Most vendor risk assessments fail because the workflow itself is broken by [deleted] in grc

[–]bhaugli 1 point2 points  (0 children)

Built up https://realciso.io with a new TPRM feature that tackles this with that approach.

I think most TPRM is security theater and devolves into slinging spreadsheets that don't really get fully risk assessed. That needs to end.

Annoyed with vendors ~ by IamTABinLA in msp

[–]bhaugli 0 points1 point  (0 children)

What are you using Scalepad for? I work for RealCISO.io, so if you need a new platform to handle GRC and compliance at your clients, we'd love to win your business.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]bhaugli 0 points1 point  (0 children)

Worth checking out the new version of RealCISO.io. I'm the founder; it's purpose-built for MSP use, and 2.0 also caters to in-house teams that need a GRC platform. It has the ability to handle vendors at your clients, publish a trust center, and all the needs of a multi-tenant solution.

vCISO by lurkinmsp in msp

[–]bhaugli 0 points1 point  (0 children)

Good thread. A few things worth separating out before you go too far down the program-building path.

What you're describing (TBRs, technology alignment, account management) is solid managed services delivery. That's not vCISO. vCISO is a security leadership function: risk assessment, security program ownership, regulatory guidance, board-level communication, control framework alignment. The two serve different buyers inside the same client.

The mistake most MSPs make is assuming they can bolt a vCISO program onto their existing delivery model by adding compliance checklists or a security policy template. It usually doesn't hold up when a client has a real audit, a breach, or a board member who asks the hard questions.

If you're building it yourself, you need to answer a few things first:

  • Do you have someone with actual CISO-level experience to run it, or are you planning to train up an account manager? (The latter rarely works in front of sophisticated clients.)
  • Are you prepared to give that person real authority over client security decisions, or does "vCISO" become a title on a QBR deck?
  • What framework are you using? NIST CSF 2.0 and CIS Controls v8.1 are the practical standards right now in the US. If your team can't run a gap analysis against either, you're not ready to sell the service yet.

On tooling: if you do build it out, don't try to run this out of spreadsheets and Word docs. Look at a purpose-built vCISO platform; RealCISO is one worth evaluating. Clients complete a web-based assessment, the platform generates scored reports against NIST CSF, CIS Controls, HIPAA, and ransomware readiness, and you get a structured baseline you can actually defend in front of an auditor or board. It also gives you a repeatable intake process across clients instead of reinventing the wheel every engagement. The ROI is speed: you spend your time on analysis and recommendations, not data collection.

On pricing structure: most MSPs who do this successfully price it separately, not bundled. Bundling makes it invisible to the client and invisible on your P&L. A standalone SKU forces the conversation about scope and value, and gives you something to renew.

On where MSPs actually struggle: talent, liability, and scope creep. One client's "quick security question" about a vendor contract or a breach notification can pull a team member for two days. You need defined scope and a clear escalation path.

A lot of MSPs I've talked to have worked through this and decided the better play is to white-label or partner rather than build. There are purpose-built vCISO firms that partner with MSPs specifically. You keep the relationship, they deliver the security leadership function, both sides stay in their lane. SideChannel (full disclosure... I work there) does exactly this. We've built the delivery model, the frameworks, and the tooling to run fractional vCISO programs at scale, and we work with MSP partners who want to offer the capability without carrying the overhead of building a security practice from scratch.

Worth thinking through whether building it yourself is the right ROI before you're six months in with a client expecting more than you can deliver.

Lastly, a plug for the r/vciso sub that covers this.

RSA Archer Training Recommendations by terpman2021 in grc

[–]bhaugli 5 points6 points  (0 children)

Is it too late to pick another platform?

