Managed security services: the MSPs role in cybersecurity
This blog post was originally published January 22, 2019
It shouldn’t be a surprise that your clients are starting to ask more questions about cybersecurity. It was a hot topic in 2019 and will continue to gain popularity among small- to medium-sized businesses (SMBs) in 2020. Their attitudes are changing, and cybersecurity is starting to become a determining factor in whether an SMB will use or continue using a managed service provider (MSP).
As your clients and prospects make cybersecurity a priority, there’s a lot of opportunity for your MSP. And opportunity comes with challenges and risk.
Managed security services: the opportunities and challenges
It’s no doubt that small business owners are becoming more aware of cybersecurity and the impact it has on their businesses. Today, a whopping 89% of SMBs view cybersecurity as the top or one of the top five priorities in their organization. 84% of businesses that don’t currently use an MSP would consider hiring one if they offered the ‘right’ cybersecurity solution for their organization’s needs. That presents a big opportunity for MSPs to transition to be a security-first provider, or MSP+, attract new business, and tap into new revenue streams.
Worldwide, SMBs are projected to grow their spending on remote managed security services to an estimated $21.2 billion by 2021, making it the highest growth area in the managed services market. However, even though the importance of offering cybersecurity is known, many service providers are shying away from this service’s goldmine because they don’t possess the people, processes, or technology to address increasingly sophisticated cyberattacks.
On the other hand, your clients believe you’re handling ‘all things’ security-related as part of your current services. This begs the question: Is there a way to have a conversation around a common language to communicate and mitigate the ambiguity of ‘Who owns the risk?’
Every new opportunity isn’t without challenges. For cybersecurity, it begins with understanding why your clients feel you’re responsible for ‘all things’ security. Have you ever said any of the following things to a prospect or client?
- We are your outsourced IT department.
- We reduce your risk and exposure.
- Our Virtual CIO (vCIO) meets with you quarterly to ensure your business and technology requirements are in alignment.
- You pay one monthly fee that is outcome-driven.
- We do it all!
These are all nice things to say to a small business owner. In fact, these may have won you a few deals. But there’s a problem. Your clients take these statements literally. When they deal with a security incident, you’re the first person they call and expect you to have the answers.
For more than ten years, our industry has preached managed services at every industry event and client/prospect engagement. We’ve conditioned our customers to believe that ‘We do it all.’
Another challenge presents itself in the form of the magnitude that cybersecurity entails. With today’s threats and attacks becoming more sophisticated, the days of securing yourself and your clients through a tools-based model (endpoint and firewall protection, email security/backup, and DNS) aren’t enough. While the tools are still important, you need to factor in the people and the processes into the cybersecurity equation. Security gaps don’t typically show themselves very easily so to understand a complete security posture, you’ll need to perform a risk assessment.
Some MSPs are adding phishing services with security awareness training, which is an excellent step in meeting compliance requirements. Along with training, putting processes in place in your business and your clients will instill cybersecurity into the company culture.
How to prioritize cybersecurity in Your MSP
Now that we’ve identified the opportunities and the challenges, let’s take a look at what you can do to make it all possible.
- Protect your house
To keep your clients secure, you need to nail your internal security controls. You hold the keys to a lot of SMBs’ networks, infrastructures, and data. If you get hit with an attack, it’s not just you that gets hurt.
Protecting your house is the same as protecting a client. Perform a risk assessment in your own business. Install the tools, provide the training, and implement the processes you’d offer to your clients. It shows clients you take security seriously and trust the security measures you’re selling.
- Decide whether to build, buy, or partner for cybersecurity
You know you need to offer cybersecurity, but you’re not really sure how to turn these services into a reality. Every MSP is different, and what works for others might not be the best approach for you. When MSPs finally bring cybersecurity into their offerings, they do one of three things—they either build it themselves, buy another company that specializes in cybersecurity, or they partner with a provider.
Each option comes with their own challenges, so take the time to do your research and determine the best path for your MSP to be successful and profitable.
- Speak the same language
Cybersecurity might be gaining traction within SMBs, but there are still a lot of areas they don’t understand. As you start having more in-depth conversations around cybersecurity, you’ll need to be sure you’re speaking the same language—both in terms they understand and current events. You need to speak a common language about how the threat landscape has changed over the past few months, let alone years, and what has worked in the past won’t work today.
- Perform ongoing risk assessments
Since security is about tools, people, and processes, you need to go further than basic network fixes. Performing a risk assessment will identify critical security gaps across your client’s entire business and provide recommended actions to close the gaps. These findings will help you when you start having security conversations with your clients.
After you perform a risk assessment, you can sit down with your clients and show them what’s leaving them vulnerable to attacks and what steps need to be taken to keep them secure. Along with figuring out the next steps, you can determine who will own the risk after an incident occurs.
- Use a security starter kit
Cybersecurity can be overwhelming if you’re just getting started. Luckily, you aren’t the first MSP to go on the cybersecurity journey. There are plenty of resources available, including the ConnectWise Cybersecurity Starter Kit, to help you learn more about building your cybersecurity services. Our starter kit is filled with eBooks, templates, webinars, educational videos, and more to get you up to speed on how to build, talk about, and sell your cybersecurity offerings to new and existing customers.
- Implement security awareness training
The weakest security link in many SMBs is their staff. This isn’t to say their employees are careless or irresponsible—they just aren’t up to date on the latest cybersecurity practices and education. Everyone has a different level of cybersecurity knowledge. By including security awareness training as part of your services, you can get everyone on the same level and more aware of their role in keeping their company safe.
A knowledgeable staff is a powerful tool in any SMB’s cybersecurity strategy. If employees are constantly on the lookout for signs of an attack, they could potentially prevent an incident, saving your clients money in the future.
Cybersecurity isn’t a one-time fix. You need to constantly evolve to stay ahead of current threats and try to anticipate what’s on the horizon. Now’s the time to address these assumptions, have the security conversation, and get on the same cybersecurity page with your clients. There are improvements you can make today that can make the difference in how secure your business is and set you up to take advantage of the opportunities in front of you. Constantly on the lookout for signs of an attack, they could potentially prevent an incident, saving your clients money in the future.