How should MSSPs and MSPs price their managed security services? The answer to that question is tricky since so many variables are involved. Still, there are some general steps MSSPs and MSPs can take to develop and set their cybersecurity prices.
We started by speaking with Charles Hansen, author of the MSSP Playbook and owner of Nashville Computer. He shared managed services pricing and packaging guidance during our MSSP Alert webcast today. For additional guidance, we reached out to roughly a dozen of the Top 250 MSSPs, along with MSP industry veterans who have successfully navigated the managed security services market.
We asked those experts two key questions:
- The bad: What was the top cybersecurity pricing or packaging mistake you made in your career, or the top pricing/packing mistake that security-minded MSPs typically make?
- The good: What was the smartest cybersecurity pricing or packaging move you have made or seen security-minded MSPs make?
Below is a sampling of their replies, sorted alphabetically by company name.
MSSP and MSP Security Pricing Advice
Who: Lloyd Wolf, Achieve Business Services
Expertise: Entrepreneurial Operating System (EOS) Implementor. Former MSP owner who launched, built and sold IT services business (Wolf Consulting) to Evergreen Services Group.
- Pricing Mistake to Avoid: MSPs often "eat the cost of a lot of additional security tools, because they were afraid or uncomfortable having conversations with their clients about charging more money."
- Another Pricing Mistake to Avoid: "Not offering an advanced security package with new/additional security options, not having a discussion with each client about the new threats and how the basic protections (firewall, A/V, spam filtering) are no longer sufficient, and not either selling them the advanced security package or getting signature on a written waiver saying they’ll assume the risk."
- Smart Pricing Move: "Minimize ale carte additional security choices and offering a single advanced security.
Who: Justin Kallhoff, chief cybersecurity officer, Ascend Technologies
Expertise: Built Top 250 MSSP (Infogressive), which Ascend Technologies acquired in July 2020.
- Pricing Mistake to Avoid: "Failing to bundle and productize your services."
- Smart Pricing Move: "Naturally, bundling and productizing our services."
Who: Corey Kerns, general manager, Collabrance
Expertise: Master MSSP and Top 250 MSSP owned by Great America Financial Services, which offers various IT and financial services to channel partners.
- Pricing Mistake to Avoid: "The mistake we have made and many MSPs have made/currently making is creating security bundle that encompassing what WE think is appropriate for our customers and the result is that it doesn’t necessary fit the needs / budget of every customer."
- Smartest Pricing Move: "Capturing feedback from customers and prospects around security needs while balancing standardization to be able to offer a suite of services that are tailored towards verticals or common business procedures. You won’t be able to do everything for everyone but you can help the customer understand that risk mitigation goes hand in hand with the level of investment."
Who: Stephen Jones, senior director of cyber security, Dataprise;
Expertise: Top 100 Vertical Market MSP, Top 250 MSSP. Backed by private equity.
- Pricing Mistake to Avoid: "MSPs are generally unprincipled when it comes to resisting discounting to close a deal. Undermining your margins creates downstream consequences in resourcing and upstream consequences in reduced revenue which affects future investment into the business."
- Another Pricing Mistake to Avoid: "MSPs typically offer too many tiers/packages and options within the tiers creating an untenable number of service permutations. This usually creates nebulous differences between the tiers and too many package variations to provide consistent and repeatable service delivery."
- My Personal Pricing Mistake: "The biggest pricing mistake I've made in my career was creating an "unlimited" support package. Using the 80/20 rule, most customers didn't abuse the unlimited support, but a select few did. This quickly became a loss leader as the services we were providing swallowed up all of the profit in the deals. We should have followed the old adage of never saying always, never, or unlimited. "
- Smartest Industry Pricing Move: "Offering all inclusive packages that don't nickel and dime the customer for premium features."
