Becoming A Strategic Security Partner
It’s no secret that MSPs are trying desperately to find their way from the server room to the board room. With constant advancements in AI automation, hanging your hat on “white-glove support” as a core value proposition will only get you so far up the ladder. We need to start thinking more strategically and providing consultative services that actually deliver real business value. For the security-minded MSP, vCISO services and the risk assessment are exactly that. As the founder of PowerPSA Consulting and creator of the PowerGRYD vCISO System, Jesse Miller has seen firsthand how these assessments can not only open new doors but also define the entire trajectory of a vCISO offering.
But there’s a catch. The effectiveness of a risk assessment as a marketing tool has everything to do with how it’s positioned. Give it away for free, and you’ll attract the wrong crowd. Price it correctly, and it becomes a magnet for high-intent prospects who are ready to buy. In this article, we unpack Miller’s hard-won insights on how MSPs can use risk assessments to drive strategic initiatives with new and existing customers. Not just as a sales gimmick, but as the first step in a strategic relationship with their customer.
Risk Assessments as a Net New Growth Lever
There’s a lot of noise in the cybersecurity vendor channel, but Jesse Miller has found a way to cut through all of it and deliver actionable insights to MSPs through vCISO program-building, with risk assessments as the lead-off centerpiece. “I still think it’s one of the best and most effective ways for a go-to-market motion for new clients, but you have to get people that are committed and are actually willing to pay a little something to find out what their risk is, rather than tire kickers.” His strategy hinges on a simple principle: if someone is willing to pay, even a little, they’re already showing a level of urgency that most leads never reach.
Some MSPs try to offer free assessments in hopes of scaling interest, but Miller’s seen what that brings in. “I don’t believe in giving them away for free. I’ve tried that in the past, and you run into low quality leads, people who are just tire kickers and maybe want to check the box, but they’re not invested.” It’s not enough for someone to just signal that they’re interested. The point is to find prospects that are willing to act on that interest, and free tends to invite the exact opposite.
There’s a subtle but important shift in how Miller frames the role of assessments. They aren’t just used as “bait” like a lead magnet. They’re a filter disguised as a service. The MSPs that treat them as a true value exchange are the ones building real sales momentum.
Try Risk Assessment Prospecting For Free
Available in ScalePad's ControlMap Platform
When to Use a Loss Leader and When Not To
With that said, it should be no surprise that Miller has never been a fan of defaulting to discount tactics. He believes if you’re solving a real problem for the right audience, there’s no reason to lead with a loss. “I try to stay away from loss leaders in general. If you know your target market and you’re talking about their pain points and solving those pain points, it shouldn’t be a loss leader. The prospect should be thinking, ‘We know you’re bringing value, so we’re going to pay you for it.’” In other words, if the offer is hitting home, there’s no need to play defense with your pricing.
That said, he’s not completely opposed to using risk assessments as a loss leader, but only in very specific scenarios. “I like risk assessments as loss leaders better for an existing client base. I always tell people, structure it at 80% of what their monthly is. It’s like a poker rule, if you want somebody to call your bet, you go a little less than the pot bet, and then they’re like, okay, I can call that.” When the relationship already exists, the game theory changes. At that point, the offer becomes more about expanding wallet share than cracking the door open, which is much more feasible.
The $6K Assessment and Overdelivering On Value
There’s a specific number that Jesse Miller has anchored to when packaging risk assessments for SMBs, and it’s not just based on guesswork. “To me, I see $6,000 as the default price, up to 150 users, with some limits there–covering your standard major departments like sales, HR, executive, operations and finance.” It’s a fixed-fee model that finds a middle ground. It’s broad enough to serve growing companies, but still contained enough to avoid getting buried in complexity.
Instead of tying the assessment to a specific compliance framework, Miller focuses on providing immediate, usable value. “This includes no compliance analysis, but an actionable framework like CIS, integrating impact to introduce risk concepts. We’re going to show [the prospect] where their risk is and make some recommendations–and I always tell people you want to try and ‘choke’ the client with value [laughs]. I’m going to try and give them something that’s so good they could take it and go to somebody else, but why would they ever want to do that, because you just made it so easy for them.” His goal is not to hold anything back as a carrot to dangle in front of them. It’s to deliver such a clear and actionable experience that continuing the relationship becomes the obvious next step.
