#36 - From The Trenches - Cyber Compliance & vCISO Opportunity (Dan Collins)

In this episode of From the Trenches on the BMK Vision Podcast, Josh Peterson sits down with Dan Collins (CEO of 360 Advanced) to clarify a point that many MSP owners feel, but few can articulate: cybersecurity is increasingly governed by economics and accountability, not by tools. Dan’s vantage point as an independent assessor across frameworks like PCI, SOC, HIPAA, and government-adjacent programs such as FedRAMP and StateRAMP brings a different kind of clarity—one that helps MSPs move from “security as add-on” to “security as operating model.” If you’re building toward advisory outcomes, this conversation pairs naturally with the Vision operating system and BMK’s perspective on MSP consulting that strengthens leadership and execution.

This is not a discussion about the latest security stack. It is a discussion about who owns risk inside a client’s business—and how that ownership is becoming more explicit through insurance underwriting, compliance expectations, and the “office of the CISO” becoming a real governance function (even in organizations that will never hire a full-time CISO). Dan explains why certain verticals lag until pain becomes unavoidable, why public-sector requirements are trickling down-market, and why the MSP that can translate these pressures into a coherent program will be positioned as a strategic partner rather than a reactive vendor.

If you’re an MSP owner watching cyber expectations rise while client sophistication stays uneven, this episode offers a practical lens: distinguish what must be done (controls, remediation, response) from what must be owned (governance, policy, accountability, budget). The future belongs to MSPs who can provide both—without confusing “activity” for “assurance,” or “compliance” for “security.”


Why compliance work is a strategic advantage (when you treat it like governance)

Most MSPs encounter compliance the same way clients do: as a disruptive requirement that arrives from “somewhere else” (a regulator, a customer, a vendor, or an insurer). Dan reframes it more usefully: compliance is a forcing function for operational truth. It exposes where accountability is missing, where controls are undocumented, where ownership is informal, and where the business is relying on “good intentions” rather than an enforceable system.

From an MSP leadership perspective, this is the opportunity. The moment a client is required to demonstrate maturity—PCI evidence, SOC controls, HIPAA safeguards, FedRAMP-adjacent expectations—the MSP can either remain a technical implementer, or become the partner that turns requirements into a coherent operating model: roles, policies, workflow, review cadence, and a funded roadmap.

The difference is not skill. It is posture. The MSP that can translate compliance pressure into governance structure becomes the firm that executives keep, even when tools change.


Event-driven vs. standard-driven security: why some industries lag until it hurts

One of the most instructive threads in the episode is the reality that many sectors do not improve “because it’s right.” They improve when a standard has real enforcement, or when an incident makes the cost undeniable. Healthcare-adjacent SMBs (including dental and small practices) often sit in a gray zone where the data is sensitive, but the perceived consequences are weak—so the behavior stays unchanged.

This is the pattern MSP owners must plan for:

  • Standard-driven adoption occurs when enforcement is credible and requirements are measurable.
  • Event-driven adoption occurs when lawsuits, breaches, or insurance decisions make risk financially real.
  • “Sophistication gaps” widen down-market, which means your service model must account for education, governance, and budget design—not just implementation.

In other words: your client’s willingness is not stable. It changes with the environment. The MSP that can anticipate that change—and structure the response—wins.


The office of the CISO: the missing layer between tools and accountability

Dan makes a clean distinction that MSPs should adopt as language: the “office of the CISO” is not hands-on-keyboard work. It is the governance layer that ensures security is designed correctly, implemented responsibly, monitored intelligently, and adjusted as threats and business priorities evolve.

That distinction matters because it creates a scalable service line that many MSPs have historically avoided: vCISO as leadership, not as a bundle of deliverables. A credible vCISO motion typically includes:

  • Risk ownership and executive reporting (what matters, why it matters, who owns it)
  • Policy and program structure (what “good” looks like in this business)
  • Roadmap design and prioritization (sequence, budget, ROI)
  • Integration with operations (change management, onboarding standards, vendor risk, incident readiness)

The MSP that can provide this layer becomes the firm that is hired for judgment—not just for labor.


Frequently asked questions MSP owners should be asking after this conversation

What does an independent assessor actually do—and why should MSPs care?
Independent assessors validate whether required controls exist and whether evidence supports compliance outcomes. MSPs should care because assessments create clarity: what is missing, what must be remediated, and what needs ongoing operational discipline.

How is cyber insurance shaping security behavior in the SMB market?
Insurance is risk transfer, and underwriters increasingly require measurable controls (and a credible story about operations) before they will price or renew coverage. Over time, that underwriting pressure becomes a practical form of enforcement—especially for clients who would not change otherwise.

Why do StateRAMP and FedRAMP-adjacent requirements matter to “regular” MSPs?
Because public-sector expectations tend to cascade into vendor ecosystems. If your client serves government, or your client’s vendors handle government-adjacent data, the compliance expectations can reach you indirectly—but still with real business consequences.

Where does vCISO fit if my team already runs security tools and patching?
Tools and patching are implementation. vCISO is ownership: policy, program, priorities, budget alignment, and executive accountability. Most clients need both—but they are different disciplines, and they should be packaged and priced differently.

How should MSP owners think about building a sales engine around security-led services?
Treat it like a real go-to-market motion: funded marketing, role clarity, and measurable pipeline—not “hope.” Dan also reinforces a practical benchmark MSPs can learn from: consistent investment in sales and marketing that matches growth intent, without sacrificing sustainable profitability.

How does AI change this landscape for security and compliance?
AI will accelerate production work (including documentation), but it does not remove the need for judgment, accountability, and program ownership. The winning MSP will use AI to compress effort while expanding governance capacity—so the business delivers more assurance with less friction.


Want to continue the conversation?

If you’re an MSP owner building security and compliance into a real operating model—where governance, accountability, and growth strategy reinforce each other—BMK can help you turn that intent into execution through Vision.