Written by: Charles Weaver, CEO of MSPAlliance

There are a lot of opposing ideas concerning the issue of whether MSPs should be offering manage security solutions to clients. I’m sure those of you reading this article will also have your opinions, one way or the other.

But, I would like to offer a perhaps unique perspective on the topic of managed security and attempt to reconcile some of the differing opinions circulating within the profession.

Changing Definitions

First, I would like us all to acknowledge that the terms and definitions legacy MSPs have used for several decades have mutated in the last few years. I am speaking specifically about the use of cybersecurity as a new term not previously used amongst MSPs before 2015.

Up until that time, MSPs were mostly offering managed security to clients through the following solutions: management of firewalls, anti-virus, and anti-spam. Sometimes these offerings were labeled “managed security,” and sometimes they were not. The point is, security has always been a component of what an MSP provides to customers. We may not have called it “managed security.”

Clients Opting Out of Managed Security

One thing that has changed over the years is the perception and understanding of the client concerning issues and threats related to cybersecurity. Clients know cybercriminals are targeting them. In the early 2000s, I would wager more clients dismissed the idea that they had anything of value for a cyber-criminal. As such, most clients dismissed the advice given to them by their MSPs.

Today, cyber threats are well known, and the preventative measures MSPs can help put into place are also known. However, you still have clients who refuse to implement cybersecurity measures, whether it is stubbornness, lack of budget, or lack of other resources. And that leads us to the technique I think all MSPs should be switching to, something I call the “Mary Poppins technique.”

Mary Poppins Technique

In the movie Mary Poppins, the famous nanny gave the children something sweet to help them tolerate the medicine they were being asked to swallow. That same technique can work effectively for clients and cybersecurity. If your clients don’t like the taste of the medicine, add a spoonful of sugar, and it will help. What does this mean, exactly?

I think it is time to begin embedding the security into your primary managed services offerings. Whether you call it managed security or not, it should not be an optional offering the client can refuse. Make it sweet, hide the medicine in the other services the clients do want, and force them to participate int he positive cyber hygiene all organizations should be practicing today.

I’m not suggesting that you “hide” services or actions from your client. Instead, I am saying you should embed those security solutions you believe are critical to proper cyber hygiene and make them part of what you offer. If you have to charge more, then charge more. If the client says they already get those services from someone else, that’s fine; make them prove it to you so you can feel confident they are truly protected.

The time has come for MSPs to stop giving clients the option to forego managed security. Every client should be protected by an IT department (either internal or external by an MSP). If the client is not protected against cybersecurity threats, why would you want to take them on as a client?

Try the Mary Poppins method out and see if it works. If this is what you’re doing now, I’d love to hear from you.

Tags : cybersecurity,cybersecurity hygiene,managed security,MSP
  • John
    Posted at 16:24h, 27 April Reply

    Great advice

  • Andrew
    Posted at 16:39h, 27 April Reply

    Couldn’t agree more, Charles. Having started this process last fall, I’m quite happy to report that we’ve gotten probably 85% of our customers over to the full security model. One thing that helped us get plenty of agreement was incorporating Dark Web scanning at the same time – it costs next to nothing to provide, but gives the customer something really tangible to see when they’re signing a new/restructured agreement. If the customer thinks that’s what they’re paying for, when in reality the bulk of the rate hike is to provide 24/7 Managed Detection & Response.. that’s completely fine with me – as long as they all have the new minimum standard of security.

    How to bundle products on proposals and invoices is another trick altogether, but we used this same process as an opportunity to get that into a state I’m finally quite happy with. In either case, I completely agree with you that our position as legitimate MSP’s is that security is not optional, and a lack of it puts us at nearly/potentially as great a risk as it does the customer, depending how our MSA’s/Terms of Service are structured.

  • Managed Services is Security - MSP Alliance
    Posted at 11:35h, 21 September Reply

    […] idea that there are distinctly different business models around managed services and managed security services is somewhat misleading. Attempts to distinguish managed security as something wholly […]

Post A Comment

Have questions?

We're here to help! Fill out the form below and we will get back to you as soon as possible.

    Contact us

    Address:

    100 Europa Drive, Suite 569 | Chapel Hill, NC 27517

    Phone:

    1-800-672-9205

    Email:

    info@MSPAlliance.com

    Sign Up For Our Newsletter

    Select list(s) to subscribe to


    By submitting this form, you are consenting to receive marketing emails from: MSPAlliance, 100 Europa Drive, Chapel Hill, NC, 27517, https://www.mspalliance.com. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact