The MSP Security Model Is Changing: 4 Ways to Get Ready

Author: SolarWinds MSP VP Greg Lissy
Author: SolarWinds MSP VP Greg Lissy

Cybersecurity management has become such an expensive and complex endeavor that more and more businesses are looking to outsource its management to service providers. In a recent study, SolarWinds MSP found that 82 percent of companies are planning to switch to an outsourcing model in the next 12 months.

About half of these businesses are doing so because maintaining security management in-house has become too costly. Another top reason for switching is businesses aren’t happy with the performance of their IT security and have concluded they will get better protection by hiring a service provider. 

From an MSP’s perspective, this shift toward managed security outsourcing is an attractive opportunity for new business and higher profits. But you can’t just turn a switch and become an managed security services provider (MSSP). While just about every MSP today offers some level of security services, becoming a full-fledged MSSP requires preparation. Here are some considerations to keep in mind when launching a managed security services offering: 

1. Assess Your Expertise 

Recruiting cybersecurity professionals is extremely difficult because there is a severe talent gap. By 2022, a 1.8 million shortage of cybersecurity jobs is projected. This is one of the key reasons businesses don’t have enough in-house security resources. MSPs have to assess how much cybersecurity talent they currently have and determine how to fill the gaps. Since recruitment prospects are so low, your best bet is to identify techs with an aptitude for security work and enroll them in security courses to earn the certifications they need. 

2. Learn the Services

There are so many facets to security these days that even the most skilled professionals have shortcomings in some areas. Most navigate the complexities and diversities of the security specialization by focusing on specific categories. As you expand into managed security services, you may be best served to do the same, at least initially. There are four main categories of security services:

  • Infrastructure – Covers endpoint security, network firewalls, threat intelligence, and perimeter-level security.
  • Data Security – Includes anti-malware, digital forensics, data backup, email security, and application whitelisting.
  • Risk and Vulnerability Management – Consists of vulnerability scanning and patching, penetration testing, security policy reviews, and intrusion detection.
  • Identity and Access Management – Covers user access and management rights, authentication and authorization, and data governance.

A full-fledged MSSP can provide all these services, but don’t bite off more than you can chew. Start with one category and master it before moving on to the next.

3. Prepare the Organization

To successfully deliver managed security services, you need to prepare the organization by implementing well-planned processes. Security requires meticulous documentation for compliance and certification purposes.  MSSPs must make the effort to develop and execute verifiable processes for reporting, tracking, and managing procedures—as well as for enforcing policies. Without these elements in place, the chances of becoming a successful MSSP become severely limited.

4. Pick Your Tools

As with any other managed service, selecting the right tools and vendors is critical to delivering managed security services. Do your homework and research the technology landscape to determine which platforms and tools can address the needs of your customers. Whenever possible, choose technology that integrates with platforms you already have in place, such as RMM and PSA. The more straightforward the integration, the quicker you can start delivering the service.

Commit to Continuous Learning

These four considerations will put you on the path to delivering managed security services at a time when more of your clients are looking to outsource cybersecurity management. And they will serve you well as the ever-changing threat environment dictates you constantly evolve your security practice to stay ahead of what may be next. By taking on the business-critical security responsibility for your clients, you are solving one of their most vexing challenges. Protect them from cyberdangers, and you’ll win their trust. In turn, they will reward you by bringing you more business.

Greg Lissy is VP, product management, SolarWinds MSP. Read more SolarWinds MSP blogs here.