Over the past year, cybersecurity has hit the headlines regularly, from the alleged Russian hack of the U.S. presidential election to corporate and Department of Defense security breaches. Equifax is just one story, and, with 145.5 million people affected, the one that resonates most with the person on the street.
Most business owners are aware of the cybersecurity risks that have been present for some time. However, there’s been one big change: new government guidelines concerning cybersecurity. Guidelines from NIST (National Institute of Standards and Technology), DFARS (Defense Federal Acquisition Regulation Supplement) and other agencies are creating compliance issues for a growing number of SMBs.
What do these changes mean for your MSP?
The use of the term MSSP (managed security service provider) has become prevalent in recent years, creating both opportunity and risk for MSPs. Many industry marketing courses and events are designed to help you leverage SMB fears around cybersecurity. Lead generation is great, but many MSP owners are not prepared to implement a profitable and sustainable cybersecurity risk management practice.
The following insider insights will help guide your MSP as you start incorporating cybersecurity risk management in your offerings.
Risk And Business Planning
The first issue is your risk when you offer additional cybersecurity services that you haven’t provided in the past. You must be sure you understand your legal liability as well as the expectations your customers have.
The representation of your services and the wording of the legal agreement need to be precise. If a client thinks you are keeping them in compliance and they lose a $15 million defense contract because they’re not, you could face significant repercussions. Your representation of your offer cannot be ambiguous.
Top MSPs have a solid business plan covering their cybersecurity practices, so they are clear about which actions they perform and which need to be performed by a third party. While many IT providers aren’t experts at creating business plans, such a plan is critical to improving all of your service deliverables.
Packaging And Pricing
Once you identify what cybersecurity risk management services to offer, the next thing to address is how you package and price those services. Most MSPs aren’t accounting for 100% of their cost per seat in their current models, yet they add new cybersecurity services and expect higher margins.
To reflect the additional costs, you need to consider the following questions:
- Which of your cybersecurity tool costs will be converted into per-seat costs?
- How many fewer clients will each of your service delivery roles manage if they have additional responsibilities with a new cybersecurity offering? Think about who will deliver each security service, and how that will impact their ability to manage clients.
- How will you capture 100% of costs associated with tasks performed by resources outside the current service delivery roles?
- Some larger MSPs have a chief security or compliance officer — how many clients will he or she manage, and how does that translate to a cost per seat?
- What will you bundle into your core offering for every customer, and what will you sell as an additional security package?
Answering these questions helps you define your company’s key value proposition for cybersecurity services. Well-defined packaging and pricing also reduce your own risk while bolstering security.
The Long-Term Outlook For MSPs And Cybersecurity
Another factor to consider is the long-term outcome of the MSP’s role in cybersecurity and how that will affect your approach in the coming years.
A ton of money is pouring into security software and services, and investors know every MSP must enhance its cybersecurity offerings. You can safely assume that, in a few years, security tools and services will be available and priced to move for every MSP.
Keep in mind that some security services you offer today will be seen as "specialty services" with higher value, but over time they will become part of every MSP’s standard offering.
The Bottom Line
Every MSP needs to reevaluate how it approaches cybersecurity risk management and create a plan to enhance its offering. This is a great opportunity if you have the right approach. Be realistic, be smart, be careful and use the TruMethods framework as your guideline.
With the right process, your MSP can enhance core offerings with cybersecurity risk management that offers a higher level of compliance and commands a higher price.