MSPs' relationship with security ranges from those that are still dabbling to those who have an extensive practice covering a vast array of security services and products. Most MSPs, of course, sit somewhere in the middle, but there seems to a growing frustration within established security MSPs at the mistakes that others are making.
Here we take a look at the top five mistakes MSPs are making when it comes to security.
When it comes to offering customers security on a per-item basis, MSPs are opening themselves up to an array of issues that can put a strain on their business.
Most notably, the loss of efficiency that comes with this means wasted staff time and effort, extra paperwork, and less time dedicated to actually providing services.
"We don't ever line item anything," Seth Russell, owner and CEO at Computer St Louis, MO, told CPI. "It's, ‘Here's your monthly price, take it or leave it'. But there are players who are doing it and it gets to a point where, if everything's piecemeal, you don't have a standard stack, which kills efficiency."
Russell's comments chime with observations made by Paul Dippell, the CEO of MSP benchmarker Service Leadership. Dippel claims that MSPs running the same technology stack for the vast majority of their customers are more efficient and more profitable than those that offer an ‘a la carte' service.
Offering items per line also puts you at risk of being dictated to by your customer. Joshua Liberman, president at Albuquerque, NM-based Net Sciences, tells CPI. This just makes an MSP's life more complicated.
"A customer saying, ‘I want you to break these services up [and] I don't want to pay for it all' …I'm not going to do that; I'm not breaking out. I'm not going to make our life more complicated. I'm not going to make it harder for us to track and do all these things because one site wants that. I'm going to explain to him why I can't."
And lastly, if customers are picking and choosing which security technologies they want, there's a strong possibility they will opt out of certain technologies, leaving both themselves and you at risk of a security exposure, Russell explains.
"If you let people decide to opt out of something and you're supposed to be securing their network, then they're not going to be secure. Even if it seems like a small piece of the puzzle, if they don't have all the layers they're supposed to have, they're exposed. It's like saying I want bulletproof glass, but I only want two layers of glass. It just doesn't work."
In one way it seems hard to believe that there are MSPs out there approaching security in a breakfix manner, yet in another way it seems an obvious outcome of a rapidly growing marketplace.
The lack of a "common language" around security is a key problem, according to Karl Bickmore, CEO of Arizona-based MSP Snap Tech IT. He told CPI that there are MSPs out there that are "trying to force the old school model into the new" because of technology complexity and a lack of alignment on security as a whole.
"These MSPs are doing break-fix services around security and reactive services, but people have got to figure this proactive piece out. And, in my opinion, the jury's still out on how that's going to land universally," Bickmore said. "We still have far too much vendor noise and we don't have a common language around what is security or isn't security. And that's causing chaos out there."
Russell agrees. He notes that there are MSPs selling security who just "set it and forget it and think it's never going to come back to bite them".
"You obviously have to be way more active than that and have tools in place to help monitor, not whether the server is online or offline, but how it's behaving. Not everybody's figured that out yet for sure. And if you're supposed to be doing security and there's a breach and you don't know about it until the client's calling you, that's going to be a major problem on multiple levels."
It's something that we talk about time and again, yet, according to commentators, there are MSPs out there who are still not educating their staff effectively. The issue is so prevalent that security talent is "jumping from company to company", Craig Robinson, program director for security services at IDC, told CPI.
"You tend to have this rampant sort of circle where security analysts and the like are jumping from company to company, and a big part of that reason is a lack of training that they get from their current company. When companies don't invest in their people, they're going to lose their analysts and then it snowballs."
What this mean is clients all of a sudden dealing with a different set of people than the ones they have gotten used to, which means a frustrated client potentially being served by a new security contact who isn't as well trained as they could be.
While Robinson says he understands the challenge only too well, there are ways of managing it.
"A firm has rotating shifts…and every Wednesday the shifts come together, so half the day is spent working and half the day is spent in training. Just doing something as simple as that is going to help a lot."
Don't be a one-trick pony or repeat mistakes
Robinson also warns MSPs and MSSPs to avoid only knowing one security offering or vendor, and advises ensuring you are capable of supporting multiple products and not tied to one technology stack.
"When you go in and talk to a client, they don't want to see you as the product person," he pointed out.
And something security service providers must do is learn from their previous security mistakes.
‘Don't let any breach go to waste," Robinson said. "There are always opportunities to learn, look at processes and circle back and say, ‘Okay, how do we miss this one? How do we prevent something like this from happening again?' That sounds simplistic, but sometimes it's the simple things."
To facilitate this, staff at MSPs should "break out of their siloes" and talk to each other about the breach and why it happened.
"People need to be talking to each other - contractors need to be talking to the traders and do a little job rotation every now and then. We've got to be able to look at what other people are seeing and bring some cohesiveness to the team, because when you understand what your teammates are going through when they're doing their job, it's going to make you a better security person."
Starting customers at the lowest level of service, or making it all about cost
It's a common mistake that many MSPs have made and some continue to make: bringing in a client at the lowest level of service with the hope of trying to migrate them up the stack over time.
"When you have a site that's used to spending $500 or $1,000 or even $2,000 a month - whatever the number is for them - it's a challenge. Turning around and getting them to spend 50 percent more, which frequently is the cost to really move up the stack with us, is a harder conversation than you might think," Liberman said.
"Sometimes it's smooth and it certainly has worked for us, but in general, I think you should do a much better job of placing the right services from the beginning."
Alongside this, Liberman warns that another mistake he has made in the past and many MSPs continue to make is leading on price. While this may not be as prevalent as 10 or 20 years ago when most IT folks were not business people, claims Liberman, it's still happening.
"People call up and they want to know if you can help them and the first thing you do is send them a price list - this is not the right approach. I think [IT people] are more sophisticated now and know that, but I know that not everybody does," he said.
Maybe the very first thing a potential customer says is: ‘Well, my boss wants me to shop around, how much do you cost?' So we try to explain to people that anybody that can give you a price over the phone in a matter of minutes isn't paying attention and they're not doing their job. Jumping right to price is a mistake because then suddenly it's all about who can be cheaper."
Some say performance, others say money but it may be systems and processes that carry the day
View all of the photos from last week's Channel Innovation Awards in New York
But Q3 is still the second best quarter of server shipments on record, logging 'near historic highs', despite a slump from Q3 2018
Winner of the Security Channel Chief of the Year award at CPI's MSP Innovation Awards in New York yesterday, FireEye's Chris Carter, answers our five crucial questions for MSPs