Embedded advisory. For larger or more regulated SMEs. Regular strategic input, support through audits and certifications like ISO 27001, incident leadership if something happens, and named involvement your client can point to when a customer asks who runs their security.
Name the tiers in plain English. Publish what each includes. The clarity itself is reassuring to a buyer who feels out of their depth.
Pricing without guessing
Price a vCISO service on outcomes and time, not on a day rate for a named person. UK MSPs typically charge somewhere between £1,000 and £2,500 a month for foundational tiers, rising to £4,000 to £8,000 a month for embedded advisory work with larger clients. The exact figure depends on the size of the client, their compliance burden and how much of your senior time they consume.
The important point is that this stacks on top of your existing managed services revenue rather than replacing it. A client paying you £3,000 a month for support can reasonably pay another £1,500 for governance — and the margins on advisory work are far better than on commodity support, because you're selling judgement, not hardware.
Anchor the price against the alternative. A £1,500-a-month service is a fraction of what a permanent hire costs, and you can say so directly on the proposal.
Staffing it when you don't have a CISO either
Here's the honest concern most MSPs have: how do we deliver this if we don't have a seasoned security leader on staff? Three routes work.
First, train from within. A capable senior engineer or account manager, backed by a repeatable framework, can deliver the foundational tiers competently. Much of the value is process and structure, not deep technical wizardry.
Second, partner. A fractional CISO consultancy can front your higher tiers under your brand while you build capability. You keep the client relationship and the recurring revenue; they supply the senior name for the board meeting.
Third, standardise everything. Build your assessment templates, policy library, board report format and roadmap once, then reuse them across every client. A repeatable methodology is what lets one experienced person oversee ten clients rather than one.
Move before the moment passes
The demand is real right now. The Five Eyes guidance gave every director a reason to ask their IT provider an uncomfortable question, and the AI-fuelled threat news gives them a reason to act rather than defer. That combination of accountability and anxiety doesn't last forever — it becomes background noise once everyone's used to it.
Start with your existing base. Send a short note explaining what board-level accountability means for them and offering a fixed-fee assessment as a way in. That assessment does two jobs: it delivers immediate value and it exposes the gaps that justify an ongoing engagement. From there, the recurring line builds itself.
The Derby firm signed a Foundations retainer within a fortnight of that customer email. They kept the contract. They now have something to point to when the next customer asks. And their MSP added a profitable, sticky revenue stream that has nothing to do with the price of a firewall.
