Building your managed security practice

Posted: 03/23/2020 | By: Wayne R. Selk, CDPSE

Building a managed security practice is not something to take lightly. Cyberthreats are getting worse, and you and your clients are high targets on cybercriminals’ radars. Attackers have a lot to gain, and you have a lot to lose.

If you are early in the building process, it can be very overwhelming trying to decide where to start, what to consider, and how to even approach your clients about security. With the right information, you can set up your technology solution provider (TSP) business to offer cybersecurity and offer it correctly to add value to your clients. And it’s particularly important to vet the tools, policies, and processes in your organization first, to make sure your own security posture is sound. Let’s review what you need to know to build your managed security services and practice.

Understanding, identifying, and managing risk

One thing to know about cybersecurity is that it’s not a problem that can be solved with one action or a single tool. As you start to build your managed security services, you must first understand that cybersecurity is about managing risk. So, while you offer tools and solutions to resolve issues and to fight threats, you will need to ensure the money spent for point products matches actual business needs by lowering risk for the organization. The best approach is to turn the conversation from a technology conversation into a business conversation. As a business owner yourself, you manage risk every day.

To manage risk, you have to understand risk—both what it is and how it plays in your overall security conversations and offerings. According to the National Institute of Standards and Technology (NIST), risk is a measure of the extent to which a potential circumstance or event threatens an entity. The greater the risk, the more potential it has to cause harm to an organization. Understanding your risk, the client’s risk, and how the client risk impacts your business is vitally important. To understand your risk, you first need to identify the risk within your organization.

The best way to identify risks is to perform routine and comprehensive risk assessments. The initial risk assessment will establish a baseline from which to work, and each assessment that follows will show the progress being made toward improving your client’s overall risk posture. With a methodical examination and understanding of risk, you can pinpoint exactly what you can do to shore up gaps and keep threats at bay. So, what do you use to perform these incredible risk assessments?

3 cybersecurity frameworks to know

Knowing what risks to look for and the proper actions to take to remediate them can be overwhelming, even for a larger service provider. Luckily, government agencies around the world have developed frameworks for cybersecurity professionals designed to identify and close security gaps. There are three particular frameworks we want to highlight.

1. The NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework was developed by private industry experts and members of NIST, a federal agency within the United States Department of Commerce. Using existing standards, guidelines, and practices, the NIST Cybersecurity Framework centers around five core functions: Identify, Protect, Detect, Respond, and Recover. These categories span all aspects of cybersecurity, making it a very comprehensive, risk-based approach to securing almost any organization.

2. United Kingdom’s Cyber Essentials

The United Kingdom launched Cyber Essentials in 2014 as a set of basic technical controls to help organizations protect themselves and their clients against a variety of cybersecurity threats. Cyber Essentials consists of five technical controls: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. Organizations that follow them can gain one of two Cyber Essentials badges that demonstrate compliance to potential clients and can qualify them for incentives from insurance organizations.

3. Australia’s Essential Eight

The Australian Cyber Security Centre put together a starter list of mitigation strategies organizations can use to improve their cyber resilience. Knowing that no single strategy can protect an organization from a cybersecurity incident, the Centre pinpointed eight essential strategies known as the Essential Eight. Implementing the Essential Eight helps organizations build a strong cybersecurity posture, saving time, money, and effort when they need to respond to a cybersecurity incident.

No one framework is better than the other, and each has its pros and cons. The important thing to note is that whichever framework you choose, it can help structure your offering.

Operationalizing managed security services: the 3 security routes

Where you are on your cybersecurity journey dictates how and when you offer managed security services. There are three routes a TSP can take to offer security: build, buy, or partner. What works for one TSP might not work for another, and learning about each approach will help you decide which one works best for your business. Let’s go over each approach:

1. Build

Building your security services is exactly as it sounds. You invest both time and money to create and manage your security services. This approach gives you the most control over products and opportunities, but also takes a lot of time and money to get it up and running. One of the greatest challenges to building your security offerings is hiring techs with the right experience. The skills gap in cybersecurity grows larger every day, and the unemployment rate for cybersecurity professionals is nearly 0%. Finding qualified professionals is hard; keeping them is even harder; and when you do, they typically command larger salaries that are often more than many TSPs can afford.