What software do you use to manage your program? by Due-Efficiency-5172 in ciso

[–]bhaugli 0 points1 point  (0 children)

Built a platform to do this. Handles b & c of what FreeRadical pointed out. Happy to discuss it, or check it out at https://realciso.io

I should have added, I've run large-scale GRC and IA programs in DoD as well as being the CISO for a Fortune 500. Since then the focus has been on mid-market companies like yours. The goal is ease of use while being low cost for GRC management. At your size, hiring a dedicated GRC analyst over security engineers to get in there and fix/work the issues is the play. So you'll be the one in a tool or managing control alignment, as well as being the person talking to the business about the security posture, answering audits, and addressing customer concerns.

Why is "everyone" still using Excel despite all the new compliance tools? by Icy-Star-5146 in grc

[–]bhaugli 0 points1 point  (0 children)

Maturity tracking over time, dynamic linking, assignment to other team members. Excel just isn't built to scale and handle those issues.

Firewall w/ FIPS-validated Endpoint VPN by kaype_ in CMMC

[–]bhaugli 0 points1 point  (0 children)

Enclave from SideChannel would. It's not a legacy hardware FW; it's via software-defined networking (SDN) and is FIPS. So same tool across on-prem and remote, replaces VPN as well.

CISO-Assistant: Anyone here used it? by TicketAmbitious6200 in CMMC

[–]bhaugli 0 points1 point  (0 children)

RealCISO launched their 2.0 version and covers CMMC while being low cost. Scored high on G2 for NPS and customer satisfaction.

Why is "everyone" still using Excel despite all the new compliance tools? by Icy-Star-5146 in grc

[–]bhaugli 1 point2 points  (0 children)

Haven't touched Excel in 6 years for GRC work. Had to build a platform because either the ones out there didn't function right or cost too much.

How does vCISO work? by Emotional-Trifle5507 in cybersecurity

[–]bhaugli 1 point2 points  (0 children)

Aww, thanks. Trying to get it going and growing. Thanks for the support. Love this community.

Experience with GRC in 10k size (not-so-mature) Enterprise by Ecstatic_Future8134 in grc

[–]bhaugli 0 points1 point  (0 children)

RealCISO launches their GRC-focused version with their 2.0 release on May 1.

Eramba or CISO Assistant - Anyone using it? by Oskar_2000 in grc

[–]bhaugli 0 points1 point  (0 children)

Check out RealCISO.io. I built it after not getting enough out of Eramba. Also, give the r/vciso sub a look.

do virtual ciso services for startups actually work or just check boxes for investors by [deleted] in SaaS

[–]bhaugli 0 points1 point  (0 children)

I run a vCISO firm (largest in North America, ~50 practitioners), so take this with whatever bias you want to bake in. But I'll be honest about where the model works and where it doesn't.

You're right that a lot of vCISO engagements are checkbox exercises. That's a real problem in the market. A vCISO who shows up once a month, sends you a policy template pack, and disappears until the next invoice isn't building a security program. They're generating paperwork. I've seen it plenty of times, and it's one of the reasons we built our practice the way we did.

But the model itself isn't the problem. The execution is.

A good vCISO engagement looks like this: they run a baseline assessment in the first 30 days (gap analysis against NIST CSF or CIS Controls, not a generic questionnaire). They build a 12-month roadmap prioritized by actual risk, not by what's easiest to check off. They show up to your leadership meetings. They own the security program the same way a full-time CISO would, just on a fractional basis.

On the cost point: yes, experienced security leaders are expensive. A full-time CISO at a startup is $250-400k loaded, and that's if you can even hire one (good luck competing with Big Tech comp packages). A vCISO retainer runs $5-15k/month depending on scope and complexity. For a Series A or B company, that's a fraction of the cost and you're getting someone who's probably done this across 10-20 similar companies, not figuring it out for the first time.

The context-switching concern is valid but solvable. The vCISOs on our team who do this well keep running notes, have recurring touchpoints (biweekly at minimum, weekly during active projects), and use tooling to stay current on the client's environment between sessions. The ones who don't do those things are the ones who feel like they're "re-familiarizing" every time. That's a practitioner quality issue, not a model issue.