Demystifying vCISO for Security-Focused MSPs
Join The PowerGRYD Growth Program
Pricing Jumps When Regulators Could Scrutinize the Output
There’s a reason Jesse keeps these base risk assessments compliance-free. Once regulation enters the picture, everything changes. “Without any regulatory concerns, you can typically do a standard $6k for a small to medium sized company. Now, when you get into regulatory frameworks, that’s when you have to know your target market, because there’s a wide variance.” The moment compliance becomes part of the deliverable, the margin for error shrinks. At the same time, the workload multiplies.
Miller doesn’t just increase pricing for the sake of it. The jump is tied directly to the level of scrutiny the assessment might face. “Is this risk assessment going to be held up and looked at by regulators? Then there’s more liability, and it gets more custom. When you’re getting into complex regulations, now you’re looking at around $20,000, because you have to be very meticulous about how you’re determining the client’s risk and what that looks like.” That number is not arbitrary. It reflects the time, precision, and liability involved in producing something that can stand up to third-party oversight.
The key here is understanding the stakes. For MSPs targeting regulated industries such as finance, Miller’s experience is a clear reminder that pricing should match exposure. A templated report might work for general SMB environments. But if regulators are likely to review the deliverable, that output becomes a formal artifact. With that comes a different level of responsibility, and that responsibility needs to be priced accordingly.
Who Actually Buys This, and Who Influences It
When it comes to closing a risk assessment deal, Jesse has a strong sense of who’s likely to sign the contract and who’s just along for the ride. “Typically, it’s a decision maker or an executive on the leadership team. Usually you’re looking at a COO, or maybe a CEO. CFOs are involved, but not as closely for an initial risk assessment. Keep in mind though, they’ll be one of your primary decision makers for the ongoing MRR, so plan for that as part of your endgame.” These buyers are focused on operational risk and broad liability, which makes them well suited for this kind of conversation.
The buying process isn’t always so direct. Other stakeholders often shape the outcome, even if they don’t hold the final say. “In larger deals, you’re going to have the influencers like the IT Manager or CTO. For SEC regulated companies, you’re going to have the Chief Compliance Officer, and they’re getting asked governance questions, so then they reach out and say, okay, we need to get a cyber security risk management program in place to meet our reporting standards.” These internal champions may not control the budget. However, they often drive the urgency that kicks the process into motion.
Understanding this split between decision makers and influencers is critical for MSPs that want to position assessments effectively. It’s all about understanding who is feeling the pressure, who is being asked the hard questions, and who is most motivated to find a solution that checks all the boxes.
Disqualifying “One Off” Work and Qualifying the Real Opportunity
There’s a certain type of deal Miller actively avoids. It might sound counterintuitive to walk away from paid work, but he’s learned that not all opportunities are worth the time. “I’m not interested in doing a one-off risk assessment if there’s not a recurring contract to be earned on the other side. At the end of the day that is the opportunity that I am looking for, so simply selling the assessment with no long term partnership can be a risk in itself.”
The appeal of a quick assessment project can be strong, especially when revenue feels tight. But Miller cautions that these one-time engagements tend to attract the wrong type of buyer. “The kind of leads you’re going to attract with that is project only work. They want to get it done so they can move on to the next thing, they’re never going to sign up for services. I would counsel you against pursuing these opportunities.” These clients are trying to check a box, not build a relationship.
If the assessment is not tied to a bigger objective, such as ongoing security services, compliance management, or a vCISO engagement, it’s probably not worth pursuing. Time spent on short-term projects with no future upside is time taken away from prospects who actually need and want a deeper relationship.
The Reveal: How the Assessment Turns Into the vCISO Conversation
Performing the risk assessment is only half the job. According to Jesse, winning that long-term contract is all about the positioning. “For me it’s usually a multi-faceted presentation where we take them through the reporting and walk them through potential business outcomes. That’s going to be like an hour and 15, to an hour and 30 minute meeting, and you have to play it by ear and ask, ‘Do you want to digest this, or should we keep going?’” This is not a quick review or a handoff of a PDF. It is a carefully guided experience where the next steps often start to present themselves naturally.