2. Buy

Depending on the size of your TSP, you may look at the costs of building your security services and decide it’s easier to purchase a cybersecurity-focused organization. This approach requires less time to get started because the security staff comes with the acquisition, but the costs could end up eclipsing what it would take to build your offerings. The merger and acquisition market is hot, and it’s a seller’s market. Sellers don’t have to take the first offer put in front of them and will do what they can to get the most out of the hard work it took to build their organization.

3. Partner

Partnering for cybersecurity is a good middle ground for a service provider that cannot enter the market alone and does not have the resources to acquire another company. By offering complementary solutions or services, the partnering companies fill gaps the TSP cannot invest in or does not have the knowledge to offer on its own. Partnering is the fastest way to market and provides the lowest cost of entry, but it also offers the least control. Each company remains its own entity and does not have the power to dictate what products the other company uses or how it operates.

Having the cybersecurity conversation

Talking with your clients and prospects about cybersecurity may not be the most comfortable conversation, especially if you are not currently in the business of offering security services. Still, it is the conversation you need to have. How you approach it will determine how receptive your clients are to what you have to share.

Like anything cybersecurity-related, your conversations need to begin by talking about risk. Unlike a technology discussion, risk is more of a business discussion. Your client’s budget owner often has a hard time understanding why they need more technology, which leaves the technologist struggling to obtain the budget they need, when they need it. By basing the conversation on the risk to the business rather than on the technology, budget owners can better understand the security gaps and be more open to resolving them.

Performing an initial risk assessment will allow you to present to your clients their existing security gaps and what you can do to help remediate them. With this information, you will be in a prime position to prioritize risk, focus your efforts, increase revenue, and reduce your liability, all while helping your clients focus their budget spend into areas they immediately need rather than on tools and solutions they may not currently need.

Once all risk is identified, you have had the conversation, and you have an agreed upon action plan, you can move on to processes and practices to better keep your clients secure.

Selling security

You understand risk, you have started talking about cybersecurity to your clients, and you have figured out how to offer your security services. All that remains is to start selling your cybersecurity offerings. This is a difficult part for a lot of TSPs. Just like talking about cybersecurity, you must approach selling it the right way. Fortunately, if you are having the right conversation around risk, this becomes a much easier conversation with your clients.

The biggest challenge many TSPs face is client objection. Your clients often already assume you are covering their security needs within their current agreements. Therefore, it is extremely important to switch to a business impact discussion and become a trusted advisor. Share with and teach your clients how many security tactics of the past, even those only a year or so old, are now outdated, and how modern cybercriminals continue to evolve their attacks.

Demonstrate that the security services you’ll provide as part of your new offerings will help mitigate their risk, and that the price they pay for protection could be less than the cost of recovering and cleaning up after a cyberattack. Set up time with one of our security advisors to see a dark web scan in action and learn how you can perform these for your own clients.

TSPs, like you, need to lead by example. Show clients you are serious about security by protecting your house with the same processes and practices you plan to sell to your clients. If they see you trust the process and solutions enough to use them in your business, then they’ll be more inclined to take your security messaging seriously and see you as an expert and trusted advisor.

What to do next

Now that you have all this information, it’s time to start putting it into practice. Before anything else, it is important to follow the principle we like to call ‘protecting your house.’ This means you’re putting security practices and policies in place inside your organization in order to better protect your clients. TSPs are one of the top targets of cybercriminals since you hold the keys to your clients’ environments through your remote monitoring and management (RMM) and remote access tools. Protecting your clients begins with protecting yourself. There are many critical, yet overlooked, ways to improve your cybersecurity today that can pay dividends in the future.