How to Make Money with Risk Management – Cyber Revenue Streams for MSPs


Introduction

There are many ways for SecurityStudio MSP and risk consultant partners to make a lot of money using our platform while, at the same time, serving our mission of fixing the broken industry. At the end of the day, making money while providing value to customers is a win/win for everyone!

Here are the best ways for MSPs and risk consultants to generate revenue streams with SecurityStudio. We’re guessing you know about many of these, but some will probably come as a surprise!

#1 – Comprehensive Security Profile (CSP)

Typical price: $2,500 – $7,000/mo.

Typical profit margin: 30% – 40%

Typical recurrence: Constant Monthly Recurring Revenue (MRR)

A great way to make money with SecurityStudio is to perform and manage a customer’s Comprehensive Security Profile.

SecurityStudio simplifies information security for everyone. Experts appreciate the comprehensive coverage and newcomers appreciate the straightforward and easy-to-understand approach. Everything in SecurityStudio is quantified using our S2Score[1], making information security easy to communicate and easy to manage.

The comprehensive information security profile consists of three perspectives, each addressed in separate but integrated modules:

  • S2Org – an information security assessment of the organization and its practices.
  • S2Vendor – the risk module to account for third-party information security risks.
  • S2Team – an assessment of personnel information security risk.

SecurityStudio’s Comprehensive Security Profile is the most comprehensive and easy-to-understand quantification of information security risk in the industry.

#2 – Four-Phase Information Security Assessments

Typical price: $5,000 – $50,000/occurrence (mostly dependent upon organization size and complexity)

Typical profit margin: 30% – 40%

Typical recurrence: Annual

Information security goes well beyond technology. Organizations that treat information security as a business issue enjoy benefits including competitive advantages, efficient business operations, enhanced customer trust, and better brand reputation (among others). S2Org fits the bill across all aspects of information security (Administrative, Physical, and Technical), without unnecessary complexity.

#3 – Administrative Security Assessments

Typical price: $1,000 – $25,000/occurrence (mostly dependent upon organization size and complexity)

Typical profit margin: 30% – 40%

Typical recurrence: Annual

These types of information security assessments leverage the power of S2Org to focus on only one aspect of information security, Administrative Controls.

An organization may only need an assessment of Administrative Controls. Choose this as a place to start their information security program to account for parts of their organization where there is some autonomy in their information security governance.

#4 – Physical Security Assessments

Typical price: $1,000 – $5,000/site/occurrence (mostly dependent upon physical location size and complexity)

Typical profit margin: 30% – 40%

Typical recurrence: Annual and as needed.

Just like using S2Org for assessing Administrative Controls (above), the same can be done for physical security. These information security assessments leverage the power of S2Org to focus on Physical Controls and safety.

S2Org is incredibly flexible and scalable, accounting for a single physical location by itself or an unlimited number of physical locations for comparison and further analysis.

#5 – Internal Technical Security Assessments

Typical price: $1,000 – $20,000/technical boundary/occurrence (mostly dependent upon size and complexity)

Typical profit margin: 30% – 40%

Typical recurrence: Annual or Quarterly

Using S2Org, the focus for an internal technical information security assessment is the Internal Technical Controls only. Internal Technical Controls are those used to protect non-public information and technical architecture.

Another way to communicate this type of assessment is, “What could an attacker do if they were already inside your network?”

#6 – External Technical Security Assessments

Typical price: $1,000 – $20,000/technical boundary/occurrence (mostly dependent upon size and complexity)

Typical profit margin: 30% – 40%

Typical recurrence: Annual or Quarterly

Using S2Org, the focus for an external technical information security assessment is the External Technical Controls only. External Technical Controls are those used to protect non-public information and technical architecture through publicly exposed information resources.

The purpose for this type of assessment is to determine how much risk there is related to what the organization has made publicly available.

#7 – Virtual Chief Information Security Officer (vCISO)

Typical price: $2,000 – $20,000/month

Typical profit margin: 25% – 40%

Typical recurrence: Constant Monthly Recurring Revenue (MRR)

This is arguably the most valuable use of the SecurityStudio platform. Customers receive the benefits of a full-time CISO at a fraction of the cost. In simple terms, a vCISO has two jobs:

  1. Consult the organization to make good information security risk decisions.
  2. Implement the organization’s information security risk decisions.

A vCISO is in the optimal position to serve customers using S2Org, the built-in roadmap functions, and the other SecurityStudio modules. To assist our partners and the information security market, SecurityStudio created the best-in-class Certified virtual Chief Information Security Officer (CvCISO) training and certification program.

SecurityStudio offers tremendous benefits for partners and customers. Once a vCISO engagement has begun, partners lock in long-term relationships with customers and no longer need to sell additional services; the SecurityStudio platform does the selling for you!

vCISO Services, the new cyber revenue stream for MSPs

Earn your CvCISO Certification and kickstart your new cyber revenue stream for MSPs – vCISO services.

