MSPs Should Monetize Security Awareness Training
The concept behind continuous cybersecurity and compliance training, with liberal amounts of role-relevant phishing simulations, is simple. Training users on the threats they face at work significantly reduces the number of user-related security incidents—by over 86%, according to results from Webroot’s MSP clients.
That’s a huge improvement for any organization, delivering significant productivity gains and labor cost savings, especially given that user errors cause 95% of successful breaches. But organizing, running, and managing ongoing cybersecurity training also takes administration man-time. And man-time for MSPs is a scarce and precious resource.
Some MSPs see reducing incident costs and an improved security posture as justification enough for adding security training for free. But that strategy seriously undervalues the service. Free may be great value short-term, but not over the mid or long term. Why? Because continuous cybersecurity awareness training takes about 12 months to change behavior, minimize incidents, and deliver fully impactful results.
Providing this service for free can sap your profit margin, but providing anything less would be a disservice to your clients. So, to truly deliver a valuable, profitable, and justifiable service long-term, look to monetize your security awareness training to the point where everyone wins.
Not All Cybersecurity Technology Is Equal
Not all training technology is MSP/reseller ready. Though many training platforms are SaaS cloud-based, most are not truly multi-tenant and the training support software, referred to as a Learning Management System (LMS), can be daunting to use, especially to IT administrators with no prior exposure.
Courses and content should also be evaluated. It’s common to find out-of-date courseware of varying quality and relevance that’s often disjointed from the LMS and reporting platforms. A year in at Webroot, we’re still busy enhancing our content, LMS, and training platform specifically for the MSP and SMB organizations they are designed to serve. The ongoing focus is maximum efficacy with minimum overhead.
How To Monetize Security Awareness Training
So, you decide to charge for security awareness training. But how and for how much?
First, as a stand-alone service, there is the cost of subscribing to content and the LMS. That’s a simple, per-user charge that normally reduces with volume. So you can quickly attach a cost there. Then, as noted, you should consider administration costs. I would allow about 50% of the software cost per-user to cover those, but it will depend on the number of users and clients involved. When offering the service stand-alone, you can calculate your base costs and then add your normal profit margin or markup.
For targeting ROI, I’d suggest looking at the number of user-error incidents a client generates annually, attaching a dollar value to those incidents, and then working out the average user incident cost. Also look to industry averages, like those by the Ponemon Institute, which attaches an ROI of 37x on security training, or the Better Business Bureau, which puts the average security incident cost around $80,000. With the ROI it can generate, it should be relatively easy to justify investing in cybersecurity awareness training.
When it comes to packaging the service, MSPs have taken different routes, but one of the most successful has been to add the service to a layered security bundle that might also include services like DNS protection. The bundle can rely on an opt-in/opt-out model, or be added to existing services to justify a price increase. Formal layered security packages tend to increase adoption across an existing client base and prove very attractive to new clients. (Compliance training can be another attractive offering in this bundle, too.)
Another alternative for non-committed clients is training users free for the first year, then demonstrating at year-end the impact and cost savings. They can then invest or have the service withdrawn. In the end, there are really choices. Clients that understand the value of security training will know their returns far outweigh the cost of the service. For clients with tighter budgets or in need of more convincing, add it as a test service to prove the value before charging for it.
With either approach, look to monetize this highly valuable service.