Security is everywhere these days. At the MSPWorld Spring 2019 Conference in Austin, TX, there was a lot of discussion surrounding managed security and how MSPs can successfully enter this vertical market. In my opinion, it is not a question about whether MSPs should be in security, but rather how they should do it. Not participating in the managed security discussion is not an option for the MSP community.
Can MSPs Ignore Security?
The short answer is no. Ignoring security is almost unforgivable, and would destroy the trust a customer has in the MSP. If an MSP cannot provide some measure of guidance to a customer around security, that customer will seek out a different MSP who can render advice.
Not only is there revenue to be made in managed security, but there is also a more significant issue of being a general practitioner and knowing enough about security to help customers seek out the appropriate solutions, even if the MSP isn’t directly involved in delivering it.
MSPs Have Been Delivering Security For Years
Whether it has been managing firewalls, IDS/IPS systems, anti-virus, patching, MSPs have been involved in consulting and delivering managed security solutions to customers for a long time. As security has become more commonplace in recent years, the pressure for MSPs to become more involved in security solutions has also grown. And yet, there are still many ways MSPs can remain involved in delivering managed security offerings to customers without having to “sub-source” to another provider.
There are obvious solutions which most MSPs should not attempt on their own, like developing a SIEM. There are plenty of options related to outsourcing SIEM as a service products where MSPs can offer the solution but not be responsible for its delivery.
Security Does Not Mean Assuming Unnecessary Risk
As times and technology change, I believe MSPs have become less comfortable to assist customers unwilling to take appropriate steps to safeguard their IT assets, and instead look at MSPs as a means of offloading those risks; a practice I do not condone.
There is nothing inherently more risky about delivering managed security solutions today than a decade ago. What has changed is more people are talking about security, and more customers want to shift that responsibility to the MSP. MSPs need to make necessary changes to their operations and communicate with their clients to evaluate where the risk is.
Ultimately, customers are responsible for their IT environments. There is only so much liability they can outsource without being negligent.
Last week at MSPWorld we discussed a lot about the liability of managed security. There has always been liability associated with managed services, especially amongst the regulated markets. In an age where security discussions are happening all around us, MSPs need to step up and re-assert their role as guardians of data and security for their customers. If MSPs don’t do it, someone else will!