The way Miller connects the dots is straightforward but deliberate. “I show them, here’s your business goals–which you should have underpinned during sales discovery–and here’s the risk to those. Now here’s how our services address this. We have a holistic vCISO risk program coupled with a cyber security program; it gives you the governance, and it reduces your risk down to an acceptable level based on what you want to achieve. Remember, we’re tying it back to the business goals.” The key is clarity. It is all about showcasing business outcomes and illustrating how risks to each one can be remediated through an ongoing relationship.
This is the moment when the entire motion pays off. The client already sees the risks and understands their potential impact. Now they are being shown a clear path forward, led by a partner who has already done the hard work of identifying the issues. That moment, when the recommendations align with a broader program, is what unlocks the vCISO opportunity and builds lasting trust.
Staffing and Unit Economics That Make It Work
Miller doesn’t believe you need to hire an external expert to run with a vCISO program. In fact, he recommends the opposite, with a few qualifiers. “It makes more sense to use somebody internally because they know the client base really well. You’re helping them build a new risk management skillset, and it’s easier to backfill your already built out positions than it is to try and hire a vCISO and then have them fit in with the rest of the organization with no political capital. Now that doesn’t mean don’t train them–they may have to learn new skills–and that should be part of your vCISO offer development plan.” For MSPs, the advantage lies in familiarity. Someone already embedded in the business can carry the weight of the program with far fewer handoffs.
On the financial side, Miller has a defined model for what makes this work operationally viable. “I’m always targeting 60% gross margins on labor. For fully loaded costs, I think you should go like 1.4 for your fully loaded, then take a 60% gross margin on that, and any tools you’re using take a 50% gross margin on those.” This gives MSPs a concrete way to build a service that’s not just strategic, but profitable and repeatable.
The formula is refreshingly practical. Use the people you already have. Price in a way that protects your margins. Avoid over-engineering the delivery model. He is not pushing a high-concept blueprint here that is only relevant to platform MSPs. He is laying out an execution plan that even small MSPs can act on without needing to dramatically scale headcount or take on new risk.
Packaging and Pricing: Don’t Do Per User, Niche Wins
One of the biggest missteps MSPs can make is trying to price these services like a help desk. “If I had to paint a really broad brush, if I was pricing vCISO packages, I would do like $4,000, $8,000, $10,000. That’s really generic, but that’s what I see as a starting point for those programs.” Instead of nickel-and-diming based on user counts, he anchors his pricing to the scope of the engagement. It’s simple, tiered, and easy to map back to the value being delivered.
That’s because the per-user model breaks down quickly in this context. “Charging an additional per user for this service is a terrible idea. You can’t charge per user for this, because you’ll leave money on the table in some cases, and in other cases the model isn’t economically feasible for the client at a higher user count.” In Miller’s experience, tying pricing to headcount often creates more problems than it solves. It makes forecasting unpredictable and risks undervaluing the work required for complex, high-stakes engagements.
Instead, his model encourages MSPs to think more like consultants than commodity providers, while packaging using productized software techniques. Set clear boundaries around what features each tier includes. Price it based on the business risk and deliverables involved. Focus on serving a specific niche where those packages can be repeated and refined. That’s where efficiency meets profitability, and where value becomes much easier to communicate.
Conclusion
What I ultimately learned from this conversation was that Jesse Miller’s approach to risk assessments isn’t about gimmicks or giveaways. It’s a focused motion designed to qualify real buyers, deliver value up front, and naturally lead into longer-term services like vCISO. By charging for that assessment and then living up to expectations, you kickstart the strategic relationship with the customer and earn an immediate win by executing what is ultimately a routine and repeatable process. While there are a ton of really valuable tools and services available to help MSPs activate these services, it starts with understanding the foundation and delivering accordingly–and that’s why I see the PowerGRYD vCISO System as uniquely helpful to MSPs who are serious about taking a security-first approach.