COULD THERE BE A BETTER PLACE to be in IT right now than the intersection of managed services and security?
Indeed, while sales of security hardware, software, and services will climb at a 9.4% compound annual growth rate through 2023 to $151.2 billion, according to IDC, sales of managed security services will grow at an even better 13.9% CAGR during that same period from a base of $21 billion last year.
The margins on managed security, which can easily top 65%, are pretty good too. “”It’s incredibly lucrative,”” says Angela Hogaboom, CEO of Ocular, a solution provider with specialized security and compliance expertise in Denver.
Ready to get in on that? Be prepared, experts say. You may be an MSP and you may offer security services, but that doesn’t necessarily mean you’re in the managed security business.
Providing Confidence
Definitions vary, but most channel pros with experience in the field agree that a true managed security offering is a multilayered package of sophisticated, subscription-priced services that combine to help client assess their needs, protect their data, detect attacks, and respond to breaches. Steep profits aren’t the only payoff, either.
“”Even more important to me, coming from the MSP space, is the stickiness that you get with your clients,”” says Scott Beck, CEO of BeckTek, an MSP and advanced security provider in Riverview, New Brunswick. “”When you get those solutions in, and they get used to it and you get their staff trained around it, you become almost irreplaceable.””
Most providers sell managed security plans separately from their core managed IT service bundles. Many let customers choose from a menu of basic, intermediate, and advanced tiers.
Included in those options, typically, is a mix of behavior-based endpoint protection software, next-generation firewalls, spam and DNS filtering solutions, email and network security protection, an endpoint detection and response system, two-factor authentication, BDR, and a dark web monitoring service that alerts you when a client’s credentials have been stolen. Vulnerability assessments that identify gaps in a customer’s defenses, security awareness training that teaches end users to recognize phishing scams, and cyber-insurance policies that lessen the financial impact of successful attacks usually factor into the package as well.
So do remote monitoring and support from a professionally staffed security operations center (SOC). Building a SOC can cost millions, however, and staffing one with experienced analysts is expensive. As a result, most managed security providers partner with an outsourced SOC vendor. That’s something Joshua Liberman, president of Albuquerque, N.M.-based MSP and system builder Net Sciences, would do even if it wasn’t more cost-effective.
“”I just don’t see, even if the money was there to do it, that it provides me significant benefits over dealing with people who are truly expert [and] who can analyze millions of data points when we can only analyze thousands,”” he says of operating his own SOC.
Successful managed security providers apply that thinking beyond just the SOC. “”If you need to Google how to do something, a pretty good general rule of thumb is that maybe you should consider outsourcing it,”” Hogaboom says. Your margins will dip some, but your clients will be safer, and therefore happier with you.
“”Having trusted partners who can provide those services, with you acting as an intermediary, actually is very helpful with providing that sort of confidence to your clients that you have people who are being proactive,”” Hogaboom notes.
Playing Quarterback
Hogaboom and others, however, caution against outsourcing absolutely every security function you perform. If all you’re doing is passing along someone else’s services, you’re not adding much value of your own, and if you’re not adding value of your own, you’re vulnerable to losing customers to competitors with greater skills or cheaper rates. Any task that involves face-to-face contact in particular, Hogaboom advises, should come straight from you.
Another word of advice from managed security veterans: Don’t promise more than you can deliver. No one can provide perfect protection, so no one should say they will. Tell your clients that you will reduce their exposure to threats and decrease the impact of any attacks that get through.
“”You just have to be aware that you’re playing a higher-stakes game,”” notes Liberman.
To further protect your hand in that game, many managed security pros counsel, resist the temptation to white-label your security bundles. Honesty is usually the best policy when it comes to crediting your technology partners, unless you don’t mind taking all the blame when one of those vendors makes a mistake. Rather than exaggerate your capabilities, tell your customers that you’re the quarterback of a carefully assembled team of the industry’s most elite cybersecurity service providers.
Eating your own dogfood, as the saying goes, is a good first step in launching a managed security practice. MSPs are under constant attack these days from cyberthieves hungry for end-user credentials and other data in RMM and PSA systems. You can simultaneously protect yourself from that threat and familiarize yourself with the security products you’ll be selling by deploying them at your own company first.
Consider becoming SOC 2 certified as well. Complying with the SOC 2 data management standard, and completing a third-party SOC 2 audit, will not only help you serve customers better but also give you a leg up over competitors when pursuing new clients. Better yet, SOC 2-compliant MSPs can charge more.
Last but not least, do exactly what you should be telling your customers to do, and for the same reason: Buy a good cyber-insurance policy to shield yourself from potentially devastating expenses should your systems be compromised. The return on that and other investments will be worth it, according to Hogaboom.
“”No two clients are the same and no product set is the same, and the solution is customized every time,”” she says of managed security. “”There’s always something to offer.””