Guide to Providing Managed Security Services
So you’re an MSP, and you want to add Security-as-a-Service, or SECaaS, to your offerings. Or, maybe you’re starting a new managed services business and want to focus on security from the start — which would make you a managed security services provider or MSSP.
Either way, successfully providing managed security services will require you to make the right decisions about tools, processes, personnel, and pricing. This guide provides an overview of what you’ll need to know, as well as links to other guides that dive deeper into the various topics covered below.
What Are Managed Security Services?
Managed security services, Security-as-a-Service or SECaaS all refer to a business model in which companies outsource their IT security operations to a provider who specializes in security. Managed security services eliminate the need for companies to maintain in-house security staff and software, or to keep up-to-date with the latest security threats.
Instead, you — the MSP or MSSP — provide these services to your clients through a subscription-based model.
From MSP to MSSP
If you already operate an MSP business that provides other types of managed services (like data backup or system administration), there are several approaches you can take to add managed security services to your set of offerings, thereby making yourself into an MSSP as well as an MSP.
The most obvious — but also the most involved — approach is simply to build an MSSP operation from the ground up. Doing this will require you to acquire the various software tools that you need to provide managed security services (for more on these, see the following section). You’ll likely also need to hire staff to help deliver the managed security services. And you may need to update your own skillset, as well as that of existing staff members, to ensure that you understand and can react to modern security threats.
Another approach is simply to acquire an existing MSSP business. This will typically be costly. But if you are a larger MSP with a solid, established business of your own, and you have the cash available to buy another business, purchasing a successful MSSP is an easy on-ramp to expanding your portfolio of offerings to include SECaaS.
A third option is to partner with an MSSP. This approach doesn’t require significant capital investments, and it still provides you with the tools and expertise you need to provide SECaaS to your clients. You should take care, however, to ensure that the MSSP you partner with is well equipped to work alongside your existing MSP business. A partnership that requires you to retool your business, or switch your focus to a different vertical, is likely a poor idea.
Further reading: MSSP Is a Hard Nut. Think About the Alliance
Whether you’re adding SECaaS to existing offerings or starting an MSSP business from scratch, you’ll need to identify the specific types of managed security services you wish to offer.
There are four main categories of managed security services:
- Infrastructure: If you manage infrastructure security as a service, you monitor networks and devices for security threats and respond as needed.
- Data security: MSSPs can help secure a company’s data by providing backup and recovery services, as well as scanning for malware or other threats embedded within data.
- Risk and vulnerability management: Through penetration testing, intrusion detection, and vulnerability scanning, MSSPs can help assess clients’ security risks and minimize potential vulnerabilities.
- Identity and Access Management: This type of security service involves managing accounts, user access, and authentication.
Further reading: Core Managed Security Technologies and Software Every MSSP Needs
Software You Need to Provide Managed Security
The specific software tools you choose to help provide managed security services will depend on the types of services you offer and the threats that are most relevant. In general, however, the typical MSSP’s software arsenal will include several different types of security tools, including:
- A Security Information and Event Management, or SIEM, tool, which helps you monitor all of a client’s systems for security-related events from a single place.
- Antivirus software, which can help detect threats on certain types of systems, such as workstations, or within email attachments sent over a client’s servers.
- Endpoint security tools, which help detect malware and other threats as they pass from the network onto individual devices.
Further reading: Guide to Endpoint Security Monitoring
- Network firewalls, to help protect against unauthorized access to clients’ internal networks from the public Internet.
- Data backup and disaster recovery tools. These help ensure not only that your clients’ data is backed up to protect against unexpected data loss, but also that there is a “clean” copy of data that you can restore if production systems are compromised by a security breach.
- Threat intelligence software, which notifies security providers about the latest vulnerabilities within applications or operating systems as they are discovered and announced. With this information, MSSPs are better prepared to keep clients’ systems patched against emerging threats.
- Password management tools, to help enforce best practices regarding passwords.
Further reading: Core Managed Security Technologies and Software Every MSSP Needs
Building a successful SECaaS business requires pricing your services in the right way.
One approach is to use All You Can Eat, or AYCE, pricing. Under this model, you offer multiple security services for a single price. You may even bundle them into other MSP service offerings.
AYCE pricing is easier for clients to understand. It also simplifies account management from the MSP or MSSP’s perspective, because it eliminates the need to keep detailed billing information for each client.
That said, AYCE tends not to be a good idea for managed security services if any of the following is true:
- Clients need advanced security technologies that require significant money, time or resources on your part. For example, if your client has an active virus infection that will take you longer to address than you would typically spend providing managed security services, you may need to charge more for that client.
- The client requires a security service you didn't provide before. In this case, adding the service to an existing bundle, without charging extra, is not profitable for you.
- You service customers with high compliance needs (such as those in verticals like finance). In this case, fast-changing compliance requirements may necessitate a greater investment of time on your part, and you are therefore best off billing separately for the extra services.
So, while AYCE pricing usually works well for basic managed security services, like standard monitoring or data security, it is wise to charge extra for types of services that go above and beyond what is considered an everyday security service within your clients’ industry.
Further reading: AYCE Is a No Go For an Advanced Security Offering
How to Market and Sell Managed Security Services
Once you’ve set the right prices and have the right tools and personnel in place to offer managed security services, you also need to market and sell those services effectively.
Best practices on this front include:
- Be sure to educate your customers on the importance of security, especially in your clients’ vertical. Even though it may seem that everyone these days understands the impact of IT security threats, your clients (or prospective clients) may not fully understand the threats that are specific to given industries.
Further reading: End-User Training Guide
- Demonstrate your security expertise. Make it clear — ideally, using case studies from other clients, as well as data about the time you saved clients and the threats you remediated — how you are positioned to overcome the security challenges that are of greatest concern to your clients.
- Discuss security in a way clients can understand. The typical business decision-maker doesn’t know the ins and outs of IT security or the lingo associated with it. For that reason, be sure to speak in terms that focus on the overall business value of managed security services, rather than technical terms that only an MSSP would understand.
- Measure and deliver results by keeping track of security incident data (such as the number of successful and attempted breaches) for infrastructures that you manage. This data will help you achieve contract renewals with existing SECaaS clients, as well as pitch yourself to new ones.
Further reading: How to Sell Managed Security Services
Offering managed security services requires a significant investment of time and money in acquiring the right tools, expertise, and personnel. It may also necessitate revisiting your existing pricing strategies, and revamping the way you market and sell your services. But given the fast pace at which the SECaaS market is growing, the investment is likely to be well worth it, no matter which vertical you operate in or how large your managed services business is.