Building A Next-Gen Managed Security Practice
By Scott Barlow, Vice President, Global MSP, Sophos
Managed Service Providers (MSPs) have long served as their customers’ IT security experts. Small- and medium-sized businesses typically do not have the IT expertise or resources in-house, and so rely on their MSPs to provide the high level of IT support they could not create on their own. As the security landscape evolves and becomes more complex, MSPs also find themselves managing multiple vendors for different product areas, from endpoint security, email, disk encryption, network and mobile security, and wireless capabilities. It’s a time-consuming process that complicates billing and cash flow issues, but also provides MSPs with new opportunities to grow their businesses and even transition from being their customers’ IT reseller to their virtual CIOs. This requires cooperation on the parts of both the MSP and its vendor partners. The next-gen MSP must align its security strategy with vendors and demand that vendors become more integrated into its vendor ecosystem. This includes developing and providing a centralized management dashboard and other tools the MSP need to differentiate themselves from competitors and improve its customers’ security postures.
The evolving security landscape
Advancements in hardware, software and user needs continue to alter the workflow and IT security landscape. Security has become all the more complex, and so too has the knowledge-base MSPs must have at their disposal. Small businesses are enthusiastic adopters of cloud- and web-based resources. For the MSP, this means its clients are no longer tied to one machine, one server, one location, and the corresponding IT security needs of those clients have increased accordingly.
Meanwhile, those same business owners, and their employees, increase the security risk to their systems and information stores by decoupling from the physical office and taking their work home and on the road. They expect to be able to access all applications and data anytime, anywhere, while the IT Security budget has remained the same, or decreased over time. This requires MSPs to protect not just desktop computers, but laptops, smartphones, tablets and other mobile devices as they move from one location to another, and do it with a limited budget.
Simultaneously, the bad guys are also evolving to become more sophisticated and insidious. It’s no longer about stealing a hard drive to smash and grab the data from the disk. Hackers and thieves use more subtle techniques like phishing schemes and crimeware to get their hands on important data, or locking users out of their files with ransomware, forcing an organization to pay a fee to regain access to their data.
Business complexities
It’s a vast understatement to call what MSPs face in order to operate successfully in this new and far more complex environment “challenging.” The numerous vendors and products MSPs need to provide to cover the full range of services required has never been an easy burden to bear, but in today’s fast- paced environment, managing these vendors has become a costly time-sink. MSPs work within a finite budget, and need to determine where their budgets are best spent.
There’s also been a shift to a subscription model for MSP services, transitioning away from long-term contracts (which used to be the norm), a change in client needs MSPs have had to adjust to in the next-gen era. This shift impacts the vendor as well, as most vendor services are perpetual licenses rather than monthly, preventing MSPs from managing their billing processes consistently. This change impacts cash flow for an MSP and vendor alike.
Become a Next-Gen MSP
So what does an MSP need to do to not just survive, but thrive? The key is to differentiate the solutions and services from those the competitors offer. Clients entrust the security of their greatest assets—their data—to the MSP. A successful MSP, therefore, should be able to provide the high-level and user-level guidance the client needs, acting as the single resource for answers, software, hardware, and more. This is where relationships with security solutions vendors can help an MSP evolve into a virtual CIO in the eyes of its clients.
MSPs must make monitoring for and mitigating security threats more efficient and effective. This requires offering a centralized management platform that integrates all security components within a customer environment into one dashboard for monitoring systems and users, receiving alerts and initiating actions.
This requires MSPs to insist that vendors provide more comprehensive, holistic offerings. Yet many vendors don’t have partner or MSP programs, so trying to manage multiple security vendors creates tremendous overhead to learn about the solutions, appropriate certifications, etc. It’s as much a vendor management program as it is a solutions management one.
The days of managing multiple point solutions that operate in their own silos are over. Yes, it’s possible to manage disparate security products from different security vendors with a single dashboard. But if these stand-alone products cannot “talk” to each other, the dashboard becomes a mess of isolated alerts and status updates.
The goal is to show all perspectives of a customer’s user base at a glance so that the MSP and its primary client contact can identify a potential problem and immediately take steps to mitigate the threat. That’s how an MSP elevates its status from trusted IT security advisor to virtual CIO that can have a direct impact on growing the business by helping to drive revenue growth and protecting a brand’s reputation.
Become a difference-maker
Separating yourself from the pack of your competitors requires you to become a differentiator in four key areas:
- Service: Meet the modern client’s needs by being constantly available, wherever they are—and wherever you are—through a SaaS-based management console. The right tools will give you the flexibility to match your clients’ mobility. Next-gen MSPs must align their security strategy with vendors. Vendors, meanwhile, need to become more integrated into the MSP vendor ecosystem, developing and providing tools MSPs use to run their business (PSA) and remotely monitor and manage (RMM) for their customers.
- Security: Ensure your tools provide top of the line security and protection. Your customers are able to offer secure, uninterrupted service for their users because you’ve got them covered against outside threats. By finding and working with the right vendors—and by providing them with the education they need to make best use of the tools you provide them—an MSP can be the first and last line of defense against cyber threats.
- Efficiency: Don’t get bogged down. You can minimize the number of vendor partnerships you’re engaged in to speed up and streamline your vendor management, and improve your own efficiency by scaling back on the number of unique tools you’re using to meet your clients’ needs. Finding the right aggregate partner—or better yet, work with a vendor who owns all the technology you’ll license through them, which can be a much more efficient option than a “marketplace” or aggregator—can integrate a successful MSP’s services, removing much of the manual work MSPs spend updating and managing security services.
Also, find a better way to manage your licenses. By using a billing and licensing option where you can distribute licenses across multiple clients in a more flexible manner—like an aggregate monthly billing option—you’ll speed up the services you offer and be ready to evolve and meet the needs of your clients if those needs grow (or shrink) unexpectedly.
- Financial: The old paradigm of annual contracts for vendor services is no longer efficient in the rapidly changing world of next-gen MSPs. If you bill your clients monthly, you should be able to pay your own bills monthly. It just makes sense. And one note on aggregation services: working vendor to vendor, MSPs often pay for licenses based on devices for each service—so the same user is being charged for their smartphone, laptop, tablet, or more. With the right vendor who understands the MSP model, the MSP can instead pay for the cumulative number of services instead on a user basis, providing far more flexibility and mobility in adapting to your client needs regardless of the number of devices a user owns.
It’s important to try to match the way you sell security services to the way each customer buys products. You need to determine if a customer responds better to gain or pain (i.e., reacting to a security incident). The first group will be proactive and make security purchases before a breach or other security incident occurs. The latter is more reactive – they need a problem to occur, or see evidence of a similar incident in their region with a company in their particular industries. If you know which group a current or prospective customer falls into before making a presentation, you will be able to provide examples of security incidents or breaches that will resonate with them. This will help you convey the financial and public relations impact of such a breach or ransomware attack. More often than not, the solution to ransomware is a lot less than the bounty to be paid to “unlock” the encrypted files.
One final recommendation: Embrace the role of teacher. While attackers are more sophisticated and difficult to detect, they also continue to find success in using some tried-and-true tactics to trick users into granting access to systems and sensitive data. According to the 2016 Verizon Data Breach Investigations Report (DBIR), legitimate user credentials were used in most 2015 data breaches. Sixty-three percent of attackers took advantage of weak, default or stolen passwords. This presents MSPs with the opportunity to develop and lead the effort to educate users on best security practices, as well as dismiss the misperception that attackers don’t target small businesses. Massive data breaches against large multinational companies and national political parties make the headlines, but attackers do not discriminate.