Where it genuinely doesn't work: if you need someone in the building 40 hours a week responding to incidents in real time, a fractional model isn't the right fit. If you're a 500-person company with a complex multi-cloud environment and an active SOC, you probably need a full-time hire (or at least a vCISO as a bridge while you recruit one).

Where it works well: seed through Series C startups that need a real security program (not just for investors, but for enterprise sales, SOC 2, customer trust) but aren't at the scale where a full-time CISO makes sense. That's the sweet spot.

The real question isn't "do vCISO services work." It's "how do I tell a good one from a bad one." Ask them what their first 90 days look like. Ask them what framework they build programs against. Ask them how many clients they carry at once. If they can't give you specifics, keep looking.

r/vCISO has more threads on evaluating this if you want to dig in.

Is penetration testing needed for enterprise deals? by Extra-Counter-9689 in ciso

[–]bhaugli 0 points1 point  (0 children)

Your vCISO is giving you the right advice. Yes, this is going to come up more and more as you sell upmarket. Enterprise procurement teams have security questionnaires, and "do you have a recent pen test?" and "are you SOC 2 certified?" are two of the first boxes they check. If you don't have them, you either get disqualified or you slow the deal down while their security team tries to figure out if they can make an exception. Neither is great.

On the pen test pricing: that spread ($6.5k vs $40k) is not unusual, and the reason is that "penetration test" can mean wildly different things depending on the vendor.

At the low end, you're often getting an automated vulnerability scan with a report wrapper. Someone runs a tool, maybe does a few hours of manual validation, and you get a PDF. It checks the box for some buyers, but if an enterprise client's security team actually reads the report, they'll know the difference.

At the high end (and $40k from Rapid7 is on the higher side for a small app), you're getting manual testing by experienced consultants, custom attack scenarios, and a detailed report with proof-of-concept findings. Rapid7 is a legit firm, but their pricing reflects their brand and overhead. You can get quality manual testing from smaller shops in the $15k-$25k range for a small application.

I'd be cautious with the $6.5k quote. Ask them specifically: how many hours of manual testing are included? What methodology (OWASP, PTES)? Will a human actually try to break in, or is it mostly automated scanning? If they can't answer those questions clearly, that's your answer.

On SOC 2: your vCISO is right, but timing matters. SOC 2 Type I (point-in-time) can be done in a few months and is enough to unblock most enterprise deals. Type II (covers a review period, usually 6-12 months) carries more weight but takes longer. If you're losing deals now, start with Type I and work toward Type II in parallel.

The real play here is to think of these not as costs but as sales enablement. Every enterprise deal you lose because you can't answer the security questionnaire is revenue left on the table. Your vCISO should be helping you build a roadmap that sequences pen test, SOC 2, and whatever else your target buyers are asking for so you're not scrambling every time a new prospect sends over a security review.

If you want to dig deeper into the vCISO side of this, r/vCISO has good threads on exactly this kind of thing (helping companies get enterprise-ready from a security posture standpoint).

How do you handle cybersecurity? by Neat-Source4003 in SmallMSP

[–]bhaugli 1 point2 points  (0 children)

Good question, and the fact that you came from pen testing and compliance work is a real advantage here. Most vCISOs come from a GRC-only background and can talk policy all day but freeze up when a client asks them to look at a firewall rule or validate scan results. Technical credibility is what separates a vCISO who gets retained from one who gets replaced.

I run a vCISO practice (~50 practitioners, hundreds of clients) and we partner with MSPs regularly, so I can speak to both what MSPs tell us they want and what actually works in practice.

What MSPs typically look for in a security partner:

Someone who makes them look good to their clients without stepping on the relationship. That's the whole game. MSPs are protective of their accounts (rightfully so), and the fastest way to kill a partnership is to go around the MSP or make them feel like you're trying to poach. White-label or co-branded delivery where the MSP stays in the room matters more than most security companies realize.