- Smartest Personal Pricing Move: "The smartest pricing/packaging move I've ever come up with myself, is the concept of a "vanishing premium". Like the infamous car insurance commercial, this is a pricing tactic that predictably lowers a customer's annual service costs by fixed percentage steps each concurrent year they remain a customer and meet a small set of attainable objectives. I've designed this to promote proactivity in customers to achieve or maintain specific security maturity goals which have a dual effect of increasing their security posture while reducing the attack surface and effort on us as an MSP. Additionally as an MSP this incentivizes me to automate and become more efficient each year so that my margins either remain the same or increase while the customers annual subscription costs predictably decrease to a set floor. This pricing mechanism relays to the customer that we as the MSP have skin in the game as do they which has been positively received as not only novel but intriguing to potential customers."
Who: Eric Foster, Fistech CYDERES
Expertise: Channel and MSP expert; Top 250 MSSP
- Pricing Mistake to Avoid: "The top pricing mistake I see from MSP and MSSPs is providing aggressively low pricing to bad fit customers. I understand how painful the early days of building a new MSP or MSSP can be, and the temptation that any revenue is good revenue, but the reality is that there are absolutely bad customers -- such as customers that want something that you're not, or customers who are abusive to your team, or customers who want something bespoke and highly customized but aren't willing to pay the price. All revenue is not good revenue. You have to know who you are and who you are not - what products and services you excel at and what you truly can't do well - and be willing to walk from a prospect that's a bad fit -- or be willing to adjust the price upwards to make a custom request truly worth it. Too many MSP's and MSSP's will get too aggressive to get a deal in, have a bad product-market fit with that client, creating expectations your team can't effectively fill, and ultimately leading to dissatisfaction on every side of the transaction. You also have to be willing to fire a bad customer. For example, you can't be afraid to walk away from someone who is a drain on your resources in significant excess to their economic value as a partner, or who is abusive to your team, or who wants something you can't deliver."
- Smartest Pricing Move: "It's rare in our industry to see truly disruptive pricing models, but one of the biggest we've seen has been Google Chronicle coming into the SIEM game and disrupting the pricing model for traditional event-per-second or volume based pricing, and going to a fixed, predictable per-employee price. Because Google Chronicle is our biggest partner, we aligned our service pricing to that model, and it's been one of the smartest pricing moves we've made. Customers want predictable pricing and moving to something that's directly aligned to the size of the company and very predictable in terms of growth, or merger and acquisition, has been really well regarded in the market."
Who: Kevin Blake, president, ICS
Expertise: Built private equity-backed MSP with major footprint in New York; active MSP acquirer.
- Pricing & Packaging Mistake to Avoid: "Thinking a tool or set of tools solves the cybersecurity question. Not focusing on Risk first. Thinking a guided SAQ is a Risk Assessment."
- Smartest Pricing & Packaging Move: "Marrying/incorporating multiple methods for information gathering: Tools and automation, attestation, and manual review (control verification).
Who: Lynn Souza, CEO, Kyber Security
Expertise: Entrepreneur and founder of Top 250 MSSP; fully transformed from MSP business.
- Pricing Mistake to Avoid: "We started with large bundled packages that for many SMBs were difficult to achieve as they had never spent on cyber security before. On the one hand, we don't believe that cyber security services should be approached with a “menu” mindset allowing organizations to pick and choose only an extra item or two allowing them to “check a box” and not actually achieve a reasonable level of security. But on the other hand, going for the platinum package was out of reach for many -- which prevented them from moving towards a more secure environment right away and forced them to wait until their budget allowed them to achieve the full protections that they wanted."
- Smartest Pricing Move: "We have developed several cyber security packages with offerings that work in concert with each other allowing organizations to move with purpose towards developing a culture of cyber security in their organizations. These start with a basic “Security Starter” package which gets employees trained quickly and regularly as well as provides a vehicle for assessing where an organization is within their cyber security journey and the right information to plan for their future cyber security investments. Packages grow from there with offerings bundled towards specific compliances and efforts towards making their organizations completely KyberSecure. We believe this methodology will allow cyber security to become part of the organizational culture as they grow their efforts over time."
