Mastering The Art Of Selling Security-as-a-Service

For the longest of time, demand for managed security services has been stubbornly limited. A recent survey conducted by Spiceworks finds that only 12 percent of IT budgets are allocated to managed services. The primary reason for this is that security and compliance are all too often viewed as a tactical investment limited to deploying a firewall and installing anti-virus software on a desktop or notebook PC running Windows.

But the way organizations approach security is changing. Not only is the volume of attacks they must defend against increasing, so too is the sophistication of those attacks. Organizations of all sizes find themselves under siege from everything from zero-day attacks that appear with little to no warning to ransomware schemes that trick gullible end users into encrypting large amounts of data the organization can’t do without. More challenging still, the attack surface that needs to be defended keeps expanding thanks to the rise of both mobile and cloud computing.

The security and compliance opportunity for MSPs falls into four broad categories. Almost every MSP is expected to be able to provide firewalls, spam and content filtering, intrusion detection, and antivirus services. While demand for those services is high, competition at the level of security services is increasing. MSPs that want to ensure higher profit margins need to focus on providing additional security services, including vulnerability assessments, encryption management, two-factor authentication, and training programs to further end-user security education. At the highest end of the security services space there are emerging opportunities ranging from analytics for identifying anomalies in real time to outsourced security operations centers. In the latter case, the MSP manages everything from detection to response on a 24/7, end-to-end basis. Finally, organizations of all sizes need to make sure compliance mandates are not being violated. Rather than treating compliance as an event, compliance today needs to be managed as a continuous process.

IT security and compliance are always going to be a means to a larger end. These days, however, managed service providers that want to stay relevant to their customers in the age of digital business will need to provide access to extensive IT security and compliance expertise one way or another.