Selling Cybersecurity for the MS(S)P

By: Rex Frank

ConnectWise has been discussing the Entrepreneurial Journey for a few years now. They describe the four growth stages that companies go through: Muscle & Feel, Managing to What Good Looks Like, Building Teams and Strategy, and Leading Toward Legacy.

As an industry, the average MSP is somewhere between “Managing to What Good Looks Like” and “Building Teams and Strategy.” Most of us have aspects of our business that live in different stages, which leads to confusion and frustration for everyone.

Scalability begins to happen during “Building Teams and Strategy,” once all of the bottlenecks have been removed and the leadership team can grow and multiply as needed.

Before we talk about scaling cybersecurity, let’s take a quick look back at our industry’s journey toward managed services. Those around in the late ’90s enjoyed a massive rush to Y2K compliance, which meant more project work than we knew what to do with. The problem we created was that we put all of our clients on the same three-to-five-year refresh cycle starting in 1999.

Professional services was a barren wasteland from January 2000 until at least 2002, when we started some server refreshes, and 2004 when we started the workstation and network infrastructure refresh cycle. The lack of professional services revenue for three years was the major catalyst to seek recurring revenue for managing the infrastructure.

In 2000, the innovative solution providers went out and bought RMM tools like Level Platforms, Zenith or N-able. We still really did not understand that managed services was about transferring and managing risk. We all said, “We’re going to install these tools and we’ll know the system is down before you do.” We also said, “We will charge a flat fee to monitor the system, but if it has a problem, we’ll bill you time and materials to fix it.” At that time, we weren’t taking on any of the risk.

In many ways, this is where most of us are with cybersecurity right now.

Around 2002, we began to accept risk transfer and offered fixed-fee monitoring and “Unlimited Remote Support” agreements that excluded all on-site work as well as Install, Move, Add, and Change (IMAC). We said, “We’ll try to fix things remotely, but if we have to come on-site, we’re going to bill you!” We discovered that our clients had better things to do with their time than take advantage of our “unlimited” offer, and we became more comfortable leveraging our RMM tools to mitigate the risk.

Around 2005, we began to accept even more risk and extended our offerings to include “Unlimited On-site,” but it was only to support the existing system. We said, “We’ll support the existing system; remote if we can, on-site if needed, but if it’s IMAC, we’re going to bill you!” Again, we were becoming more comfortable with our processes, tools, and standardization, and we got more comfortable with accepting and managing risk.

Currently, most of us have figured out how to bill for and transfer most of the risk, including monitoring, remote, on-site, and IMAC. In most cases, HaaS and SaaS are also included in our fixed-fee offerings.

When it comes to cybersecurity, most of us are still saying we have fixed-fee IT services, EXCEPT for cybersecurity. We’re doing this because we have not yet learned how to leverage security tools, technology, and standardization to mitigate the risk (that we really don’t even understand). We confuse the issue by including some pieces such as a firewall, endpoint security, and email filtering. Still, there is also a whole set of security offerings that we are NOT including, YET!

Thinking about your own journey to becoming comfortable with accepting risk for a flat fee but mitigating that risk by leveraging tools, technology, and standardization, where are you? 

It is probably not a great idea to accept the risk of managing your clients’ security if you have not yet created your solution stack around processes, tools, technology, and standardization. It is, however, essential to get started.

Time is running out. Having your security offering baked in is quickly becoming a “permission-to-play” requirement.

Beware—security can be very technical, but it is not a “technical” sale. Therefore, it is crucial to involve finance, marketing, sales, and the service executive when defining your offering, and it must be standardized to be scalable.

This year I wrote about the 2021 Scalability Challenge, which outlines ten business challenges you will need to overcome to position yourself for scalability.

  1. Leadership: You will need collaboration from your engineering team to define what the product can do, management to productize your offering against a cybersecurity framework, and marketing to craft the message for clients and prospects.
  2. Strategy and Culture: You will need to align your strategic and tactical goals with creating a security-first culture in your employees and clients.
  3. Acting with Urgency: Your team will need to “get it done.” This usually means increased meeting rhythms and accountability.
  4. Revenue Generation: Double down your commitment to marketing and sales.
  5. Directed Communication: Fast growth can quickly drown people with unnecessary information. Be sure all communication is directed only to those who need it.
  6. Financial Literacy: Scaling requires literacy at all company levels, from senior leadership to managers and individual team members.
  7. Process Improvement: Scalability depends on process automation, standardization, and compliance. Commit to excellence and continual process improvement. Embrace the fact that processes will need to be re-architected and implemented to operate at the next level before you can grow.
  8. Working with Data: KPIs become increasingly important. Develop skills around querying data, filtering, slicing, dicing, and studying results.
  9. Simplify to Multiply: You must cut out all the complexity that you possibly can. Complex pricing or processes only contribute to confusion for service delivery, admin, and most importantly, clients.
  10. Standardization: Your offering, solution stack, core processes, company brand, and staff training will all need to be defined and leveraged in the way you do business.

It is time to get serious about building and scaling your security offering. I suggest you assemble your team (engineering, leadership, marketing, and sales) and get yourself positioned to win.