Written by: Charles Weaver, CEO of MSPAlliance
There are a lot of opposing ideas concerning the issue of whether MSPs should be offering manage security solutions to clients. I’m sure those of you reading this article will also have your opinions, one way or the other.
But, I would like to offer a perhaps unique perspective on the topic of managed security and attempt to reconcile some of the differing opinions circulating within the profession.
Changing Definitions
First, I would like us all to acknowledge that the terms and definitions legacy MSPs have used for several decades have mutated in the last few years. I am speaking specifically about the use of cybersecurity as a new term not previously used amongst MSPs before 2015.
Up until that time, MSPs were mostly offering managed security to clients through the following solutions: management of firewalls, anti-virus, and anti-spam. Sometimes these offerings were labeled “managed security,” and sometimes they were not. The point is, security has always been a component of what an MSP provides to customers. We may not have called it “managed security.”
Clients Opting Out of Managed Security
One thing that has changed over the years is the perception and understanding of the client concerning issues and threats related to cybersecurity. Clients know cybercriminals are targeting them. In the early 2000s, I would wager more clients dismissed the idea that they had anything of value for a cyber-criminal. As such, most clients dismissed the advice given to them by their MSPs.
Today, cyber threats are well known, and the preventative measures MSPs can help put into place are also known. However, you still have clients who refuse to implement cybersecurity measures, whether it is stubbornness, lack of budget, or lack of other resources. And that leads us to the technique I think all MSPs should be switching to, something I call the “Mary Poppins technique.”
Mary Poppins Technique
In the movie Mary Poppins, the famous nanny gave the children something sweet to help them tolerate the medicine they were being asked to swallow. That same technique can work effectively for clients and cybersecurity. If your clients don’t like the taste of the medicine, add a spoonful of sugar, and it will help. What does this mean, exactly?
I think it is time to begin embedding the security into your primary managed services offerings. Whether you call it managed security or not, it should not be an optional offering the client can refuse. Make it sweet, hide the medicine in the other services the clients do want, and force them to participate int he positive cyber hygiene all organizations should be practicing today.
I’m not suggesting that you “hide” services or actions from your client. Instead, I am saying you should embed those security solutions you believe are critical to proper cyber hygiene and make them part of what you offer. If you have to charge more, then charge more. If the client says they already get those services from someone else, that’s fine; make them prove it to you so you can feel confident they are truly protected.
The time has come for MSPs to stop giving clients the option to forego managed security. Every client should be protected by an IT department (either internal or external by an MSP). If the client is not protected against cybersecurity threats, why would you want to take them on as a client?
Try the Mary Poppins method out and see if it works. If this is what you’re doing now, I’d love to hear from you.
John
Posted at 16:24h, 27 AprilGreat advice
Andrew
Posted at 16:39h, 27 AprilCouldn’t agree more, Charles. Having started this process last fall, I’m quite happy to report that we’ve gotten probably 85% of our customers over to the full security model. One thing that helped us get plenty of agreement was incorporating Dark Web scanning at the same time – it costs next to nothing to provide, but gives the customer something really tangible to see when they’re signing a new/restructured agreement. If the customer thinks that’s what they’re paying for, when in reality the bulk of the rate hike is to provide 24/7 Managed Detection & Response.. that’s completely fine with me – as long as they all have the new minimum standard of security.
How to bundle products on proposals and invoices is another trick altogether, but we used this same process as an opportunity to get that into a state I’m finally quite happy with. In either case, I completely agree with you that our position as legitimate MSP’s is that security is not optional, and a lack of it puts us at nearly/potentially as great a risk as it does the customer, depending how our MSA’s/Terms of Service are structured.
Managed Services is Security - MSP Alliance
Posted at 11:35h, 21 September[…] idea that there are distinctly different business models around managed services and managed security services is somewhat misleading. Attempts to distinguish managed security as something wholly […]
Preparing for a Ransomware Attack: A Guide for MSPs - MSP Alliance
Posted at 10:04h, 07 July[…] even the best security measures, none of us are immune from the menace of ransomware attacks. 2021 saw not only an […]