Cyberthreats continually escalate. You may have provided antivirus or email security solutions to your customers up to this point. But, in light of the changing threat landscape, you may be contemplating doing more. Are you ready to take your business to a new level by offering managed security services?
DevPro Journal reached out to thought leaders for advice that can help you plan a successful entrance into the managed security space — and provide the most effective defenses for your clients moving forward. Their advice covers five key areas:
1. Form Smart Partnerships
Jason Eberhardt, Head of Global Cloud & MSP, Bitdefender:
“Even though MSP’s have been around for quite some time, they are far more relevant today than ever before. MSPs have the unique ability to help the security posture of companies, small and large. One of the most important steps for an MSP is to partner with industry-leading vendors to provide strong, reliable solution suites that offer best in breed security, do not impact performance, and at the right price.
Offering solutions for antivirus, antimalware, anti-exploit, endpoint detection, remediation, patch management, web content filtering, device management, encryption along with remote monitoring and management (RMM) for automation and ticketing/billing, round out these offerings. MSPs also know that the more agents on a device, the more resources it will impact. This means they must seek solutions that allow them to do more with less.”
Allan Richards, Channel Sales Manager, AppRiver:
“AppRiver’s Q2 2019 Cyberthreat Index revealed that SMB decision-makers are now relying on their MSPs for threat prevention support more than for any other key services. As businesses continue to increase their migration to the cloud, they are heavily depending on the experience and expertise of MSPs to reduce the current and future risks wrought by today’s evolving threat environment. However, many are finding themselves exposed to unfamiliar attacks, as many MSPs are not currently equipped with the vendor support, tools and resources they need to provide their customers with adequate threat prevention support.
The key to building a successful managed security offering is partnering with the right security vendor. This means being diligent in choosing a vendor that offers:
- Advanced threat prevention technologies surrounding the three main points of intrusion are email, network and Internet-based threats. Office 365, for example, is proving to be the largest target and vector of phishing and conversation hijacking attacks for SMB markets.
- A good understanding of the compliance requirements needed by their clients, from HIPAA to SEC, SOX, or any other regulations that clients must adhere to
- Educational and marketing resources that enable MSPs to not only develop their product and threat expertise but also to serve as trusted security advisors for their customers. This will enable them to operate more efficiently, keep their customers safe and achieve greater profitability.”
Jason Norton, Product Marketing Director, VIPRE:
“While choosing a security vendor, it is incredibly important to pick the right partner to assist in executing your vision. While this can seem completely overwhelming, there are a few things to look for to reduce the field.
Look for partners that first and foremost have fully-built standardized and scalable security frameworks. Seek cybersecurity solutions that provide not only top-rated security but also have an excellent partner program to go along with it. Excellent partner programs allow for maintenance of excellent margins, an increase in operational efficiencies, and the improvement of your profits while ensuring client protection.
While it seems to be easier to implement the most awarded or the lowest-priced solutions, it does not always mean that their partner program is built for the modern MSP. Strike a balance between top-rated cybersecurity and programs purpose-built for the MSP. It also doesn’t hurt to find a vendor willing to invest in partner enablement and that also maintains an extensive portfolio of cybersecurity solutions which will afford the ability to pare down the number of vendors an MSP works with.”
2. Advance Your Managed Security Services Practices Strategically
Cameron Tousley, National Partner Account Manager, MSP, ESET North America:
“As threats continue to evolve and infiltrate all sizes of companies, it presents an opportunity to start offering security. As you get started, think logically about your approach to offering and selling security services. Perform analysis of common ways companies get breached so you can evaluate how to solve the most popular challenges first.
Analyze your current list of customers to determine if they need security due to regulation or if they only want it to feel safe. If they need it, you’ll have an easier time selling it, but if they don’t, you could find yourself educating non-buyers, and this is a common time-waster that can be avoided. Pick a customer vertical that is required to have security, like healthcare or finance. There are many security product categories, but before you start looking at products, focus on challenges, research solutions, and then pick the best fit for your clients.”