#8 – Whole of Information Security Empowerment (WISE™)

Typical price: $20,000 – $250,000+/month (varies broadly, based on scope and application)

Typical profit margin: 30% – 45%

Typical recurrence: Constant Monthly Recurring Revenue (MRR)

Securing complex environments is extremely challenging, even for the most experienced information security professionals. WISE™ is a methodology developed by SecurityStudio to solve information security complexity, accountability, and governance problems (among others). The original focus for the WISE™ program was for state and local governments, so it’s a perfect fit for partners active in State, Local, Education (SLED) markets.

WISE™ is an emerging methodology and it’s new for most partners. The potential for WISE™ is immense and the market is wide open, meaning there’s no competition (yet).

#9 – Third-Party Information Security Risk Management as a Service (TPISRMaaS)

Typical price: $2,000 – $10,000+/month (varies broadly, based on scope and application)

Typical profit margin: 20% – 35%

Typical recurrence: Constant Monthly Recurring Revenue (MRR)

Third-party information security (or “cybersecurity”) risk management is a critical component of information security for every organization. Neglecting the risks related to third-party relationships is extremely dangerous, non-compliant, and reckless. Consider these credible statistics[2] from a recent study:

  • 60% of respondents experienced an IT security incident in the past two years due to a 3rd-party.
  • Supply chain visibility is more essential now than it was prior to the pandemic.
  • 76% of IT leaders and influencers rated managing 3rd-party risk as a high or critical priority, 74% claim the priority has increased in importance since 2020.
  • 56% of respondents expected “some investment” in 3rd-party risk technology in the next 12 months.

The opportunity for partners stems from the fact that organizations claim managing third-party risks is difficult because of a lack of qualified staff (49%), insufficient budget (44%), and a lack of an automated third-party management technology solution (44%). SecurityStudio partners use S2Vendor to increase revenue while serving this critical need for their customers.

#10 – Certified virtual Chief Information Security Officer (CvCISO) Partnership

Typical price: $750 – $1,500+/referral

Typical profit margin: nearly 100%

Typical recurrence: 3 to 4/month

There is no doubt that the vCISO market is exploding. There are many reasons for this, including the “Great CISO Resignation[3],” a significant (480%) increase[4] in the number of MSPs/MSSPs providing vCISO services, etc. The market is ripe for vCISO services and the differentiator for service providers will be the quality of their work and ability to provide tangible value to their customers.

Drawing from the experience of successfully serving more than 3,000 vCISO customers, SecurityStudio developed the first certification for vCISOs in the industry (CvCISO). CvCISO sets the standard for vCISO performance and answers the fundamental question “What does a vCISO do and how do they provide value?”

NOTE: A common question from partners is “Why would I refer someone to become a CvCISO when I am (or want to be) their vCISO?” The fact of the matter is that partners who refer people to the CvCISO program end up with more customers. The more educated your customers are, the more they understand the need for better information security. This leads to more referrals from customers through greater trust, higher customer satisfaction, and more sales confidence (for your team) from belonging to the CvCISO community.

The more people who belong to the CvCISO community, the more everyone in the community benefits.

#11 – S2Team/S2Me

Typical price: $500 – $2,000+/month

Typical profit margin: 30+%

Typical recurrence: Constant Monthly Recurring Revenue (MRR)

Most people understand that people pose the most significant risks, not technology. People who use technology irresponsibly, people who make mistakes, and people who make insecure technology are the causes of most (if not all) vulnerabilities, making it easy for attackers to get away with their crimes.

Traditional training and awareness programs help, but they’re limited in their effectiveness in addressing personal information security habits. Using S2Team and S2Me, SecurityStudio partners can manage personal information security risk assessments for their customers’ employees and greatly improve the “people part” of information security. At the end of the day, people care more about protecting themselves and their family members than they do about protecting their employers.

S2Team/S2Me is the perfect marriage between protecting people at home and protecting employers! S2Me is always offered to everyone at no cost.

Cyber Revenue Streams for MSPs – Simple Math

SecurityStudio is a fantastic utility platform to grow a very successful cybersecurity business. Quality, credible, and fully defensible information security consulting with a healthy profit margin is the goal. It’s as simple as choose your path, do the math, and start building!

Contact SecurityStudio if you would like more details about any of the ways you can make money with us.

[1] https://securitystudio.com/s2score-2/

[2] https://www.cyberriskalliance.com/press-release/cra-research-a-turbulent-outlook-on-third-party-risk/

[3] https://www.sdxcentral.com/articles/analysis/the-great-ciso-resignation-why-security-leaders-are-quitting-in-droves/2023/05/

[4] https://ca.finance.yahoo.com/news/cynomi-study-reveals-number-msps-143623468.html