MSSPs (managed security service providers) are in the right place at the right time -- where market acceptance, awareness and customer demand have converged.
Still, the prospect of profits and monthly recurring revenue (MRR) can create haste, and with haste comes an increased risk of mistakes. With that reality in mind, here are five common business mistakes that MSSPs must avoid.
1. Selling A Product, Not A Service
This is the most prevalent hindrance AlienVault witnesses in the market. We often encounter MSSPs pitch their vendor relationships, or highlight some new wiz-bang product feature.
But technology is cool! It sells! Sure it sells a product, but you don't sell products -- true MSSPs sell services.
Let's say the water starts leaking in your house. Do you run to the Internet and google "why is my water leaking?" no - you google "plumbers near me." You call an expert and they say: "Yes, I am qualified to fix that problem!" They don't say "Well I just bought this cool new wrench it has fifteen adjustments, do you want me to use it?"
Customers want a service, or more accurately, they want assurance. Assurance they are protected from the latest threats to their infrastructure so they can focus on their business. Technology changes, products come and go -- but expertise is constant. Commitment to expertise is the foundation of any service. Sell yourself and that commitment; let the vendors sell products.
2. Waiting For The Right Customer Or Just Waiting...
Waiting for the "right" customer is a mistake. What would the right customer be? Let's see: Pays you a lot; never has alerts; comes direct to you; never complains.....even without sarcasm you know this "right" customer is a fairy tale.
There most assuredly are "wrong" customers for a growing business, but refinement of that choice comes from experience, something waiting doesn't provide.
We also encounter MSSPs waiting for their platform to be stable or for marketing materials to be created, almost treating these things like a serial process with one contingent on another. Waiting on sales? Beta test with someone, dog food your service, start automating things; you don't need two keys to launch the missile here.
3. Not Automating
Those that work with AlienVault know about the merits and wonders of automation. We have a rule "Do it Twice and Never Again." Why such intolerance to repetition? Scale. How do MSSPs generate profit and increase margins? Scale. How do you grow your business and expand? Scale. Automation, especially process automation, is a key element to an MSSP’s ability to scale. The more you keep security researchers researching and analysts analyzing the more customers they can help.
4. Not Creating Standard Offers Or Straying From Them
Standardization is one of the pillars of scalability; we can go back to interchangeable parts, assembly lines, Internet protocols, languages for an analogy but I'd rather discuss the alternative to Standard Offers. Often referred to in the biz as "custom offers"' (if you didn't cringe when you read that, you might not be in the MSSP business). Custom offers are a total nightmare in terms of technology, licensing, staffing, billing, revenue forecasting ... well the entire business actually. Reducing variability makes an offer easy to repeat and deliver. When it comes to offer creation, just remember Keep It Simple and Standard.
5. The Right Staff
I'm not referring to finding quality people (always do this) and the usual motivational talk banality, but about getting the right specialties in the door at the right time. Information Security has expanded so wide that the idea of the "generalist" is almost extinct; there just won't be the "one" who can run an entire Security Operations Center (SOC), conduct research, do turn-ups, automate, etc...
Therefore you must break out the functions of your MSSP and find experts for each specialty. In addition to “who” there is also “when.” Knowing when to scale staff and when to hire for new skills is certainly a challenge, but often exuberance can cause businesses to hire too early or stubbornness will cause them to hire only after a problem becomes untenable. We'd love nothing more than to share a formula with you on when to hire X for Y at Z, but businesses are dynamic and unique which is a euphemism for "you're on your own with that."
It’s often said that making mistakes is part of making progress, but it’s also said those who don’t learn from history will repeat it. Remember to focus on your service, keep it standard and look at everything from a scalability perspective.