Neal Bradbury, VP, MSP Strategic Partnerships, Barracuda MSP:
“It may come as a surprise to many MSPs that they may already have a foundational security element in place for their SMB customers. Backup and disaster recovery (BDR) is an essential solution (and sometimes an SMB’s last chance) to save their business-critical data.
As the threat landscape continues to evolve with new attacks emerging on an almost daily basis, a great place for MSPs to start is by implementing email security solutions, and a security awareness training program to educate their customers on these latest threats. You can have the most robust security solutions in place, but your defense is only as strong as your weakest links.
It is also important to move slowly, adding new managed security services in a phased approach. Often, providers will rush into adding everything all at once, which can lead to challenges down the road. Also, don’t forget to demonstrate the value of the new services you are adding to your clients in the same way you would any other new managed service offering.”
3. Choose the Optimal Platform
Steven DeMarzio, MSP Channel Manager, Trend Micro
“When entering and growing within the MSP space, a managed service provider should have an infrastructure eco-system that enables them. They should have a solution with multiple layers of security to help minimize false positives to lower their support cost. At the same time, it requires them to control licensing, to adapt and transform with their business model, and operations, to ensure they can conduct operations in an optimized way minimizing onsite efforts. By aligning your MSP model with vendors and partners that provide solutions in a complete and connected environment will provide that path towards success.”
Scott Barlow, VP, Global MSP, Sophos:
“MSPs should sell a complete security system versus individual point products. A complete security system offers security services across the stack beyond endpoint and firewall, including mobile, disk encryption, server, training and more. MSPs often leverage multiple vendors and disparate security technologies that don’t work in concert with one another, which is difficult to manage technically and from a business standpoint.
Additionally, MSPs should determine if they’re going to bake security within existing contracts or pull out the security components as a layered offering on top of an existing contract. This ensures they’re not just dipping their toe into security and responding to all customer needs.
Lastly, MSPs often don’t leverage materials offered by vendors, like sales assets, educational webinars, training, and certifications. These tools are critical to an MSP’s success, especially when selling security services because they are designed to improve both the MSP’s and end users’ security posture.”
4. Stay Agile
George Anderson, Product Marketing Director for Business, Webroot:
“Your client’s market sectors are going to demand different solutions. One size of security service will not necessarily answer all needs – you need to be flexible.
Clients don’t necessarily allocate enough funds for IT security from their budget, so MSPs need to perform their own audits. Having cyber aware and trained users at each client will dramatically increase the value of technical IT security defense.
If you don’t have the right IT security skills then invest in training and education for your own staff. Be very clear with clients about your liability in the event of a breach, to avoid any legal repercussions, and set realistic expectations on both sides as to what you can and cannot do given the budget for security.
A lot of cyber best practices like regular patching, password changes/rules, access permissions, and log analysis should form the foundation of offering managed security services.”
5. Develop a Skilled Team
Michael George, CEO, Continuum:
“There is enormous opportunity and demand for MSPs that can bring effective security solutions to the market. My advice for MSPs beginning to offer managed security services is to be vigilant in addressing the skills gap challenge, implement the right technologies, regularly train employees on security best practices, and recognize that keeping your business secure is a never-ending, always-evolving undertaking. MSPs that can rise to meet these challenges — by refocusing their own disciplines and leveraging strategic partnerships — will position themselves to win out over those that can’t.”
Tim Brown, VP of Security, SolarWinds MSP:
“Go in with your eyes wide open. To truly provide a managed security service takes investment in people, process, and technology. The first thing an MSP should do is structure their team in an appropriate fashion, separating the MSP operation from the MSSP operation. This allows for separation of duty and lets people focus on what they are passionate about—a strong security individual in an MSP role will only last so long.
Next, the MSSP should focus on the ‘boring’ stuff that is the definition of processes and procedures. And finally, technology: Don’t get complex, start with the technology that reduces your clients’ risks and manages good cyberhygiene, then extend beyond that for certain clients.
Providing security services is not for every MSP so if you are uncomfortable with the risk and investment necessary, find a partner, learn the ropes and when you are ready, take it on yourself.” 