Who: Tommy Wald, author of The MSP CEO & IT services industry consultant
Expertise: Angel investor and former MSP owner who successfully launched, built and solid IT services business.
- Smartest Pricing Move: "The key pricing model that I have noticed being offered by many include a Basic Security package, and an Advanced. This obviously allows the MSP to continue to bundle their pricing and seems to be getting more traction."
Who: Guy Cunningham, SVP of channel sales and alliances, Netsurion
Expertise: Master MSSP and Top 250 MSSP that offers MDR, EDR, SOCaaS and more to MSPs
- Pricing Mistake to Avoid: "Competing on Price. There are way too many companies that are trying to package up the “cheapest” bundle of services so they can win business based on price. As we all know, this is an easy way to “gain business” but a lousy way to “build a business.” People are a significant part of the services MSSPs deliver to their customers, and people ARE NOT CHEAP.
- Another Pricing Mistake to Avoid: "We’ve also seen MSSP’s build packages or bundles in such a way that the majority of their customers select the lowest price option. Unfortunately, that usually means the customer isn’t really getting the protection they need. So again, selling on price versus value."
- Smartest Pricing Move: "Netsurion’s most successful partners have figured out how to combine the real needs of their customers (compared to the perceived needs of the customer) with a tiered pricing model, and a value-based sales strategy, that makes it easier for their customers to select the right bundle of products and services, while still being profitable for the MSSP. Many times, they’ll even tell their customers, “if you don’t select products X, Y, and Z, we won’t be able to work with you. We’re so convinced that these layers are mandatory in an effective cybersecurity strategy, we’d rather walk away from the business, that expose our customer, and ourselves, to the potential risk of operating an environment without them.”
Who: Peter Bybee, CEO, Security On Demand
Expertise: Entrepreneur and founder of Top 250 MSSP
- Pricing Mistake to Avoid: "Not talking to my customers enough about how to make the pricing model flexible to work for them. Most clients want flexibility. The customer’s environment changes so frequently that creating a formalized process for True-Up & True-Down is really needed to be part of the agreement. As the service provider, you have to think “win/win." Price discounts should increase as their devices or volume increase, but should go down if that’s also the case (within a certain threshold). The problem is that most providers (including me) did not build in a way to measure usage very well and link that to a reporting process so it’s easy to make these adjustments. My suggestion is to not adjust more that quarterly, since monthly usage is too variable."
- Smartest Pricing Move: "Developing Device Based pricing. Customers want certainty. AWS gets away with variable pricing because they’re dealing with large enterprise customers that are more sophisticated and can manage their costs better. The problem most providers have is that many of their own costs are too variable and so building out fixed pricing is a huge challenge. This is compounded further if you are using a third-party SIEM solution, vendor or partner that charges based on data volume stored, analyzed or consumed."
- How to Approach Discounts: "As a partner to other MSSPs and resellers, Security On-Demand provides fixed costs based on a “per month, per device” approach. When the device count increases, the discount per device goes up. The only reason we can offer this fixed cost approach is because we’ve don’t charge based on how much data is consumed – in other words, we don’t have a data volume limit that we set for our customers. Not everyone can to this, but it an increasing trend in the industry – if you look at Google Backstory and a few others – they are starting to move in that direction."
- Data Consumption Challenges: "In my opinion, MSSPs and MDR companies need to solve the data consumption & related cost problem in order to be profitable over the coming years. My prediction is that many of the MSPs and MSSPs out there are going to get squeezed out due to shrinking margins if they don’t get a handle on the data volume problem.""
Who: Mischel Kwon, founder, W@tchTower
Expertise: Entrepreneur and founder of Top 250 MSSP
- Pricing Mistake to Avoid: "The first typical mistake often involves under-estimating size of the engagement. Another mistake involves pricing on current alert numbers in the customer SIEMs -- that's all content dependent and not a good measure."
- Smartest Pricing Move: "Set your price based on physical assessment."
