If there is a theme for 2019 and 2020 in managed services, it is the title of this article. What I really would like to convey to all the MSPs out there is if you think getting into managed security is not worth it and present too much risk to your business, then consider this; you are already at risk, you’re just not getting paid for assuming that risk.
The Managed Services Shift to Security
It’s undeniable that security has become a much more recognizable and popular topic of conversation over the last several years. Everyone is generally aware of cybersecurity and knows how data breaches can (at least theoretically) harm them.
The awareness of the general public of cybersecurity issues raises the value of providing security managed services but also increases the risk. Keep this in mind as you read more.
MSPs and Security
MSPs have been offering security solutions since the beginning. Since the early days of managed services, even the general practitioners have been managing security, firewalls, and other essential elements of the IT network impacting data. Also, if you did not call yourself an MSSP, chances are you were delivering managed security services.
Managed Security is Unavoidable Today
In my opinion, all MSPs are addressing managed security to some degree. Whether you call it managed security is immaterial. What you are delivering is what matters, not what it is called.
Just touching the customer network can transfer risk to your MSP practice. Don’t get freaked out because of this; it’s always been this way. That’s why it is so vital to develop risk mitigation techniques within your MSP practice (more on that elsewhere on this site).
If you accept that your MSP practice will come into some risk in dealing with your customers, then the best practice (and the most lucrative one) would be to charge for those services where you have risk.
Based on experience, customers are sometimes the last to know they have risk. What customers like to do is believe that their MSP has assumed all the risk for managing the IT asset and think no more on the matter. If something bad happens, then guess who gets the call and the blame? The MSP, you guessed correctly.
We have reached a point in our profession where MSPs should have the right to ask probing questions of their customers about what IT assets they have, how they are being managed (by the MSP or by someone else) and have a direct conversation with the client about who owns the risk.
There is nothing wrong with providing managed security solutions (whether you call it that or not). I will hope that if you are providing these solutions that you at least charge the customer for them.