There’s no question that the practice of managing security inside a business has become a bit hard to handle. From the constantly evolving threat landscape to the number of technologies needed for protecting networks, devices and applications, it’s no wonder that hackers are finding their way inside the largest of companies with sizable IT departments.
Determining what exactly customers want and need in terms of security is a tough job for both MSSPs and MSPs seeking to add security services to their offerings. The size of the end customer makes some difference in offerings, but across the board, companies are looking for expertise. They need partners to succinctly explain and monitor the threat landscape, assess their vulnerabilities and advise on how to implement and manage security technologies. Some companies want 24 x 7 monitoring, troubleshooting and remediation as well. MSPs should look beyond individual point solutions to the higher level strategy befitting each customer.
There are ample opportunities for firms to generate recurring revenue by offering customers much-needed help on security. MSPs can help reduce complexity for their clients by not only managing the security components more effectively, but also through consolidating redundant technologies and/or replacing older point solutions with more comprehensive SaaS ones.
Yet service providers must navigate a few hurdles to be successful, as follows:
1. Figuring out the economics
Delivering security services to clients means having deep expertise on the latest security technologies and how to implement and manage them optimally in each environment. This know-how doesn’t come off the trees, of course. We all know the market value of an experienced security architect. Yet IT departments remain cautious in spending; execs still resist paying top dollar for something which is now a mainstream business requirement. MSSPs must strike a balance here. The aim is to deliver a solution which is thorough and customer-oriented, but isn’t painful for resellers and end clients to implement. Providing a menu of options aligned with different segments of clients based on risk or need is one approach: consider the familiar Bronze, Silver, and Gold classifications. Another approach is to provide à la carte items that a customer can bundle together into their own customized packages. Flexibility is the idea.
2. Educating the market
The notion of managed security services is still fairly new in IT. Clients may not know what they need or why nor understand the value a partner can bring to the table; it’s the job of the MSP/MSSP to educate them as objectively as possible. Many organizations (MSSPs included) have a combination of traditional, cloud and customized security solutions in place. The MSSP should begin by offering security health assessments to clients, informing them of existing gaps and predicted needs. MSSPs should also work to help their clients understand that managed security is not just a matter of merely deploying a few technologies but developing and refining best practices to reduce the overall risk profile.
3. The staffing conundrum
Evaluating, integrating and streamlining a client’s security technology portfolio is a complex endeavor. MSPs adding security services and MSSPs wanting to grow their offerings will need to hire or outsource for new skills. This is not getting any easier. On the technical side, security architects and engineers should be able to architect, design and evaluate a comprehensive security solution for customers. That skill set is more important for in-house staff than having expertise on specific vendor solutions. Finding technical people with security chops requires some ingenuity in this tight labor market. Service providers must be willing to hire somebody with a less-than-perfect resume but a demonstrated ability and desire to learn. When hiring salespeople, look for individuals who possess an understanding of selling security as a service, not a piece of hardware. There will be times, of course, when the MSSP should forgo hiring and work with a partner instead. This makes sense when the needed skills and experiences are not discoverable in the desired timeframe – or are too expensive. MSSP staffs can also help themselves through accessing the growing array of online forums and knowledge bases to learn about emerging threats and techniques.
4. To specialize or not
MSSPs have some decision to make: strive to be a generalist or a niche provider? Target smaller or larger businesses and partners? Given the sophistication of security today, it’s impossible to be everything to everyone yet customers also don’t want to work with several providers. For generalists, considerations include the firm’s ability and willingness to work effectively with partners to orchestrate a comprehensive solution for customers. Service providers that prefer to go after a hot niche, such as real-time monitoring, will need to get clear on the investments required to excel in that service and whether enough demand exists to be profitable. These decisions can make or break a business. An IT channel consultant could be a wise investment to help MSPs and MSSPs devise the best strategy for growth in their specific marketplace.