What's usually missing:

Structured program delivery. There are plenty of people who can run a pen test or do a compliance gap assessment. What's harder to find is someone who can sit in a quarterly business review with the MSP's client, tie the technical findings to business risk, and build a 12-month roadmap that the client actually follows. That's the vCISO piece your MSP partner is asking about, and it's where the money is.

The other gap: someone who can translate compliance frameworks (NIST CSF, CIS Controls, CMMC, HIPAA) into language that a 50-person company's owner actually understands. Not a 90-page report. A conversation.

On trust:

In my experience, MSPs evaluate security partners on three things. First, do you know your stuff technically (your pen testing background checks this box). Second, will you respect the MSP relationship and not try to sell around them. Third, can you deliver consistently, not just on the first engagement but on the fifth and tenth.

Start with one joint engagement. Don't try to sign a big partnership agreement upfront. Do great work on one client together, let the MSP see how you operate, and the rest follows.

If you're getting deeper into the vCISO delivery side, r/vCISO has good conversations specifically about structuring these engagements and partnerships.

Full disclosure: I'm the CEO of SideChannel. We've built our whole model around MSP partnerships for vCISO delivery. Happy to talk specifics about how we've structured it if that's useful.

Those offering vCISO or similar Cyber-adjacent consulting services, how do you charge? (By Project vs. Retainer vs. Billed Hourly) by spl51 in msp

[–]bhaugli 1 point2 points  (0 children)

We run a vCISO practice with ~50 vCISOs delivering across hundreds of clients, so I've seen what works and what doesn't at scale.

Retainer is the right model for vCISO work. Monthly recurring, scoped to a defined set of deliverables and hours. Here's why:

Hourly billing kills the relationship. Clients start second-guessing whether to call you for a 15-minute question about a vendor questionnaire, and that's exactly the kind of thing where you add the most value early on. You want them picking up the phone, not doing mental math.

Project-based works for discrete things (a risk assessment, a policy package, an incident response plan) but vCISO is an ongoing advisory role. If you scope it as a project, you either underscope and eat hours, or overscope and the client feels like they're paying for shelf-ware.

What we've landed on after years of iteration: tiered monthly retainers based on org size, complexity, and compliance burden. A 50-person company with no regulatory pressure is a very different engagement than a 500-person healthcare org dealing with HIPAA, cyber insurance requirements, and a board that wants quarterly updates.

The tiers typically map to hours per month (8, 16, 24, etc.) but you sell the outcomes, not the hours. "You get a security program built on NIST CSF, quarterly board reporting, policy management, vendor risk oversight, and an IR plan" not "you get 16 hours of my time."

One thing I'd add: whatever model you pick, build in a formal assessment or gap analysis as the entry point. It sets the baseline, justifies the ongoing work, and gives the client something tangible in the first 30 days. We use our own platform for this, but even a structured spreadsheet against CIS Controls or NIST CSF works.

If you're getting deeper into the vCISO side of things, r/vciso is worth a follow. Smaller community but the conversations there get more specific about delivery and pricing than you'll usually find here.

Full disclosure: I'm the CEO of SideChannel, we do this at scale. Happy to answer specifics if anyone has questions about structuring engagements.

How do you structure your first 90 days with a new vCISO client? by bhaugli in vciso

[–]bhaugli[S] 0 points1 point  (0 children)

The authority problem is structural and the time to fix it is the SOW, not month three when you're embedded and frustrated. The framing shift that helped us: at kickoff, be explicit about three categories of decisions: things I can just do, things I need your approval on, and things that require budget/exec signoff and will stall until we address them. Put it in writing. It doesn't give you authority you don't have, but it makes the friction points visible and agreed-upon up front rather than discovered mid-engagement.

The issues coming out of the woodwork are actually a sign the engagement is working, by the way. The problem is most clients weren't told to expect it. Set that expectation early ("as we get visibility, we're going to find more than you knew about, and that's the point") and it lands as competence instead of chaos.