A COMBINATION of the right tools, the right sales approach, the right partners, and credibility is critical to becoming a managed security services provider (MSSP).
Credibility is especially critical when you’re a 12-person MSP like The Tek and you want to manage your customer’s security, so finding partners with enterprise-level solutions is huge for us. Plus, our partners’ credibility gives us credibility, something we learned on our two-year journey to becoming an MSSP.
We embarked on this journey because as one of more than 100 MSPs in the greater Raleigh-Chapel Hill area, we knew managed security would differentiate us. We already had a niche with financial services companies and knew they had to meet compliance regulations. Also, while it sounds a little altruistic, our overarching goal is to supply security to all types of small and medium-size businesses, at a price they can afford.
But as a small MSP, getting into the MSSP space is expensive, particularly running a security operations center (SOC) and hiring skilled security professionals. To make it affordable for us, we partnered with a third-party SOC and hired staff to analyze and correlate the data coming from the SOC.
Today we offer our customers a layered security stack—consulting, advanced security (includes next-generation anti-virus, IT risk assessment scans, automated patch management, risk mitigation of PII data, and more), security awareness training, and managed IT—at three different monthly service and billing levels.
Since The Tek has always been very security focused, ramping up to MSSP was faster for us than it may be for others starting from scratch. However, we did learn some things along the way.
One of the simplest—and most eye-opening—lessons learned is that it’s important to show customers the value of your MSSP services. We put all this great software in place, but it does the job behind the scenes. We recognized that we needed to supply some kind of automated weekly or quarterly report to show all the attacks we’ve stopped and other security-related tasks we’ve performed.
We also realized that customers need a single-pane-of-glass view. You can’t tell them, “Hey, here are your nine different platforms, here’s the nine different dashboards. Just log in once a month and take a look.” Customers are busy running their company, so it’s our job to make sure that they can see the true value of their security offering quickly and efficiently.
With regard to products, it took us some time and a few false starts to find software for our customers that actually delivered what it promised and that we could integrate with our portfolio. It was a long journey to find true partners like SolarWinds MSP and Sophos that have software we can trust and know will be good for our customers. That was probably the biggest hurdle.
Finding a security dashboard product was harder. Most of the ones available now are priced for the enterprise, so we ultimately had to build one ourselves.
Another thing we learned is that partnering is everything. When you’re a small company, you have to partner with people who can help you get things done. So we’ve also built relationships with insurance companies, law firms, other MSPs in our area, and companies that are really strong on compliance. We’ve taken the time to vet partners that we can call on at the last minute if we need to deal with a security challenge.
We’ve now taken all that we’ve learned and developed a turnkey MSSP offering for MSPs called MSSP.Ninja. This basically puts a white-labeled security stack on top of their MSP offerings. They continue to provide day-to-day IT support with their solutions. As a partner, we offer vulnerability assessment and consulting, onboarding, training, the SOC, and people with cybersecurity skills, which is usually the most important part. These are the things that truly move you from an MSP to an MSSP.
A final caveat: From the business side, we learned that an MSSP sale is completely different from an MSP sale. Initially we started talking with customers about all the threats that were out there and the technology that could help them. We found out that they don’t really care about the threats or the technology. They’re more interested in what you can do for their business. How can you protect me? How can you do that at a price that I can afford? Most small to medium businesses don’t even have a security budget, so you really have to sell the long-term value of the solution for them.
Photo by Charles Gupton